File name:	99a803f00b5c0f1142a265867a88343a90e9958d.exe
Full analysis:	https://app.any.run/tasks/7f1bd136-4f25-4c18-b518-954458961bb5
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 19:43:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	anydesk tool adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	B668B25A4264BE498DC5BCB8DD47D05B
SHA1:	99A803F00B5C0F1142A265867A88343A90E9958D
SHA256:	1270D2EE89DA2B55413AF74865A227FF10C11FCC6C3AB1189B470EF9721DA3D7
SSDEEP:	98304:TDRDogeatF/ED8vK3FQy3/TsKBCMFXbvppVvdWNnCRXJ2S0SkT/+5lSrWNXsGTdA:ieSP/lPLU

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:12:04 15:38:43+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	10752
InitializedDataSize:	5480960
UninitializedDataSize:	17833472
EntryPoint:	0x1ce5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	9.0.1.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	AnyDesk Software GmbH
FileDescription:	AnyDesk
FileVersion:	9.0.1
ProductName:	AnyDesk
ProductVersion:	9
LegalCopyright:	(C) 2024 AnyDesk Software GmbH

PID	Process	Filename		Type
6584	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PAF8R2P8JB893JWJ39BK.temp		—
		MD5:—	SHA256:—
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\AnyDesk\system.conf		text
		MD5:0C04AD1083DC5C7C45E3EE2CD344AE38	SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\Desktop\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\AnyDesk\service.conf		text
		MD5:143C8A61A0B16C5B7E74E6AEE7716B38	SHA256:89D7F88EC792DC5D9021BFC7A86E78AA18056E4129C87A96944D91D645DA206A
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\AnyDesk\global_cache\device-id.cache		binary
		MD5:3F4231304ADFD825C92820AEC23FBA79	SHA256:466182F108C4EE0D07C539522F05FC5B399AF687C55B58836DE53C0AA4345A52
6584	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms		binary
		MD5:0373B778F6B21EE87FF479AF2A9517B6	SHA256:3B0897E40AE3F21309CF9CCEC4056AD3794AAC74C4F3E80557BDADA08DEBF7AF
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Local\Temp\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
6584	99a803f00b5c0f1142a265867a88343a90e9958d.exe	C:\Users\admin\AppData\Roaming\AnyDesk\user.conf		text
		MD5:A787C308BD30D6D844E711D7579BE552	SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5848	svchost.exe	GET	200	2.19.198.75:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6660	99a803f00b5c0f1142a265867a88343a90e9958d.exe	POST	200	18.245.86.84:80	http://api.playanext.com/httpapi	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	2.19.198.75:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.19.198.75:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.215.121.133:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5848	svchost.exe	GET	200	23.215.121.133:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.215.121.133:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.21.110.146:443	www.bing.com	AKAMAI-AS	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
5848	svchost.exe	2.19.198.75:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.19.198.75:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	2.19.198.75:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5848	svchost.exe	23.215.121.133:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.215.121.133:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.215.121.133:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
www.bing.com	2.21.110.146 2.21.110.139	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	2.19.198.75 2.19.198.56 2.19.198.49 23.32.238.162 2.19.198.43 2.19.198.40 23.32.238.88 23.32.238.90 23.32.238.155	whitelisted
www.microsoft.com	23.215.121.133	whitelisted
boot.net.anydesk.com	57.129.37.28	whitelisted
relay-ad3345a7.net.anydesk.com	51.195.5.157	whitelisted
api.playanext.com	18.245.86.79 18.245.86.26 18.245.86.105 18.245.86.84	whitelisted
self.events.data.microsoft.com	52.182.143.208	whitelisted
relay-b51eac1f.net.anydesk.com	92.223.66.29	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Driver Updater Setup Process

General Info

99a803f00b5c0f1142a265867a88343a90e9958d.exe

B668B25A4264BE498DC5BCB8DD47D05B

99A803F00B5C0F1142A265867A88343A90E9958D

1270D2EE89DA2B55413AF74865A227FF10C11FCC6C3AB1189B470EF9721DA3D7

98304:TDRDogeatF/ED8vK3FQy3/TsKBCMFXbvppVvdWNnCRXJ2S0SkT/+5lSrWNXsGTdA:ieSP/lPLU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

ADWARE has been detected (SURICATA)

SUSPICIOUS

Application launched itself

ANYDESK has been found

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Access to an unwanted program domain was detected

INFO

Creates files or folders in the user directory

Checks supported languages

Process checks whether UAC notifications are on

Reads the computer name

The sample compiled with english language support

The process uses the downloaded file

Reads CPU info

Checks proxy server information

Process checks computer location settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings