File name:

99a803f00b5c0f1142a265867a88343a90e9958d

Full analysis: https://app.any.run/tasks/c08b6301-bf63-4788-92ca-274fd868ea86
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 18:52:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
anydesk
tool
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

B668B25A4264BE498DC5BCB8DD47D05B

SHA1:

99A803F00B5C0F1142A265867A88343A90E9958D

SHA256:

1270D2EE89DA2B55413AF74865A227FF10C11FCC6C3AB1189B470EF9721DA3D7

SSDEEP:

98304:TDRDogeatF/ED8vK3FQy3/TsKBCMFXbvppVvdWNnCRXJ2S0SkT/+5lSrWNXsGTdA:ieSP/lPLU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)

    • ADWARE has been detected (SURICATA)

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

  • SUSPICIOUS

    • ANYDESK has been found

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)

    • Application launched itself

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)

    • Executable content was dropped or overwritten

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • Potential Corporate Privacy Violation

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • Access to an unwanted program domain was detected

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

  • INFO

    • Process checks whether UAC notifications are on

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)

    • The sample compiled with english language support

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • The process uses the downloaded file

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)

    • Creates files or folders in the user directory

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • Reads the computer name

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)

    • Checks supported languages

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 556)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)

    • Reads the machine GUID from the registry

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • Checks proxy server information

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)

    • Process checks computer location settings

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)
      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6340)

    • Reads CPU info

      • 99a803f00b5c0f1142a265867a88343a90e9958d.exe (PID: 6348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:04 15:38:43+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5480960
UninitializedDataSize: 17833472
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.0.1.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 9.0.1
ProductName: AnyDesk
ProductVersion: 9
LegalCopyright: (C) 2024 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 99a803f00b5c0f1142a265867a88343a90e9958d.exe no specs #ADWARE 99a803f00b5c0f1142a265867a88343a90e9958d.exe 99a803f00b5c0f1142a265867a88343a90e9958d.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
556"C:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe" C:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.1
Modules
Images
c:\users\admin\appdata\local\temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6340"C:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe" --local-serviceC:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe
99a803f00b5c0f1142a265867a88343a90e9958d.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.1
Modules
Images
c:\users\admin\appdata\local\temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
6348"C:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe" --local-controlC:\Users\admin\AppData\Local\Temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe99a803f00b5c0f1142a265867a88343a90e9958d.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.1
Modules
Images
c:\users\admin\appdata\local\temp\99a803f00b5c0f1142a265867a88343a90e9958d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
778
Read events
778
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
634099a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\AnyDesk\service.conftext
MD5:ABC5FA0F11A8146B8C004C3153D0D70A
SHA256:5C03A9E92EA64138B0262747B98C8946C8CB1A9A45553D1D00AA359C5EA84E15
55699a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conftext
MD5:A787C308BD30D6D844E711D7579BE552
SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
634099a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\AnyDesk\global_cache\device-id.cachebinary
MD5:B155386A3CE171806D466646F7389238
SHA256:1CA12E980A8F379956CA1B8BD4E0AB0CA80FEBD1880DFF94C8A46DC0151B961C
55699a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-msbinary
MD5:F32C31EB362D9B22B6BC75513020BDE8
SHA256:8D925C178C1751321BAEE84E167A2730D956872D3CB75D0AE75A571BFFCDDBDE
55699a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSKDRMTC8BAH0ROPQPQV.tempbinary
MD5:F32C31EB362D9B22B6BC75513020BDE8
SHA256:8D925C178C1751321BAEE84E167A2730D956872D3CB75D0AE75A571BFFCDDBDE
634099a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conftext
MD5:0C04AD1083DC5C7C45E3EE2CD344AE38
SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0
634099a803f00b5c0f1142a265867a88343a90e9958d.exeC:\Users\admin\AppData\Local\Temp\gcapi.dllexecutable
MD5:1CE7D5A1566C8C449D0F6772A8C27900
SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
36
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1488
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1488
svchost.exe
GET
200
2.16.164.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7088
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7088
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6340
99a803f00b5c0f1142a265867a88343a90e9958d.exe
POST
200
18.245.86.105:80
http://api.playanext.com/httpapi
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
1488
svchost.exe
2.16.164.107:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.107:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1488
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.185:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.107
  • 2.16.164.104
  • 2.16.164.113
  • 2.16.164.128
  • 2.16.164.131
  • 2.16.164.122
  • 2.16.164.97
  • 2.16.164.130
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.179
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.140
  • 20.190.160.14
  • 40.126.32.136
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.133
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
boot.net.anydesk.com
  • 15.235.218.150
whitelisted
relay-2826fa6a.net.anydesk.com
  • 138.199.27.224
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Driver Updater Setup Process
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
99a803f00b5c0f1142a265867a88343a90e9958d