File name: | AnyDesk.exe |
Full analysis: | https://app.any.run/tasks/23ebc4f7-753b-4c4c-b195-a162b6fb959e |
Verdict: | Malicious activity |
Analysis date: | February 22, 2020, 08:49:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 245B48D46A3181EA46917F791AFF484C |
SHA1: | 25362686E2BE1031CB8BD31CDD5012FA336B6F54 |
SHA256: | 774C97309B1F7B6E032992FEDAEECAFE4A39CA97193DC694196A24C9A827E0F7 |
SSDEEP: | 49152:LxPC/oZ7iU89FaPH6+gTUQWpSCAwA5Zf+6e+sT2:LxPCEWUWFaPXkWA/t+T2 |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:06:12 22:31:31+02:00 |
PEType: | PE32 |
LinkerVersion: | 10 |
CodeSize: | 10752 |
InitializedDataSize: | 2033664 |
UninitializedDataSize: | 6762496 |
EntryPoint: | 0x1ce9 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 4.1.3.0 |
ProductVersionNumber: | 0.0.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Unknown (0) |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | philandro Software GmbH |
FileDescription: | AnyDesk |
FileVersion: | 4.1.3.0 |
ProductName: | AnyDesk |
ProductVersion: | 4.1 |
LegalCopyright: | (C) 2016 philandro Software GmbH |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Jun-2018 20:31:31 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | philandro Software GmbH |
FileDescription: | AnyDesk |
FileVersion: | 4.1.3.0 |
ProductName: | AnyDesk |
ProductVersion: | 4.1 |
LegalCopyright: | (C) 2016 philandro Software GmbH |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 12-Jun-2018 20:31:31 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00002835 | 0x00002A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.50891 |
.itext | 0x00004000 | 0x00673000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00677000 | 0x000002F3 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.60299 |
.data | 0x00678000 | 0x001E8D54 | 0x001E8A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9999 |
.rsrc | 0x00861000 | 0x00007038 | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.47325 |
.reloc | 0x00869000 | 0x00000300 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.18127 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.42155 | 1576 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 2.81306 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 3.03061 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 3.17157 | 2440 | UNKNOWN | English - United States | RT_ICON |
5 | 3.57548 | 1128 | UNKNOWN | English - United States | RT_ICON |
1000 | 2.64638 | 76 | UNKNOWN | English - United States | RT_GROUP_ICON |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1504 | "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1836 | "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-service | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | AnyDesk.exe | |
User: admin Integrity Level: MEDIUM | ||||
2744 | "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --local-control | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | — | AnyDesk.exe |
User: admin Integrity Level: MEDIUM | ||||
2516 | "C:\Program Files\FileZilla FTP Client\filezilla.exe" | C:\Program Files\FileZilla FTP Client\filezilla.exe | — | explorer.exe |
User: admin Company: FileZilla Project Integrity Level: MEDIUM Description: FileZilla FTP Client Exit code: 0 Version: 3, 36, 0, 0 | ||||
3524 | "C:\Users\admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-drv --update-auto --svc-conf "C:\Users\admin\AppData\Roaming\AnyDesk\service.conf" | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | AnyDesk.exe | |
User: admin Integrity Level: HIGH Exit code: 11341825 | ||||
3260 | "C:\Program Files\AnyDesk\AnyDesk.exe" --service | C:\Program Files\AnyDesk\AnyDesk.exe | services.exe | |
User: SYSTEM Integrity Level: SYSTEM | ||||
2784 | "C:\Program Files\AnyDesk\AnyDesk.exe" --control | C:\Program Files\AnyDesk\AnyDesk.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM | ||||
3500 | "C:\Program Files\AnyDesk\AnyDesk.exe" --new-install | C:\Program Files\AnyDesk\AnyDesk.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1504 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O03LOX3JA2G0ZUA1Z6BU.temp | — | |
MD5:— | SHA256:— | |||
1504 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NE2O2IQFSJC3W2B3A8XV.temp | — | |
MD5:— | SHA256:— | |||
2516 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\layout.xml~ | — | |
MD5:— | SHA256:— | |||
2516 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml~ | — | |
MD5:— | SHA256:— | |||
1504 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ENGDJ66L9RZ1ABW9ELH7.temp | — | |
MD5:— | SHA256:— | |||
1504 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms | binary | |
MD5:6BE014ACBD8BBF4F6EE60FFD98412604 | SHA256:A51B3C0C4D1EFFCFD1779A77E835BFC730D677D92470E027F3FCB06282682CB8 | |||
1836 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text | |
MD5:51DBEDE987E4249F43CEA5D2FC8B9D78 | SHA256:5AD193A4464469BA8913F813F8327E8A579824A29884919E7FE4420B4EA408DB | |||
1836 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\service.conf | text | |
MD5:B1FE756D4F1B0B201C8CE6A617BB7FEB | SHA256:2F7B3880CABD2067323C7EE8CEE8247D8AA33A7AC5C7EAAA70AFCC37B579BDB8 | |||
1504 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFa672b7.TMP | binary | |
MD5:6BE014ACBD8BBF4F6EE60FFD98412604 | SHA256:A51B3C0C4D1EFFCFD1779A77E835BFC730D677D92470E027F3FCB06282682CB8 | |||
2516 | filezilla.exe | C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml | xml | |
MD5:90F43C057C9B31BE9D16384C16C6C1FC | SHA256:62979581B4BC7ED5CBD4F2A8E1B407F999981BFB3875747BE3E30784A25381A3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1836 | AnyDesk.exe | 116.202.114.37:80 | relay-78e70832.net.anydesk.com | 334,Udyog Vihar | IN | suspicious |
1836 | AnyDesk.exe | 94.130.141.62:443 | boot-01.net.anydesk.com | Hetzner Online GmbH | DE | suspicious |
3260 | AnyDesk.exe | 94.130.141.62:443 | boot-01.net.anydesk.com | Hetzner Online GmbH | DE | suspicious |
3260 | AnyDesk.exe | 144.76.172.170:80 | relay-dc242902.net.anydesk.com | Hetzner Online GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
boot-01.net.anydesk.com |
| whitelisted |
relay-78e70832.net.anydesk.com |
| suspicious |
relay-dc242902.net.anydesk.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1836 | AnyDesk.exe | Potential Corporate Privacy Violation | ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software) |