File name:	a56262fcabe243cccb04f63bddd2070225384c56.exe
Full analysis:	https://app.any.run/tasks/7ec8dea7-88ec-4d20-99a1-86d8ff6c1e8b
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 19:22:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	anydesk tool adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	397D3D86E19723430C2926EE7714678D
SHA1:	A56262FCABE243CCCB04F63BDDD2070225384C56
SHA256:	7F358693B4C4D0876E7D2A83E2C67D776B0385C894A2607F5483799A78E70A3D
SSDEEP:	98304:EjoeriUqnjFruRx0rROA0D/kB5kYonn4W2DC0Gnkw0JvNO7/Deq96UOkgIPj/fpe:nVii/FfAQ/z

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:09:12 14:33:54+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	10752
InitializedDataSize:	4962304
UninitializedDataSize:	16698880
EntryPoint:	0x1ce5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	8.1.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	AnyDesk Software GmbH
FileDescription:	AnyDesk
FileVersion:	8.1.0
ProductName:	AnyDesk
ProductVersion:	8.1
LegalCopyright:	(C) 2022 AnyDesk Software GmbH

PID	Process	Filename		Type
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\AnyDesk\service.conf		text
		MD5:2203B9722E9BE4D9BEA805A24A4CA39E	SHA256:A6473E672D551A29FC4E1FD7F80112119341EAC28135BCD02F4D35AA6095092C
4824	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\AnyDesk\user.conf		text
		MD5:A787C308BD30D6D844E711D7579BE552	SHA256:8A395011A6A877D3BDD53CC8688EF146160DAB9D42140EB4A70716AD4293A440
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\Desktop\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Local\Temp\gcapi.dll		executable
		MD5:1CE7D5A1566C8C449D0F6772A8C27900	SHA256:73170761D6776C0DEBACFBBC61B6988CB8270A20174BF5C049768A264BB8FFAF
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\AnyDesk\global_cache\device-id.cache		binary
		MD5:F04139851F145D27BB889929E12EA1A0	SHA256:DCD8EACD7FF0BB18D58672CF51ABEB4F474337398CB4D5F316608407C2177743
4824	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LV1C1KF4GUIJ7YK4J51U.temp		binary
		MD5:56B31618350FD76252460A200FDEB39A	SHA256:82B00A934445EBBB9695CED6066C3961D650DD198B21D2FFE05BA8E21D5E83FE
4824	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms		binary
		MD5:56B31618350FD76252460A200FDEB39A	SHA256:82B00A934445EBBB9695CED6066C3961D650DD198B21D2FFE05BA8E21D5E83FE
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	C:\Users\admin\AppData\Roaming\AnyDesk\system.conf		text
		MD5:0C04AD1083DC5C7C45E3EE2CD344AE38	SHA256:6452273C017DB7CBE0FFC5B109BBF3F8D3282FB91BFA3C5EABC4FB8F1FC98CB0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3884	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3884	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
524	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	POST	—	13.32.27.120:80	http://api.playanext.com/httpapi	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
3884	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
524	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3884	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3884	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
524	RUXIMICS.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1520	a56262fcabe243cccb04f63bddd2070225384c56.exe	37.59.29.33:443	boot.net.anydesk.com	OVH SAS	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
boot.net.anydesk.com	37.59.29.33	whitelisted
relay-8897650c.net.anydesk.com	186.233.185.58	whitelisted
relay-5677ec2b.net.anydesk.com	212.102.60.97	whitelisted
api.playanext.com	13.32.27.112 13.32.27.62 13.32.27.110 13.32.27.120	whitelisted
self.events.data.microsoft.com	40.79.150.121	whitelisted
relay-cff9f821.net.anydesk.com	64.31.49.178	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Driver Updater Setup Process

General Info

a56262fcabe243cccb04f63bddd2070225384c56.exe

397D3D86E19723430C2926EE7714678D

A56262FCABE243CCCB04F63BDDD2070225384C56

7F358693B4C4D0876E7D2A83E2C67D776B0385C894A2607F5483799A78E70A3D

98304:EjoeriUqnjFruRx0rROA0D/kB5kYonn4W2DC0Gnkw0JvNO7/Deq96UOkgIPj/fpe:nVii/FfAQ/z

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

ADWARE has been detected (SURICATA)

SUSPICIOUS

Application launched itself

ANYDESK has been found

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Access to an unwanted program domain was detected

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads CPU info

Creates files or folders in the user directory

Checks proxy server information

The sample compiled with english language support

Process checks whether UAC notifications are on

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings