734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2023 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.9MB
MD5

bca01af10aac7833188c47d7fec17196
SHA1

7f7898da333b924bd358aeb9936a944eb8bf3c09
SHA256

734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a
SHA512

4429536226a6f3e72d008525c99bc0e676973be04670f7bb49f93ad20e7c8957ceb945c9eeea3ff47e6a751525976b0f4702e90d682940d225d6cb82a6567032
SSDEEP

49152:6ZeC+Xpi5ZnHuNO7HrDequJVU6GTTC/gZAjj4agcXz75rtelRqEiruLh3fZlTP5t:cpfn7HruwEk00agcD7fkRX6uRfZrnAnC

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	AnyDesk.exe
3140	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4080	AnyDesk.exe
4080	AnyDesk.exe
4080	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4080	AnyDesk.exe
4080	AnyDesk.exe
4080	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3140	1860	AnyDesk.exe	81
PID 1860 wrote to memory of 3140	1860	AnyDesk.exe	81
PID 1860 wrote to memory of 3140	1860	AnyDesk.exe	81
PID 1860 wrote to memory of 4080	1860	AnyDesk.exe	82
PID 1860 wrote to memory of 4080	1860	AnyDesk.exe	82
PID 1860 wrote to memory of 4080	1860	AnyDesk.exe	82

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
21fec4dc2ba24b105d77a6259c9c03fd

SHA1
ad0bcec6943c2e47dde9e50c1a94d6de7664c7f1

SHA256
00bd980683cc78e13f37ec41f23de5878fc9a8241a6482e32ae167ea2f7b1520

SHA512
4b48cbd19ab71158cb4120be201f7057a3fca9bd5bcb222f710235a0a6b42c5dbdc0c956c3fa3d174b7bdc1e4d022741c7a7beb8d0ddfabb7f30a00ca6f19315

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
21fec4dc2ba24b105d77a6259c9c03fd

SHA1
ad0bcec6943c2e47dde9e50c1a94d6de7664c7f1

SHA256
00bd980683cc78e13f37ec41f23de5878fc9a8241a6482e32ae167ea2f7b1520

SHA512
4b48cbd19ab71158cb4120be201f7057a3fca9bd5bcb222f710235a0a6b42c5dbdc0c956c3fa3d174b7bdc1e4d022741c7a7beb8d0ddfabb7f30a00ca6f19315

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bcfdc6929278d397230aadb9e63fecc2

SHA1
e489f0640741cd916c941c3f5d22f6527665638e

SHA256
a94fe77d5cf7ce4bde71ff5d9c923388c542652ab24355d42a8fb9d9d70fd1c2

SHA512
35b9711f18ccdeb6d78bbfcafa11b7aa840c0dffb5df8f0fecd359ffe657239f4fd476f6f7069b69ccc963deb166c834842571313dd24e10fa0d7bfb694552d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bcfdc6929278d397230aadb9e63fecc2

SHA1
e489f0640741cd916c941c3f5d22f6527665638e

SHA256
a94fe77d5cf7ce4bde71ff5d9c923388c542652ab24355d42a8fb9d9d70fd1c2

SHA512
35b9711f18ccdeb6d78bbfcafa11b7aa840c0dffb5df8f0fecd359ffe657239f4fd476f6f7069b69ccc963deb166c834842571313dd24e10fa0d7bfb694552d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ab95cd545832ba28a0629e9499486534

SHA1
18cc6e2e3c339a47dee87ff74691858ada09eb37

SHA256
08eb3c08f38dcd00eae31b8881f971f534474f648ca92ad97d71120e05a0ca23

SHA512
8406435d96a107ae366f47211485f428c96c6eff99d543cb1309a705cb198b3c6d164e2e9cb9a719eda46a8aa3dd90409a663dca56e9c5454438eb04c0582670

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ec587a170a563061b41fa7782a53164

SHA1
55bb9ed486c313d1a171a55527e404ca715f0762

SHA256
d1d153efae34b85a5b6f3afed18559d4248eb5aa16865cb289e7d9a6f68dfdcb

SHA512
fe7747d602b81a0ef46d2e72f3b785d2b0a93cd0174a0214ceab5c0eb49f1245532a563dfaf15e9de9a67fd36e01a9234caa7af8ab3bf652c7a9865798574de7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a9d376cdb67b6c474cb66066dc6db19b

SHA1
b263b401353762ce9877eec2a3dbf67a1e7cf10c

SHA256
e84429d66b2ad951d5208ef4eefcb18b6db484bb2f85caa3a05d754f30d7aa07

SHA512
700857409486e073e10b2da7a9e6a3c6b21f3e5b5abce6dc15cea3dd6b5860cdebb69e3d616f254d633f168361a2feaab7009c8983915502187bca0a80e092a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a9d376cdb67b6c474cb66066dc6db19b

SHA1
b263b401353762ce9877eec2a3dbf67a1e7cf10c

SHA256
e84429d66b2ad951d5208ef4eefcb18b6db484bb2f85caa3a05d754f30d7aa07

SHA512
700857409486e073e10b2da7a9e6a3c6b21f3e5b5abce6dc15cea3dd6b5860cdebb69e3d616f254d633f168361a2feaab7009c8983915502187bca0a80e092a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
e6db56a98a7ba45caff372d8c8f6611f

SHA1
6f2dfb7d123e523b202c724e24fa8d88ede1df03

SHA256
2c5adbbb94c46da6d44131f2e8dad2b590361a467368e4e8c88e19d7f97e5a55

SHA512
7ecd04dc86ef7e3f3d10cf7c4a7385f8047566ddbdefed5fc7667e03b66f490f421422e99b96fab4969b1951c56819484d2947dcaacd559f6c0b54bbd27be695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
1983a8bae4bacd5486240fd87c6e97e6

SHA1
12b8926c99291e863e8d91f5901f0d8b32d5a159

SHA256
8380fa653e401b0544fca343e20336c5aa9032d98f878cc3b457c946dbe783c0

SHA512
46734874eab1a86754640d2e8f584e9a9e621e9efa231fb3f146ebd3ecdf8e0a2c0ec6208741c45934dfc2de2f9993a74b2e7f26b477fd576589d3b107e5c523

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
68f6b5558aaa252bf2cec0a492b6ac42

SHA1
239c6dafe6e717b28207b4ffe6edccb0be488b0c

SHA256
12a3bff5a8c78961adbc9ac152f9a428c4cf3860f7aaa1f56a26e124d9c3136e

SHA512
1378fcd3b7d094a12c2397dc75c3a7be4638ef14ff193a6ecbcec2d0f9527bf12c82ed105a5bc9e0e1b57271fc5b6d6e3317c23b459f0f3717148512c910025a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
060916e37dad13528c9964eebeb6bb14

SHA1
5f13c7414a6fdc97ac41fe0d1b445252ec49b722

SHA256
2ccb4e40b200f9982b974b33f9f4035c091fdb5b9acd6b05ae63b93920c70ac8

SHA512
e8fa9b6feefb6b8460ce616e150a9825821000d5fea1631fe54488e542fd5783653e52a090a9394302939c0314491c997b206b8050213c9d3fae66d5398fe97a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
060916e37dad13528c9964eebeb6bb14

SHA1
5f13c7414a6fdc97ac41fe0d1b445252ec49b722

SHA256
2ccb4e40b200f9982b974b33f9f4035c091fdb5b9acd6b05ae63b93920c70ac8

SHA512
e8fa9b6feefb6b8460ce616e150a9825821000d5fea1631fe54488e542fd5783653e52a090a9394302939c0314491c997b206b8050213c9d3fae66d5398fe97a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5c2696a1c9bcf587fef779726630ba2

SHA1
b665db3c509a9ab5a82b41802b1cf13cba01a202

SHA256
805162714302c0d35472b3be8ef6fa5b3405adc22e2b9772befc665851f65152

SHA512
c992ee119a79eddbcade1b8b4c220598e9cb2dd9d99a1cb7c1fc126334edcab9174b56ec0b614d3bc9ed517c5415bd3ef6d03d3b5927f431effc9cd099ca9d6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5c2696a1c9bcf587fef779726630ba2

SHA1
b665db3c509a9ab5a82b41802b1cf13cba01a202

SHA256
805162714302c0d35472b3be8ef6fa5b3405adc22e2b9772befc665851f65152

SHA512
c992ee119a79eddbcade1b8b4c220598e9cb2dd9d99a1cb7c1fc126334edcab9174b56ec0b614d3bc9ed517c5415bd3ef6d03d3b5927f431effc9cd099ca9d6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6df023bd5c46c011e22e0eb83d6b8c36

SHA1
c365d5aac1f5527ee8467c05e4b0dd64e964a687

SHA256
233efa56bf87762d79c53c45ff80c69ef0628ab02b219ac567a8806b73213932

SHA512
ed156b4158bba48329631dcb1a1fd9256073fd64753d3d5e0b4e45c24f2886d0d82014a59f736948050156bba7c5b03c92063a125a3ee8b6a6917084a2972b18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6df023bd5c46c011e22e0eb83d6b8c36

SHA1
c365d5aac1f5527ee8467c05e4b0dd64e964a687

SHA256
233efa56bf87762d79c53c45ff80c69ef0628ab02b219ac567a8806b73213932

SHA512
ed156b4158bba48329631dcb1a1fd9256073fd64753d3d5e0b4e45c24f2886d0d82014a59f736948050156bba7c5b03c92063a125a3ee8b6a6917084a2972b18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29082e139c1969538ea5ec837b0d8aa5

SHA1
3251a3a2f36e0dc865ff4340f800eb88b9eede13

SHA256
49e8d514e9ab10825f27d2651e356bf434fa7a1c6059726190360eb36099a03a

SHA512
9f4a5bd76553a1426283988b94a147f2aae84fc4e024dfe2e5f33b7aaeda0d36071d9254ddc84628ad8a808a9f7d47121710fd140c6cf2886170bab63349484e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fc536eff94caa6ea29bafe910fe804c6

SHA1
8c4351db2842131c49dfc3a3c5228a4702a4b020

SHA256
628570cf5ddb207e7423f84db3fafc948ee19cf7da3f8669c8fb164e1558086a

SHA512
00af66b1fb3045a717674ac187fa82fcaa562b23ca6bb58d54103ee75a4d74bc1b956ccc880156769dbbe0a08988071a1fa850e1dc09f38ef4435d6015a2901d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1b885de04827937df73abf1ee100f3b6

SHA1
3db302d115735d5e72da1e1de4063979e93ffee6

SHA256
800bad947aec001d30e17fa10983c1a07cf9d19d5fb5895209090d3f64f80125

SHA512
b10e3301ecd38f339b292f76819202d039257168ab354e3449fba6bb9415d06c4259dc4a3cede0a588bee0039caedaef8d7de53e1f1331c8d9571456a40fd82a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af962fd49fb9ad25c15df38fef730b6e

SHA1
b5e0abf83930c692b54ab1bf024eb46e9edef5eb

SHA256
84999c03d82cfc63a844201fede136af07ac32be6e88c1056bac68fa3b4382e6

SHA512
3c43675cb720c7d2f489156ed8db7baa084d4d54941c2220b8213cb4112bc25b3db2636d4789caa7af4065b42127f04ee5d7bb4e332e143189915f4e0ab51bbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7a604c4de35583c529f7081cdc679ec5

SHA1
fef4872180cd666128bec198b84aa08dcc2bcb08

SHA256
168e9d325983e53be23449576d45fa8446b63e4f5676ac77940770946f4a5dfd

SHA512
870657d48193426a6e9c62a0340a7c9e4d58a1fd70d00d037e699e05349c88ca1e9fdb5b32dc2b0c67a7da2a916c4de6ce70945f4948d92a0d843153b33195ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7a604c4de35583c529f7081cdc679ec5

SHA1
fef4872180cd666128bec198b84aa08dcc2bcb08

SHA256
168e9d325983e53be23449576d45fa8446b63e4f5676ac77940770946f4a5dfd

SHA512
870657d48193426a6e9c62a0340a7c9e4d58a1fd70d00d037e699e05349c88ca1e9fdb5b32dc2b0c67a7da2a916c4de6ce70945f4948d92a0d843153b33195ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6111be477b9f51ae2eabbdd381aa9f80

SHA1
18281af007fe1230f032706411c59d1708d31106

SHA256
5b231279175ca22e2328b979074a11a8a57caff4a2566583be339578763cf59a

SHA512
76bf85f19eca7c9895ddc9c3639568d694034b2daf9010447b3847938e20c4a2588e0925cee4d3198830a0cc77678ec00fb9a344623a8fda73335dda661c783d

Download Submit
memory/1860-133-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download
memory/1860-153-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1860-152-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1860-321-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download
memory/1860-136-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/3140-143-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download
memory/3140-332-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download
memory/4080-162-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4080-142-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download
memory/4080-333-0x0000000000AF0000-0x0000000001B74000-memory.dmp

Filesize
16.5MB

Download