fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
4872	AnyDesk.exe
4872	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4400	AnyDesk.exe
4400	AnyDesk.exe
4400	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4400	AnyDesk.exe
4400	AnyDesk.exe
4400	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 5060 wrote to memory of 4872	5060	AnyDesk.exe	90
PID 5060 wrote to memory of 4872	5060	AnyDesk.exe	90
PID 5060 wrote to memory of 4872	5060	AnyDesk.exe	90
PID 5060 wrote to memory of 4400	5060	AnyDesk.exe	91
PID 5060 wrote to memory of 4400	5060	AnyDesk.exe	91
PID 5060 wrote to memory of 4400	5060	AnyDesk.exe	91

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
b49f013017113f23dcf9adf222e04266

SHA1
6718e7ee2dba32f64c896cef7024aaa24fd84626

SHA256
b434bd4be43f1505816b71561384c91445f232760d354ad3710e8ea0e8c8e3c3

SHA512
38b8eb57a982bb019b01d4090bc7716a3264919fc44438b4d6a18b150b980213b32567ac96d618572c2b74631ebb1bfebb678d76834662cb66bcf7d039f0efda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
b49f013017113f23dcf9adf222e04266

SHA1
6718e7ee2dba32f64c896cef7024aaa24fd84626

SHA256
b434bd4be43f1505816b71561384c91445f232760d354ad3710e8ea0e8c8e3c3

SHA512
38b8eb57a982bb019b01d4090bc7716a3264919fc44438b4d6a18b150b980213b32567ac96d618572c2b74631ebb1bfebb678d76834662cb66bcf7d039f0efda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9726e763dd54a1eaa4d2e1a133bb7154

SHA1
86f355081d9fa41527808542b829829b33d978a7

SHA256
40c9a38bbcc98f0f623481df654f326cb0f12d2a719faea7a1c58c91d76318b0

SHA512
de34eb0d3628ad5815869301b6ebc57c9012ec51df7abb37ae1242c0deab5c19ed7ff3795d47c513373fcd203ead9446e978c5bc84beefaf4743abc5a3d810ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ad2fd79f4cc17b8bb87a3e5961e5828e

SHA1
9df0e1540ed3299f606262570e836455323d649d

SHA256
21a38ca9d8ac55e8f1647ca11e43b5bfb5230dcb8d4a52ff75cd2da286a052e9

SHA512
e92ed6cd97abf015bbcd1f57e7ce06dad5505e58bd01a7c61c4620cb857b46e6f07f4d75ce3719186957e5bd0e39f6d082f09143802fe91e97f622fd219aa4b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
29b7344f34e0e833660dc4944c9bebbb

SHA1
51ed50c0ddd4ee388ce92e2c504023c113183254

SHA256
003d89e7d1a40bfd7edf4ec703597919ab2634f8ae07e0c7685484e783c072a6

SHA512
db4f8215b66bac3361ad36e3dd06886cfa4fd2d7f9467095155ca1c53266dd5b103da2c1e377aaa0ba172ede7a5e75d24004789dd296815fdf8c396cccdaa1ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
29b7344f34e0e833660dc4944c9bebbb

SHA1
51ed50c0ddd4ee388ce92e2c504023c113183254

SHA256
003d89e7d1a40bfd7edf4ec703597919ab2634f8ae07e0c7685484e783c072a6

SHA512
db4f8215b66bac3361ad36e3dd06886cfa4fd2d7f9467095155ca1c53266dd5b103da2c1e377aaa0ba172ede7a5e75d24004789dd296815fdf8c396cccdaa1ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
a2996d5c662168e395e035869817c607

SHA1
60bb54dc023fdc636f88383eeb9bff7e3dcac249

SHA256
c81898a9debad32cb1af8eb56a3b5a580c610f8eaf53562b2f0e592804251448

SHA512
9d695117313c48dbc4c3ca97e19e2999d9054905b351819f53e9d62c42f002b061fba8b699ab11050e369b3a9d54f95efe013ad079b587804f73c0a39c12b81f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
70b298a467da3ded3a8b82a61da424d2

SHA1
575d4bdcd556f24633a3bddeb1ab451f75dcb7a2

SHA256
8da9fc1f986e50892ac1b8619d742b1a47a02c0163968a58948175fa435e579f

SHA512
7daae2bdb6b3f16590550b7c2380ed9c9384b3fc77ed87337ebd6ea82e41428a967f22cf32fe13be74a3d0cab95b7f4a7d97c2fd2d1829ef65c9d20d62d5e2cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
ddb46facb5e4a2705ea4cb1f139003ab

SHA1
447e1d7ee843105f3d0c906c5910d1150a14d708

SHA256
de81ddc4ac7e4f625806bfb789cb5540221ec2b1d2f326f69347a0f4ea88f75c

SHA512
2c589880f95bcea083bd345da40fc1d79166d2570f7d3852cbe1f38a9dd4002ad52fab371cfaeac6483432cdcd0a75aa16e8b34187e49d566ba55308a5ab8cbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
ddb46facb5e4a2705ea4cb1f139003ab

SHA1
447e1d7ee843105f3d0c906c5910d1150a14d708

SHA256
de81ddc4ac7e4f625806bfb789cb5540221ec2b1d2f326f69347a0f4ea88f75c

SHA512
2c589880f95bcea083bd345da40fc1d79166d2570f7d3852cbe1f38a9dd4002ad52fab371cfaeac6483432cdcd0a75aa16e8b34187e49d566ba55308a5ab8cbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f25aa6a35ad359e74a7456b0dfada5d0

SHA1
2025d3df49b5d846a3e026e365b7d301cdd044d7

SHA256
6f57c5249e2f4fc46da9fe062e100095de4a67007ab83c7a85ee8cc0e4702b6e

SHA512
2918bcb9c3be49a748064d8e21fc07a4a2b6944514fce63586da58702c21d9c7fc944563f4cdc08f663de15d53a59068cda32ba1af2ec581c4a7b6cf9030f301

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f25aa6a35ad359e74a7456b0dfada5d0

SHA1
2025d3df49b5d846a3e026e365b7d301cdd044d7

SHA256
6f57c5249e2f4fc46da9fe062e100095de4a67007ab83c7a85ee8cc0e4702b6e

SHA512
2918bcb9c3be49a748064d8e21fc07a4a2b6944514fce63586da58702c21d9c7fc944563f4cdc08f663de15d53a59068cda32ba1af2ec581c4a7b6cf9030f301

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c12561d11890b0d98fe455464e0c742

SHA1
ed412c7d48ae003eb7b78bcbaf79387b35d97bf9

SHA256
74e7516d4b78077ff79d5b34f9e633f547d3250638cfdad50e1f9d5edcddfb7b

SHA512
1ecd06136d8b7598069d328231049d18caecdc6a747ad25988d05546b4aff16c06daf8c55776b13f19add66dac662660328b4878d3e8af8af73d8118c785a582

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
61c76ecd87a25bc668db40c4cf8af216

SHA1
4f8429ff6af2a79034f60cc61546fb535d6b196d

SHA256
f3c5cf652ebc4f07700e86bd4ac2c3ac7ca54fbbe6c148f625bb10d84c061470

SHA512
07403bef296b8680ee6f7594bf6dbb74acbffc6d8fd6606b0e242331b2fb6b3c5768d2a61f5ab0d166a8e9dc0f6ce36c7d81f8d02b4246c4c7e8f8c9dd7f7926

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5870c0370d2b01f91867ba0d7f140985

SHA1
b748de8f4dd719a755ff34e7770012620a3430e7

SHA256
7d516e139105d144ce02fab03a5e3a321258a5c856f8a4958010279779fbbf82

SHA512
8820b4db356026faea62cbdf9e151c6ec59f511b022179e0ff84f87f8b07115fd902317f6a95fc7a5fefb6ff1ace07e74e52a0840410434e32d7bb93830f57e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5870c0370d2b01f91867ba0d7f140985

SHA1
b748de8f4dd719a755ff34e7770012620a3430e7

SHA256
7d516e139105d144ce02fab03a5e3a321258a5c856f8a4958010279779fbbf82

SHA512
8820b4db356026faea62cbdf9e151c6ec59f511b022179e0ff84f87f8b07115fd902317f6a95fc7a5fefb6ff1ace07e74e52a0840410434e32d7bb93830f57e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
17136cc8f90540488b5070b9290f42e1

SHA1
73dda3e12762abfad74861249a9eeb4a9a013576

SHA256
c5ca0c18771fffea1e369d90f0a6b80076cabb2aca24b46809042506f6647691

SHA512
ca890ebd58cc72c305a66b80d14aa2efc6e9770042ffdc783988a94d8dd190633faabb35229bb667da3c9bb62f20a1094958378829d0da6f1d0e0efab50b4150

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35f6307be164ec2bb306b94eb219f024

SHA1
ca2dc36c55dc0cf2befb23cf473fb4729101d8d4

SHA256
94d437e2c0e3f757c140eb6df9ff610bd4bc7ac2264fd0da0476f6bd5c5e3a90

SHA512
bb5799b769425675aaeafbe2ca2e006c7fa510ccd326228af29246113ab2c815827d1661133399ab027b02e2be0e2203c68122ad97f3d8749404a09a4875808a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35f6307be164ec2bb306b94eb219f024

SHA1
ca2dc36c55dc0cf2befb23cf473fb4729101d8d4

SHA256
94d437e2c0e3f757c140eb6df9ff610bd4bc7ac2264fd0da0476f6bd5c5e3a90

SHA512
bb5799b769425675aaeafbe2ca2e006c7fa510ccd326228af29246113ab2c815827d1661133399ab027b02e2be0e2203c68122ad97f3d8749404a09a4875808a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35f6307be164ec2bb306b94eb219f024

SHA1
ca2dc36c55dc0cf2befb23cf473fb4729101d8d4

SHA256
94d437e2c0e3f757c140eb6df9ff610bd4bc7ac2264fd0da0476f6bd5c5e3a90

SHA512
bb5799b769425675aaeafbe2ca2e006c7fa510ccd326228af29246113ab2c815827d1661133399ab027b02e2be0e2203c68122ad97f3d8749404a09a4875808a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35f6307be164ec2bb306b94eb219f024

SHA1
ca2dc36c55dc0cf2befb23cf473fb4729101d8d4

SHA256
94d437e2c0e3f757c140eb6df9ff610bd4bc7ac2264fd0da0476f6bd5c5e3a90

SHA512
bb5799b769425675aaeafbe2ca2e006c7fa510ccd326228af29246113ab2c815827d1661133399ab027b02e2be0e2203c68122ad97f3d8749404a09a4875808a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35f6307be164ec2bb306b94eb219f024

SHA1
ca2dc36c55dc0cf2befb23cf473fb4729101d8d4

SHA256
94d437e2c0e3f757c140eb6df9ff610bd4bc7ac2264fd0da0476f6bd5c5e3a90

SHA512
bb5799b769425675aaeafbe2ca2e006c7fa510ccd326228af29246113ab2c815827d1661133399ab027b02e2be0e2203c68122ad97f3d8749404a09a4875808a

Download Submit
memory/4400-30-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4400-22-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/4400-13-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/4400-192-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/4872-15-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/4872-194-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-25-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/5060-89-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/5060-0-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-24-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/5060-10-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-6-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/5060-4-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-3-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-193-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/5060-1-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download