ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

Resubmissions

31-12-2023 09:11

231231-k5vvksadc3 6

29-12-2023 08:53

231229-ktts5sgbh8 10

Analysis

max time kernel
91s
max time network
1361s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
31-12-2023 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

75eecc3a8b215c465f541643e9c4f484
SHA1

3ad1f800b63640128bfdcc8dbee909554465ee11
SHA256

ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
SHA512

b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
SSDEEP

98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4596	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\romastyle = "MS-IME"	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\Color	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\DisableFunctions = "3"	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\InputMethod	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\LESSTHAN = "269484800"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\convWnd = 1e0000001e0000000901000030000000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\ResourceMode = "4294967295"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\SDkey = 81aa204374726c2b453d38302031312031372031432032302031370081ab204374726c2b583d3830203134203138203142203231203138005441423d38302044322044322044322038302038300053686966742b5441423d46462046462044322031432046462046460095cf8ab73d46462046462044322044322046462046460053504143453d46462046462044322044322046462046460053686966742b53504143453d46462046462044322031432046462046460000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\VJE\Color\colb = 00000000	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\IME\15.0\IMEJP	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\UseCandidateShortcuts = "1"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\Color\colf = 00000000000000000800000300000000080000030000000008000003080000030e000001000000000000000000000000000000000800000308000003000000000000000000000000000000000000000000000000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\S8key = 53504143453d38372046462046462046462046462046460000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\ATOK\S3key = 4374726c2b4261636b53706163653d38302046462046462046462046462046460000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\ShowCharComment = "1"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\AT = "151585536"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\key = 4573633d3830203444203146203336203046203045004374726c2b5a3d3830203444203146203146203046203045005441423d38302044322038302038412038302038300053686966742b5441423d38302046452046452046452046452046450053686966742b4573633d3830203444203045203045203045203045004261636b5370616365204374726c2b483d38302031352031352033362046452031350053686966742b4261636b53706163653d383020313520314620314620464520313500456e746572204374726c2b4d3d3830203039203039203242203039203039004374726c2b456e7465723d38302030392030392030392030392030390053686966742b456e7465723d38302046452046452046452046452046450053504143453d38312030362032442033302030372030360053686966742b53504143453d3838203436203143203143203037203036004374726c2b53504143453d3830203833203833203833203833203833004374726c2b53686966742b53504143453d3832203832203832203832203832203832004374726c2b4261636b53706163653d3834203535203146203146203030203135004374726c2b53686966742b8abf8e9a3d38302034302030302030302030302030300053686966742b8abf8e9a3d3830203430203030203030203030203030008abf8e9a3d38302030362032442033302030372030360095cf8ab73d3837203036203244203330203037203036004374726c2b95cf8ab73d46352046352046352046372046352046350053686966742b95cf8ab73d38302034302031432031432030302030300096b395cf8ab73d39372032382032382032382032382032380053686966742b96b395cf8ab73d39382032392032392032392032392032390044656c657465204374726c2b473d3830203136203136203336204645203136004374726c2b44656c6574653d38302030302030302042372046452030300081a9204374726c2b533d38302031312033462033462031372031310081a8204374726c2b443d38302031322031382031382031382031320053686966742b81a9204374726c2b4b3d38302031312032302032302032302031310053686966742b81a8204374726c2b4c3d38302031322032312032312032312031320081ab204374726c2b583d38302046452046452031422032312046450081aa204374726c2b453d38302046452046452031432032302046450053686966742b81aa3d38302030302030302031452030302030300053686966742b81ab3d3830203443203042203144203042203042004374726c2b81aa3d3830203533203143203143203030203030004374726c2b81ab204374726c2b4e3d3830203534203041203041203041203041004374726c2b81a8204374726c2b463d3830203134203141203345203030203134004374726c2b81a9204374726c2b413d383020313320313920374420303020313300486f6d653d38302031332031392033382046452046450053686966742b486f6d653d383020464520464520464520464520464500456e643d3830203134203141203339204645204645005061676555703d38302030302030302031452030302030300050616765446f776e3d38302030302030302031442030302030300046323d38302030302041442041442041442030300046333d38300046343d3830004635204374726c2b593d3830203632203632203632203632203632004636204374726c2b553d3830203634203234203234203234203234004637204374726c2b493d3830203635203235203235203235203235004638204374726c2b4f3d3830203637203237203237203237203237004639204374726c2b503d383020363620323620323620323620323600463130204374726c2b543d3830203646203246203246203246203246004374726c2b46373d4631203030203030203030203030203030004374726c2b46383d3830204638204638204638204638204638004374726c2b46393d3830204639204639204639204639204639004374726c2b4631303d46352030302030302030302030302030300094bc8a702f91538a703d434420423320423320423320423320423300897090943d413420413420413420413420413420413400834a835e834a83693d43392043392043392043392043392043390053686966742b834a835e834a83693d43392043392043392043392043392043390082d082e782aa82c83d434120434120434120434120434120434100838d815b837d8e9a3d39342039342039342039342039342039340053686966742b4631303d383020303020303020383920303020303000417070734b65793d38302030302030302038392030302030300000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\KeyTopIsTop = "2"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\CandSelByClick = "1"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\GREATERTHAN = "269484800"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\PltTiny\BmpID = f4010000f5010000f6010000f7010000f8010000f9010000fa010000fb010000fc010000fd010000fe010000ff01000000020000010200000202000003020000040200000502000006020000070200000802000009020000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\option3 = "0"	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\PltSmall	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\VJE\S8key = 53504143453d38372046462046462046462046462046460000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\ButtonsAvailableForIMM = 010000000200000003000000040000001400000005000000060000001100000012000000130000001500000016000000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\SLASH = "269484800"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\deffont_alwaysuse = "0"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\S4key = 94bc8a702f91538a703d434520303020303020303020303020303000834a835e834a83693d43452030302030302030302030302030300053686966742b834a835e834a83693d43452030302030302030302030302030300082d082e782aa82c83d43452030302030302030302030302030300095cf8ab73d383720303020303020303020303020303000897090943d43452030302030302030302030302030300000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\Color\colb = 00000000	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\L_BRACKET = "67371776"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\R_BRACKET = "67371776"	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Dictionaries\DIC00 = "imjp15cu.dic,1"	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\style = "NATURAL"	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\DisplayName = "Microsoft IME"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\key = 4573633d3830203444203146203146203046203045004374726c2b5a3d3830203444203146203146203046203045005441423d38302044322038302038412038302038300053686966742b4573633d3830203444203045203045203045203045004261636b5370616365204374726c2b483d38302031352031462031462030302031350053686966742b4261636b53706163653d383020313520314620314620303020313500456e746572204374726c2b4d3d3830203039203039203242203039203039004374726c2b456e7465723d38302030392030392030392030392030390053686966742b456e7465723d38302046452046452046452046452046450053504143453d38312034362033302033302030372030360053686966742b53504143453d3838203436203143203143203037203036004374726c2b53504143453d3830203833203833203833203833203833004374726c2b53686966742b53504143453d3832203832203832203832203832203832004374726c2b4261636b53706163653d3834203535203146203146203030203135004374726c2b53686966742b8abf8e9a3d38302034302030302030302030302030300053686966742b8abf8e9a3d3830203430203030203030203030203030008abf8e9a3d38302034362033302033302030372030360095cf8ab73d3837203436203330203330203037203036004374726c2b95cf8ab73d46352046352046352046372046352046350053686966742b95cf8ab73d38302034302031432031432030302030300096b395cf8ab73d39372032382032382032382032382032380053686966742b96b395cf8ab73d39382032392032392032392032392032390044656c657465204374726c2b473d3830203136203030203030203030203136004374726c2b44656c6574653d38302030302030302042372030302030300081a9204374726c2b533d38302031312031372031372031372031310081a8204374726c2b443d38302031322031382031382031382031320053686966742b81a9204374726c2b4b3d38302031312032302032302032302031310053686966742b81a8204374726c2b4c3d38302031322032312032312032312031320081ab204374726c2b583d38302035342031422031422032312031340081aa204374726c2b453d38302035332031432031432032302031330053686966742b81aa3d38302030302030302031452030302030300053686966742b81ab3d3830203443203042203144203042203042004374726c2b81aa3d3830203533203143203143203030203030004374726c2b81ab204374726c2b4e3d3830203534203041203041203041203041004374726c2b81a8204374726c2b463d3830203134203141203345203030203134004374726c2b81a9204374726c2b413d383020313320313920374420303020313300486f6d653d38302031332031392033382046452030300053686966742b486f6d653d383020464520464520464520464520464500456e643d3830203134203141203339204645203030005061676555703d38302030302030302031452030302030300050616765446f776e3d38302030302030302031442030302030300046323d38302030302041442041442041442030300046333d38300046343d3830004635204374726c2b593d3830203632203632203632203632203632004636204374726c2b553d3830203634203234203234203234203234004637204374726c2b493d3830203635203235203235203235203235004638204374726c2b4f3d3830203637203237203237203237203237004639204374726c2b503d383020363620323620323620323620323600463130204374726c2b543d3830203646203246203246203246203246004374726c2b46373d4631203030203030203030203030203030004374726c2b46383d3830204638204638204638204638204638004374726c2b46393d3830204639204639204639204639204639004374726c2b4631303d46352030302030302030302030302030300094bc8a702f91538a703d434420423320423320423320423320423300897090943d413420413420413420413420413420413400834a835e834a83693d43392043392043392043392043392043390053686966742b834a835e834a83693d43392043392043392043392043392043390082d082e782aa82c83d434120434120434120434120434120434100838d815b837d8e9a3d39342039342039342039342039342039340053686966742b4631303d383020303020303020383920303020303000417070734b65793d38302030302030302038392030302030300000	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\PltTiny	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\Color\underrop = 00000000000000000d000000000000000d000000000000000d0000000d0000000000000000000000000000000000000000000000000000000d000000000000000000000000000000000000000000000000000000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\S1key = 53504143453d46462038312046462046462046462038310000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\msimedsince = "738798"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\S5key = 4261636b5370616365204374726c2b483d46462031352031352033362046452031350053686966742b4261636b53706163653d46462031352031352031352046452031350044656c657465204374726c2b473d46462031362031362033362046452031360081a9204374726c2b533d38302031312031312031312031312031310081a8204374726c2b443d3830203132203132203132203132203132004374726c2b81a9204374726c2b413d4646204646203137203137203137204646004374726c2b81a8204374726c2b463d46462046462031382031382031382046460000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\DisableFunctions = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\CommentDelay = "300"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\R_BRACE = "67371776"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\DOUBLEQUOTE = "117900032"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\SBkey = 44656c657465204374726c2b473d46462038302038302033362046452038300000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\SCkey = 81a8203d46462038302038302033362046462038300000	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\InputMethod\JPN\roaming	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\S9key = 81a9204374726c2b533d46462046462046462038452046462046460081a8204374726c2b443d464620464620464620384420464620464600456e7465723d46462046462046462033352046462046460000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\DisableFunctions = "2"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\VJE\S7key = 81ab3d38302031422046462046462046462031420081aa3d383020314320464620464620464620314300506167655570204374726c2b453d38302031452046462046462046462031450050616765446f776e20204374726c2b583d383020314420464620464620464620314400486f6d65204374726c2b413d383020333820464620464620464620333800456e64204374726c2b463d38302033392046462046462046462033390053504143453d38302031422046462046462046462031420053686966742b53504143453d38302031432046462046462046462031430095cf8ab73d38302031422046462046462046462031420053686966742b95cf8ab7204374726c2b5a3d383020314320464620464620464620314300456e7465723d3830203134204646204646204646203134005441423d46462038412046462046462046462046460000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoAlphaStr = 31002c0068007400740070003a00000031002c00660069006c0065003a00000031002c006600740070003a00000031002c006d00610069006c0074006f003a00000031002c006e006500770073003a000000220031002c002f002f007700770077002e002200000031002c007700770077002e00000032002c00770069006e0064006f007700730000000000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\L_BRACE = "67371776"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\VJE\S1key = 53504143453d46462038312046462046462046462038310000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\EnableDocFeed = "1"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\Window\PltSmall\ButtonRect = 00000000000000001600000016000000	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\MS-IME2000\S7key = 81ab204374726c2b583d38302031422046462046462046462031420081aa204374726c2b453d3830203143204646204646204646203143005061676555703d38302031452046462046462046462031450050616765446f776e3d383020314420464620464620464620314400486f6d653d383020333820464620464620464620333800456e643d38302033392046462046462046462033390053504143453d38302031422046462046462046462031420053686966742b53504143453d38302031432046462046462046462031430095cf8ab73d38302031422046462046462046462031420053686966742b95cf8ab73d383020314320464620464620464620314300456e7465723d3830203134204646204646204646203134005441423d46462038412046462046462046462046460000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\ATOK\DisableFunctions = "3"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\WX\S9key = 81a9204374726c2b533d46462046462046462038452046462046460081a8204374726c2b443d464620464620464620384420464620464600456e7465723d46462046462046462033352046462046460000	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\EnableKnlThread = "1"	AnyDesk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth\DOT = "134742272"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IME\15.0\IMEJP\StyleList\NATURAL\S8key = 53504143453d383720464620464620464620464620464600834a835e834a83693d43342046462046462046462046462046460053686966742b834a835e834a83693d43342046462046462046462046462046460082d082e782aa82c83d433320464620464620464620464620464600897090943d43372046462046462046462046462046460046363d43332046462046462046462046462046460046373d43342046462046462046462046462046460046383d43352046462046462046462046462046460046393d4336204646204646204646204646204646004631303d43372046462046462046462046462046460000	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
168	AnyDesk.exe
168	AnyDesk.exe
168	AnyDesk.exe
168	AnyDesk.exe
168	AnyDesk.exe
168	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	168	AnyDesk.exe
Token: 33	4200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4200	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3084	AnyDesk.exe
3084	AnyDesk.exe
3084	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3084	AnyDesk.exe
3084	AnyDesk.exe
3084	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 168	3404	AnyDesk.exe	28
PID 3404 wrote to memory of 168	3404	AnyDesk.exe	28
PID 3404 wrote to memory of 168	3404	AnyDesk.exe	28
PID 3404 wrote to memory of 3084	3404	AnyDesk.exe	27
PID 3404 wrote to memory of 3084	3404	AnyDesk.exe	27
PID 3404 wrote to memory of 3084	3404	AnyDesk.exe	27

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:168
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
1⤵
PID:3448

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:4264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:580

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2096
- C:\Windows\system32\taskkill.exe
  taskkill /f /im 5s2gxp.exe
  2⤵
  - Kills process with taskkill
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
645d62b2662821c7c7806c62568b8c9f

SHA1
c56d0da7aaf448cec17a883dac95bd6d71c84bc6

SHA256
53001843178c6e4daa55ac7a10420e342ae1bb33f7b650219483c9d3b8f569e8

SHA512
4816a7235cd3aef89be0c36b6b5a40e2158d4bcc68cc610f577876df13b492fdf5dd4d8559b0cbc7d59aa236e217254eaa934aa05bfcda06e37a41235ca70271

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0bb7be27c644f75492fb69ec4c2d2a8d

SHA1
0d01ee546e36c67840c0379f84a1f9fddbf05487

SHA256
7905d569282df2857f8383f61f7b1b827ec773570eb1a82b466d37e59ef78347

SHA512
f50104949ed5adc07a06560d16fda148dca0a55dc27b1ab9a0f1a47880be97a49f8358de956d2727881b4cc1185fd41ed97ab9a65a571b05ba5e34e74278816d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
da7436e6e3f5311a6d04d1c252a8ebb9

SHA1
c228d1ef07c6788b4d73abd6764374311efd2a61

SHA256
44192ca7a8c3e0a7e50899596b500b49b441a18c858ba3f5e76b5aa7378a4375

SHA512
265697670ad12a5f53df9ce52ecb0adc168454468946b993819cd0e028fcce09c7da4248af8f8a2bb9b72143ff773f17b1e5cb5c1e1a8f523e054902beb4e2fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
34af9713412f70a72757f04ee739348c

SHA1
e59a52d47473fc29cc2941710bb83d60008e7ab8

SHA256
77f00bc63e807bcd58297f832f34eb613e2c5af8791e10032a456c90ca3d2ce9

SHA512
dba45526d571adfa015bb61f53ccc2c2ebb378e4d60a5bec2a3d6b947416272e75d382d53c44025d63fbb3f48bd8db8392a4727bb854bfdfbb5461805b89874d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1b86dd6480f584cd4f7c18abf5d5fd67

SHA1
a930bf1439140ea1e258fac4f2325d4f32b104f4

SHA256
44772ad3d7f9aa685fd6d900d7234fc1a67d77048d2ff656bab0fa4f7a3c17a6

SHA512
5aeba1e4f3d439213e6bac8899cee17cb162b3cfd13d5999063588b8076843c0467b9990c07ed3e42be598ddf595ab4afb90b99c26d7cbc787c87da816fa8ac9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
6446e900bc8e20ee7d1d408005b606f6

SHA1
9493bf477ed7a55a29ef49dd4e35e7ee10db4008

SHA256
65f6f7ec788624d4d04049668ae705b214394e4ba18df10ed5680b8b8fe73e65

SHA512
f97f57ced7c0a6dc63c32fcdf498f6fa2155117525d167c7515509d391eff2ab68f869fd27c6ccb8c555bf8d29aa9b85a04b371b4463db1cb08e592adcdb26e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
21872d903ad4f793ec08762a744ca4d3

SHA1
15c760ac95089d0aae80ccea54b59dd5ab8f1bf5

SHA256
82ad4e198c67f3e853a0438e62edc71637aa4b84e9af7c3ca11b2fbbf96731cf

SHA512
0d1ab88c0c86c83ccd8a14e4793a011f254a15f75659995f335ac1f8d4b224ba294ad18ddac298340c99ac134aa0df86dd24af69329d2f3a0a62aee742e3dd2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8ca4820d8875dc8ea5677b2e4dc1f606

SHA1
021d3be420d636b99d6987929dce25a30d39d135

SHA256
9d3dcc790b5a536c62dc3ca4e14ce95235787fb5c17fef45da02d243542b8074

SHA512
57d525a032b5fc33477aea41ccaff7f4e870d21cd02b6c2bd3b61c26307592a1a48161adf7c334d208d1b269e0d41ba2241dc4104bd9fdc332cc5c0fb0fae3a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3a068a5a8e13774b095859d2e809f9c2

SHA1
9e2e140df645ded6241e923dcd74b62ca83c993b

SHA256
39bcdc2eb73a627decb1a6de940f920897a326b3555fa00fa789f40fffc2b191

SHA512
a7c89dac1ce75d436da50eddbff2bcef4f8f139e9fff9d9525cb8ad30b784ab572edfcdf9922882cc8b09a4aab9599229c12dfe185665f118159fba80737b4ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
406ee87d859d51ce263f18c8cbcad897

SHA1
b3fdcaf5a5bdd019bf7bc4fa3f33c08a055b6c6d

SHA256
11122cc26c74e630fdce46df1769235ec13b7d88f47d151ba2e854b8bd7e1f08

SHA512
ef7f2afd5c6c52e81a95e7b272c0bfd92542c9c06d86ae06c36a95d114b692d97be1cebb9c5534350b11dfc7c9b358cdbc8622c8d1217f29d596297410a5a0f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3a6a71d8cc372f007d63333feb7e7a36

SHA1
615cd7c965e2f8b50f81c40e475c4362798dc128

SHA256
bab68d3433f436c901b1efa1308c94bc4384ce176206bf23845c35cc1ab5bd04

SHA512
792483fc18e1c8ba222ecf70f48709d98a4024771293bd3b0b1ffb5dbd0d15b17fd8fdf0055bf21a9a6136f093062861055ba38c3368cc0e321e2d1c907e1d8a

Download Submit
memory/168-32-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/168-201-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/168-267-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/168-14-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/168-332-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/168-339-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/168-359-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-258-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/2132-239-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2132-817-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2132-391-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2132-366-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2132-365-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2132-358-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-341-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-227-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-232-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2132-248-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/2132-261-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/2132-266-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/2132-338-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-264-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/2132-321-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/2132-320-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/2132-319-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/2132-317-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/2132-329-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/2132-265-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/2132-263-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/2132-262-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/2132-260-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/2132-259-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/2132-240-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/2132-249-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/2132-247-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/2132-246-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/2132-245-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/2132-243-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/2132-244-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/2132-242-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2132-241-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3084-202-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3084-340-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3084-268-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3084-30-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/3084-360-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3084-12-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3404-4-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3404-150-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/3404-27-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/3404-31-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3404-0-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3404-1-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3404-200-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3404-330-0x00000000012F0000-0x0000000002AC0000-memory.dmp

Filesize
23.8MB

Download
memory/3404-89-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/3404-90-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3448-428-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-436-0x00007FFA671F0000-0x00007FFA6729E000-memory.dmp

Filesize
696KB

Download
memory/3448-425-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-438-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-441-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-444-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-446-0x00007FFA288E0000-0x00007FFA288F0000-memory.dmp

Filesize
64KB

Download
memory/3448-445-0x00007FFA671F0000-0x00007FFA6729E000-memory.dmp

Filesize
696KB

Download
memory/3448-442-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-440-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-439-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-431-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-427-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-423-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-422-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-588-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-591-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-683-0x00007FFA671F0000-0x00007FFA6729E000-memory.dmp

Filesize
696KB

Download
memory/3448-684-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download
memory/3448-682-0x00007FFA671F0000-0x00007FFA6729E000-memory.dmp

Filesize
696KB

Download
memory/3448-685-0x00007FFA288E0000-0x00007FFA288F0000-memory.dmp

Filesize
64KB

Download
memory/3448-421-0x00007FFA68850000-0x00007FFA68A2B000-memory.dmp

Filesize
1.9MB

Download