55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1802s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20231215-de
resource tags

arch:x64arch:x86image:win10v2004-20231215-delocale:de-deos:windows10-2004-x64systemwindows
submitted
05-02-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3216	AnyDesk.exe
3216	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 3216	244	AnyDesk.exe	83
PID 244 wrote to memory of 3216	244	AnyDesk.exe	83
PID 244 wrote to memory of 3216	244	AnyDesk.exe	83
PID 244 wrote to memory of 4076	244	AnyDesk.exe	84
PID 244 wrote to memory of 4076	244	AnyDesk.exe	84
PID 244 wrote to memory of 4076	244	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
526084429f0b111b254fe7db6eb14d1c

SHA1
b423b3389e3c8910b26f08a0df409cbd694093be

SHA256
b82c87d6bcaef1d80024af143389b09479ad69e537bf85c76fc2e3ae85faf381

SHA512
3440670f88b14f332f7f164b34d439348bb6d4e6627e1545503beab8f780d147dd3b30ccd9df314b2c78407fdb5bb91e6c61723c2c95d34a4b43d8a9848c6a2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
82fb22dc1610a509baa9b92d13af2468

SHA1
aabef77df53fc708a18f26118286c834b12f3121

SHA256
f0c171aa8a44a2be69988386cf2bc81d068bb81a4b09221ba12044897517b815

SHA512
eb96498a76bf749c063bd9a357d9d784f42cd1253d3e9e8ff71bcf2c503c4eb6bc503efc93675e42d117b86c7ad32c14c73bbc54eed34904f03928b7c89e338b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
84eddf2b76ae87661409d3b00cb45af7

SHA1
46b99207faf703a6394465b46f59301a58e0eb01

SHA256
6e82da79b4b85de16be9206c73c2c82cf8c40ba8f575fcdcde8830ad067d2c85

SHA512
02546f050ab3504a3603bb29357efdfa2b5fa784fdb1d3cbd9a7f1cd2f06e43bfde8036d4b6de421f524f5161b54fd24fd6b0c3eed20e28f43489b6176337259

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
d6ee027e8c43dae6a2704879395a148c

SHA1
ababc19d4875f6507d12c9154dffc720bac7717c

SHA256
11c5f4f38adae64b727f285ec07760427507c4a0562ae05898459b93933f93cd

SHA512
6f1770253d09ddd33e349118368ba73ad11311c73de6fb115989feef6d4dd36050014dadcddb9ec72f752c0d32ad4064924f191de2d41e145584203181e7dcb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
221d12ff5eca83d3637adb7e04868f6b

SHA1
83a7c757586bcf0a9c094bd35c850c607dd44908

SHA256
45c423f6abc34f778b79e848e83d39c0986735efa14cfe37fec9cb3449af2f85

SHA512
621e675d6d798955725bb4d65cddfdcec2414ea385ebdde6253c7e6ec3033db7d4f316a9a1a73d37048ece1b047567439109187c5437d48e6987981acc5a0b4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
e37de47f589b1b01d3fd25c464a4bf70

SHA1
b9c9547cd91a44561c4dc0cb5e56acf9866de356

SHA256
03dda6a3a48cb359f0470b72fddd6bd71d0078b8fcd75eae5a9ff0cb1dd27edb

SHA512
7290d15f11c4bec5250e893bc6065da60d1740768abc3cb6240033c7a79efdd9c9c99482f1a2a5c53ba24779ea54aee16f856c0090ffd07bdab4e21245fc499b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
2KB

MD5
fb9cd99213ee4f659747c0cd708d7b15

SHA1
f21141246e4cb7e9dfe68d28c1a7f7b77ef15e01

SHA256
479940a215c93e77388dc6feedcd9c2539f9411fa71d8b4d376f15e8cf46bd66

SHA512
d86b501f61b24e99c28927bc123b586b5537df86a1a326b4900efa301d9992bd3d67e152dc44c5022a9fca566d5af55b72b84b112ab39f9c3b1a018abc6d285a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
29b4690eda560360e7d3389e8e0f4227

SHA1
143a6fe9861277b0b4403f8e72784d7ef911a623

SHA256
c4a436459190a5ce12e06bf6b6b46248eb7ed30e24fa6eb9a4371e394318b33a

SHA512
a09d0fa1cf27c1988a6f3ba1e53474d2e663b34735a0b6fe677e881f31a841999e8b11c17cc19dc26059386aa21e33b6e2a0371b52feae6c4a4abb63e0548738

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5291f7acf9856eb9f855a88582c25cbb

SHA1
7eedf627f13de25e0ffb1b75529fb6f096a667c8

SHA256
c7abc2642752414ea67a803a8440084abbf689322223661c323fef1f7b6d8b8c

SHA512
28223175142767e0a3092304b7f177930bd77989c91c086414ae7f3aaac3755bf9d6373dc3a3c878c30eed52e37b9c9f77ccc8b2882897d7fc201a220eb46e92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
076123266cb8ed8e6a4cc7d16986644f

SHA1
2d36c12b3b48119f9694635f0b5b8faa7489b13a

SHA256
3f80d609e84f3bcc826a6b3cfbdcdc6a1ae8d5c6902ea1fc587d6277da3621d8

SHA512
fc1bd89aa81bdd0ddfa85bf162f8da160bbf8ad327f5150848e59c5bc1ce1717ba27891dda21d11ee8ae2b3abf375e3b317ad84ac72847354dae847bb4cc15ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
80aaae4ed6791779417f827737922520

SHA1
a1cca3eae772b5a94fd3b0c4cb93b18d78c9dd87

SHA256
d1d4ab67d553fc039b060bb35b83e9d288264b5120b1cd6349a186146dfeabcd

SHA512
36e75c8d800b4791f7b5949d46681c90152af34c288afec7ff078fa1f493882e51b5f4a696b7398c71959a2403e1b9f074d5eec83fee07a573e255f8316e9ee7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bcf227840b5b550a71e563490dd47ea4

SHA1
7506af13e101c39d10dc7aa6256cc4872427c8db

SHA256
935bbb433ea34f8d54f30b0a09e8f86164a58308b5c0aaca9c8259309482c531

SHA512
7285dee20741d71551ad6935ccdc0eed351d81d35e80cd31ac24f58db76ac5105a354b8a9c665babf8b5aae83581582e3a2b060ddd1f22e99072de08fcac5780

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
86e47bae8ec409b0c48c26e01a1d2682

SHA1
53833ab83d705b443ed0c555e7d64b3748dff85d

SHA256
2d3108562be33fb2a07c459334f2c69a5eb6c539b93298cb4bb47ce011876d52

SHA512
a8ede48a2d333c8b44a2bb9d800e62ff2ad28a6062afa2e010fa78b7b5b7ad97918bef921f33486d5941e1582f4599ab0001af2baa5bd3a084f9174cb889fa79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
69a9151dbafa2b2d35ab1e86b44eb6c4

SHA1
4255f2ca62673bd697a5b02251f55243e45e97a2

SHA256
55c454d71a57a5ce0f29e21321fae264c8561f1288ebd1cc09560f47a74ab6b0

SHA512
88f49add3e68324652a8c80cefa8378d17476ca61fccbfd26efd2fd69e131a888f402e41fb57bfdc011317df56244b8aa539ea9953f6e96dfc2b0b8566d2c8dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
68880419d0488295d94f15e120592678

SHA1
4c34bf9cee11e9298fb35ee31a85ed100d18d1c7

SHA256
25d1be52bc92cb20a8b768cb450244e10102169b7fdf44e046562ca8ab711c78

SHA512
21f71cdb4b4edae43a84978cc655d42eaa68f9036d745429d2e04d347192abe9456ab8909b35e6072ed3f59563452ceb669a5d25b0dc6535a33de0f73a3d4b84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ae12f27c4997661068933737b6318850

SHA1
b3a28ad6260a63998df423033b74588642be0ead

SHA256
8619361f933c1e73ebd62f0902ad8175510db8e44ad350c927df7be746b2ae5d

SHA512
6efc19669eafe8a9c511cfabc836078dab4732565392d487b96ffb7b4750d1ebc8b0a11422799bbd464f6060f9a09127c75a5ac62118f882913680190c5621ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cea11ea210cf2d8ccb3ad077058ff773

SHA1
592a43cfee2f07d58d003e7bd00b3b595815bebf

SHA256
819848baec2f34b771df5e10017a646b6d8ed240f78b494a2dda9bf7168dc5da

SHA512
5caff142facca30b2751e87b47050086f63b9644a33d04874802b9a4ab5a81736e924ca05223b15d2446e372f28c68ab9a5d39cf6d8828bc6e0f631e17ad28db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1f5beb4470939524c8cdbe2089b7e616

SHA1
8ed2e738efb8e38119fe33fbb59257bed324a5f0

SHA256
db52d7055179696d4c6c1db0f9b8a1cfe921733492f1a379f0e5f01333367793

SHA512
783bd6f21dfb5e4303aa866f6cbb1c420675b8d34e4352c18574474de6afe69443e5f0dad7e53f09f7014cca63fe576bb8728949fc10539c67a0d7cba3c5e91d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d19461dc548f231faf17c09a62647a87

SHA1
5460513cc070d2daf7954ab820f40556230e4a0e

SHA256
11049f3605aac17c603cf98c71f771080357919d89468fa0403655fe45556355

SHA512
097ebef3082a52d3d3c4faad1dc653fa8d8fe1c1265a23955761461d42ecdc811a8f03f71f95377b8b0b267eafce77669e6e637179363ad8f1136e0142efdb9f

Download Submit
memory/244-296-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/244-304-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/244-112-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/244-111-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-357-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-1-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-32-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/244-23-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/244-348-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-271-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-272-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/244-3-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-343-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/244-342-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/244-278-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-279-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/244-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/244-290-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/244-298-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/244-297-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/244-0-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-295-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/244-299-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/244-300-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/244-301-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/244-294-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/244-302-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/244-293-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/244-292-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/244-291-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/244-303-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/244-131-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/244-305-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-306-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/244-312-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/244-313-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/244-314-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/244-315-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/244-316-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/244-317-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/244-318-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/244-319-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/244-320-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/244-321-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/244-322-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/244-323-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/244-324-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/244-326-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/244-325-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/244-327-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/244-328-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/244-332-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/244-331-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/244-333-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/244-334-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/244-335-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/3216-276-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/3216-15-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/3216-34-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/4076-277-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/4076-13-0x0000000000760000-0x0000000001E97000-memory.dmp

Filesize
23.2MB

Download
memory/4076-33-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download