fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
507s
max time network
549s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 16:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation = "191"	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	AnyDesk.exe
2944	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe

Modifies Control Panel 52 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iTimePrefix = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sTime = ":"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sLongDate = "d MMMM yyyy"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iNegCurr = "8"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sMonThousandSep = "\u00a0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sPositiveSign	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\AddHijriDateTemp = "AddHijriDate+2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iFirstDayOfWeek = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\LocaleName = "pl-PL"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iTLZero = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\NumShape = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\AddHijriDateTemp = "AddHijriDate-2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\AddHijriDateTemp = "AddHijriDate+1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sShortDate = "yyyy-MM-dd"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sDate = "-"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iCurrency = "3"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sDecimal = ","	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sList = ";"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iLZero = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sMonGrouping = "3;0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sCountry = "Poland"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\AddHijriDateTemp = "AddHijriDate"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iCalendarType = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sTimeFormat = "HH:mm:ss"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iDate = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iCurrDigits = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iCountry = "48"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\AddHijriDateTemp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iTime = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iDigits = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iFirstWeekOfYear = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iPaperSize = "9"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sShortTime = "hh:mm tt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sYearMonth = "MMMM yyyy"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sCurrency = "zł"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sThousand = "\u00a0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iNegNumber = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sNativeDigits = "0123456789"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\iMeasure = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sGrouping = "3;0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sNegativeSign = "-"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sShortTime = "HH:mm"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Locale = "00000415"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sMonDecimalSep = ","	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\sLanguage = "PLK"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Input Method\Hot Keys\00000104	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\PreferredUILanguagesPending = 650073002d004500530000000000	rundll32.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000200ecb0cb657db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0d0cf0cb657db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0d0cf0cb657db01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000806fcd0cb657db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0d0cf0cb657db01	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e0d0cf0cb657db01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 01000000000000004032d20cb657db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2948	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2944	AnyDesk.exe
1676	lpksetup.exe
1676	lpksetup.exe
1676	lpksetup.exe
1676	lpksetup.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2112	rundll32.exe
2708	rundll32.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	AnyDesk.exe
Token: 33	2800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2800	AUDIODG.EXE
Token: 33	2800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2800	AUDIODG.EXE
Token: 34	1636	rundll32.exe
Token: 34	1636	rundll32.exe
Token: SeSystemtimePrivilege	1636	rundll32.exe
Token: SeDebugPrivilege	1676	lpksetup.exe
Token: SeShutdownPrivilege	1844	rundll32.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeBackupPrivilege	3060	winlogon.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeTcbPrivilege	3060	winlogon.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeBackupPrivilege	3060	winlogon.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeBackupPrivilege	3060	winlogon.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeBackupPrivilege	3060	winlogon.exe
Token: SeSecurityPrivilege	3060	winlogon.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeShutdownPrivilege	2448	LogonUI.exe
Token: SeShutdownPrivilege	3060	winlogon.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2660	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2112	rundll32.exe
2948	AnyDesk.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe
2948	AnyDesk.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2144	AnyDesk.exe
2144	AnyDesk.exe
1776	mspaint.exe
1776	mspaint.exe
1776	mspaint.exe
1776	mspaint.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2944	2660	AnyDesk.exe	29
PID 2660 wrote to memory of 2944	2660	AnyDesk.exe	29
PID 2660 wrote to memory of 2944	2660	AnyDesk.exe	29
PID 2660 wrote to memory of 2944	2660	AnyDesk.exe	29
PID 2660 wrote to memory of 2948	2660	AnyDesk.exe	30
PID 2660 wrote to memory of 2948	2660	AnyDesk.exe	30
PID 2660 wrote to memory of 2948	2660	AnyDesk.exe	30
PID 2660 wrote to memory of 2948	2660	AnyDesk.exe	30
PID 2492 wrote to memory of 1636	2492	control.exe	44
PID 2492 wrote to memory of 1636	2492	control.exe	44
PID 2492 wrote to memory of 1636	2492	control.exe	44
PID 1636 wrote to memory of 1712	1636	rundll32.exe	45
PID 1636 wrote to memory of 1712	1636	rundll32.exe	45
PID 1636 wrote to memory of 1712	1636	rundll32.exe	45
PID 1712 wrote to memory of 1932	1712	control.exe	46
PID 1712 wrote to memory of 1932	1712	control.exe	46
PID 1712 wrote to memory of 1932	1712	control.exe	46
PID 2708 wrote to memory of 2804	2708	rundll32.exe	49
PID 2708 wrote to memory of 2804	2708	rundll32.exe	49
PID 2708 wrote to memory of 2804	2708	rundll32.exe	49
PID 2708 wrote to memory of 2508	2708	rundll32.exe	50
PID 2708 wrote to memory of 2508	2708	rundll32.exe	50
PID 2708 wrote to memory of 2508	2708	rundll32.exe	50
PID 1676 wrote to memory of 2780	1676	lpksetup.exe	52
PID 1676 wrote to memory of 2780	1676	lpksetup.exe	52
PID 1676 wrote to memory of 2780	1676	lpksetup.exe	52
PID 2708 wrote to memory of 2112	2708	rundll32.exe	53
PID 2708 wrote to memory of 2112	2708	rundll32.exe	53
PID 2708 wrote to memory of 2112	2708	rundll32.exe	53
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 3060 wrote to memory of 2448	3060	winlogon.exe	60
PID 3060 wrote to memory of 2448	3060	winlogon.exe	60
PID 3060 wrote to memory of 2448	3060	winlogon.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60
PID 596 wrote to memory of 2448	596	csrss.exe	60

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2568

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2392

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",,/p:"date"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\intl.cpl",,/p:"date"
      4⤵
      Checks computer location settings
      Modifies Control Panel
      PID:1932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3056

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
1⤵
- Checks computer location settings
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\mctadmin.exe
  C:\Windows\system32\mctadmin.exe
  2⤵
  PID:2804
- C:\Windows\system32\lpksetup.exe
  "C:\Windows\system32\lpksetup.exe"
  2⤵
  PID:2508
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
  2⤵
  - Modifies Control Panel
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2112

C:\Windows\system32\lpksetup.exe
"C:\Windows\system32\lpksetup.exe" -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\lpksetup.exe
  C:\Windows\system32\lpksetup.exe /t
  2⤵
  PID:2780

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl,,/p:"keyboard"
1⤵
- Checks computer location settings
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1304

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1765a4f5da8bed97ed52b6ccd38dfee4

SHA1
d25f54752ec5b6b2698760909438b59383b644aa

SHA256
364cc307ca0bb25a9b0b3bca08e59374206023f882861281d421b4458820b3c8

SHA512
aba69effd95a5b4f435d5c1f5d4b4b793a04305d5212c876b55674ec3f8270984934ac734cec11746917f7cb7e0fe8d035e2afd1e61e793358b1a7278529b181

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
43KB

MD5
c39abdf7a5d33f74eadf47d8bb56e694

SHA1
adfe5d92f81e7664980b4abbb2bbdacd2f516e28

SHA256
9a40597105ac74a2acb2e5761eef2f45fc499cac37d2f4e25bc96aa32e136b07

SHA512
f8e59bf12403a533a62efbb5bfc365f13b34141674b2a966be34c8a60d031a51c35e2f09e44a92b3a2685cacd93579b9c0e00e3bb51384e2266895e9f95d498d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d35c2cec775814c6356debfc4c99e6db

SHA1
47e6effda544d5b59b50c97e19b3aeb905d1b642

SHA256
831183439ab4d540cd5f3785fd6d6da57c1602ce1d76da9a079b36057483f558

SHA512
c289a8f06ca01cf75d878d40580617f54f6fd015846212298ed65629f6409b6acc381b3ebef4c85dcfff13d1d8945ae0f70d4a8c6eb9a8eef299417f0b121cbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
76a7c7d56108b2122fa81eb7c7e9d6b4

SHA1
887bd1187420efb6b9e2ba049926fe1b67fc8691

SHA256
408aa5a03440ecace0b9904209fd14807ac474503b2192a65515e525b16006f0

SHA512
5b8fe4271c7ecf4a9c2b79b28d9630e07c2f768cf0f3ca422e60a40c746d96ad52383d1fd4274fcff1a4d79bcee3ae45e5f55b4a44800fbcb4de904ae62b6d05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
bc6e18059b3cab46c0f9a418bcfd3557

SHA1
64605cd61fc8a0f844da2e4079fc72e9b576a4da

SHA256
42eb25082f105f8dfd6ec1f962593608a37ce2db091187b894feacae31a014f6

SHA512
121ba48ae655f96ff6b655bb55ca2492b12508ee0c457a029851afa4ce068c1938450b857647853fc11877c0b05e6621d83b5e338de29ba363d20084c78d8374

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
754B

MD5
421cdf774e810434578b86cf42ca41e0

SHA1
4b4f4a268f7c4173f34dc489942575862ce2b59f

SHA256
f32ba8fdd839cb2abfcd5357d5678f871db1a832272851e86c1ba0360950676e

SHA512
d1f807cef231cbf424f125510794e3eba1e206a376960ae1207ffb5e2e7dc915c4dcf15c9eed8e2ede6fca8c43c54113baab717aa6d18a8ce6d7a0b9f0e9f053

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
d1d659685f669a316b69f60f5ecb38ef

SHA1
a8b5ca2ef7cbf0eeee45edff6299ab89f45f806a

SHA256
16b4b8c2434f52ef108aba465e4cd7f6f56428ff6c7495fa43d85d2fdb04985c

SHA512
fb9e0f23be333eca4dd0a32b04c3b53148423f05c6282b93dc844b2f7c9ea7f26e39de930a8557471766cc7155da27d478a3c1ac34003a3e5e73741265434bb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e8f92e10407276764f50b4c498550b1f

SHA1
898e26f13a8c9fe7776e3f6a12b1ac4a375cafae

SHA256
21027fee5878551f46cf83bcdb3b243149d37f098067390231abd9f245421c46

SHA512
1c42fe17b83658e50bddf689a69a0647956a122761c1bd4ec66db3b076357e200b15743dca65bca1638f98c6860127550a6eef9be205e6d6741dc9eaa7edca9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
727554f39cc52965796fcae1c6ca4490

SHA1
81874dc6af755dd0c72042964b0651f8b1b6bf8d

SHA256
646570f6ddb2a219734ff11061332577bb31f2aa5633a8fa153b7addf09c9e54

SHA512
40a44c27e3c9955c1b71e25776dae1aa195e0bced5664498b2b2ce336f6b0b12fb7493a2a62cf2290147664c389907a777b70fcee2d330eedbd06987573919ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
86817217c0f819a693911736b1260f27

SHA1
52780e8bcf4c6938cea88a12b48f15e099a21479

SHA256
cccbb1f6813174421e69a9ede365a84526c7ae8b5e41c8801e0ff5c1941e9162

SHA512
d6e87315cf6b0584c79ac3464ef0ea2e115d767f5c92a12ca45b39c58661514b6216c5e3700419d3660821497318cddbdf67f7eff01b9e9f5e7c360894cb7684

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
72bb93b46d833ba05d3d9e6bd5a182a5

SHA1
dc0f1644ba6434b1cf07c64c77e6775740ec2dd1

SHA256
a4d0aad13cc46066e5b9cd33a5527b264989073c6b8925f94674b2221fec2867

SHA512
d30fb44c08323fcb54318cf136ec520956785d2754b96be4593c19f2b5c249df37fea1e965d5d7c931d274406025f0d555c112ba077531697e4ddf7643d35f9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
077407a5898e0f38ba9459fc9a73a83f

SHA1
33a2de0514be2280ff92bee986550fb42e508541

SHA256
fc29b13c2ab45295f570372d2d603fdf236c5d27aee7fdb634217d70853e15ac

SHA512
fcfe0ad6945c9fb6a97d6f03af48d3761aeac28068bed4a49c89d7c40e5419f32143b4c14891e9bad697a2ced81e8b2afd4362efd0b3236ee67324327c991098

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
7f8a918e553e82f64cc925353c4f9703

SHA1
df0f8210a8b2302a9e506b8babde96ff37aa9a31

SHA256
93585b1fe80cf824b1e03de12b916c5cc6f7f8fe44f80c950a3a59fc83c86190

SHA512
5c65669c3dc3c4d1a9b47c37242a98b0a902c22fe6a530ac5c34022da77dff5a7dc0ce679fb3a6cafc75c568bda50cccd827ae8c644b249d1f5ad9dadf0068d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
512f03a96f2c5a03d97d4a493a9d80c0

SHA1
ab9ad2429f3012d4d3c64fb46aa4ddc6a5d7e4b9

SHA256
b2c8f26ed22f88892e831e18314c25bb2930e6cb0eb900a319e1809776d63aed

SHA512
5451d2853646eae9d32231e85a33b4435f4ee724e3f1fc5d8f4d6fa4644529b1eac3bd5755d6a9d9d7914618390b5581a8bb43f79f5d2462ede5eab29b431f19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c7cc0a5384c82a69c08186c4f01b5fb7

SHA1
a0874ee7712975457e88e0c7c2dab054faa6bad2

SHA256
dd16cebc25724db7be50348fc7db0d7456b3c0e0e0c6000428dd1eabc74bfc65

SHA512
228f6b7424484dc2338cf165009e301800ebbc13f017f38424ec10b556df060e73f0d22930c9a79b38030b2e57c6651525899d167be8daf1de2d9bb5e9ff73f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
de1f4cdabc52245e8a2247cbfb904264

SHA1
2fb8537ade3d59f706722e268348519d60ef6566

SHA256
4fdbad3b1baf255bd6bdb4155f23ddc8b4a7b68ce1b1aed18242233fd323b108

SHA512
415c3057cec59000fb287491c9b62dc3aec4a8a4683070f3b1c35a6bf3b1ed6d06d46825e7123d0abcac4e35dee287f46fd0f2fa1f322a8dded26f23c20420df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2b082ed9946f4ac3b408863e092ab55a

SHA1
0b1330c6f3b1251c14829e804d2e2ddbfc483842

SHA256
e1846cb90e30a3c333428accae293c8a5981ba6a90c50a51e3a28a5cd3d09d39

SHA512
3aab673fa402fbe68d1b1a58e18978fea931763d036a7a021bc9c00bc9ae57688621c8bc02afc4138ddf18d5db506c31dba4ef249b969ac165500aaebd0b2b64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a4d5730775cf94a9ec1163854359859d

SHA1
6e9d1671c43a31b3a5d3f568de76f3cd04f9be74

SHA256
6e976503198a7e71062b6c50556c4ff63a1ef4fba9acffd9a6e3ac9de0fa1e6e

SHA512
8260d821a7a43b660bd4fe579a13f216118758e7d25baec53aa6f95b4101fef407cfdc1c42294be2302bcc9783f19cbb165c329f1ca74c85bac14b5b2ad6bbca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
39a229dd3314efb6e9362971732440b1

SHA1
9341c2b4ae9aa179540f1e8f4c4d1c5cbb947de8

SHA256
aacd0b734d22c36f27e6d8b58dad0b2ff97281915eee6d62c4cf0cd280c68285

SHA512
44d91cbfc567e43ef5c1733a98e0baf5388bf9f73581c08be5d250054ba75918ca5cd5b6eabd1d60dac980a299ccd71ea015d0c3c897ff6751c21fb1e5f97ecc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84bd97954298f005838783bb7440bc76

SHA1
7e35e1944a2dd64c1bea6c9888aa0421dc8e0257

SHA256
75ba49bbc085687e00a6bd5a78e1300327a3a18358617f7c6a9845fabb59ad97

SHA512
630d3c5036b20029c91bcaa2e07e2d64665afdcb8a42cd0fb6bde817d234630858f7f3203b189e0df256feed37ea1b6ccde733d830b4a4ede6093313f5ac5bce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d1e850f5d1726590c1d3f7b45ce72430

SHA1
d00ff2d008b2bd6f05091a3bc3e435a9306e0f94

SHA256
945c0914da3a8af84c4fca2399d0362d91cb8a91d90a19ba479b475cdb2f4b66

SHA512
9cac115d6755e61fe232c52e82ef6dc824cc0939fdb6073e2c96f858977d4f7866a837ca4fb4a1745c29a6fb0073a6b8d0a98d50040676eed80c61ae4fe8d368

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg

Filesize
116KB

MD5
7c25b3dd1b943584cd785555c7d4b3e0

SHA1
26270b879165e53696e4e12fadd48df49bc40cd1

SHA256
4978bbdabdfc0bdea0b560ff5da2aa66264a9639698bbf9d0d5f84faa8f86e85

SHA512
347f4e466473bd04d5989f995bd5f1ef5b6e5247afc01a0278df57ad0922cd039580e3b47976583b4b187e3370fdc4c2d10c69c8c39ce514a6e47ab15b5915cd

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/1776-450-0x000007FEF6810000-0x000007FEF685C000-memory.dmp

Filesize
304KB

Download
memory/1776-460-0x000007FEF6810000-0x000007FEF685C000-memory.dmp

Filesize
304KB

Download
memory/1776-373-0x000007FEF6810000-0x000007FEF685C000-memory.dmp

Filesize
304KB

Download
memory/2144-357-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2144-364-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2144-368-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2144-353-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2144-300-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-4-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-2-0x00000000001B4000-0x00000000012B6000-memory.dmp

Filesize
17.0MB

Download
memory/2660-262-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-257-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-350-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-57-0x00000000001B4000-0x00000000012B6000-memory.dmp

Filesize
17.0MB

Download
memory/2660-546-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-0-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-34-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2660-547-0x00000000001B4000-0x00000000012B6000-memory.dmp

Filesize
17.0MB

Download
memory/2944-255-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2944-362-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2944-351-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2944-10-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2944-297-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2944-263-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2948-363-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2948-376-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2948-17-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2948-264-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download
memory/2948-256-0x00000000001B0000-0x00000000017F2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads