fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2025, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe

Loads dropped DLL 2 IoCs

pid	Process
4312	AnyDesk (1).exe
4504	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4080	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe
4312	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4504	4080	AnyDesk (1).exe	82
PID 4080 wrote to memory of 4504	4080	AnyDesk (1).exe	82
PID 4080 wrote to memory of 4504	4080	AnyDesk (1).exe	82
PID 4080 wrote to memory of 4312	4080	AnyDesk (1).exe	83
PID 4080 wrote to memory of 4312	4080	AnyDesk (1).exe	83
PID 4080 wrote to memory of 4312	4080	AnyDesk (1).exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
3c8f8d9aaf1b4741fdfc87a1b2010433

SHA1
5eb384a499f95f05422ece805beb55b22bf97147

SHA256
252ae1339b4a3be9d897404db5f200298072e16adb101968f03f60219579e2de

SHA512
521dce4d1652c26b8c533bd851dbd4a28fba744f0b58d361ea9e6942bccf0724442015fd63cd97b041cc8f91d16dcb9b0383662b7af36d456b97db8eb5029e72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
610e430219ea837997059d33537912d0

SHA1
e258338e1d2ad514c3eaa1d247b7f91e1d9bfe43

SHA256
6c09f0e1c2071a001ac2f737e160c4758886121b6a08663809fd965bfcc00e91

SHA512
ca0542c7185551068ecf5ef4564257bacb157f0733d926a15d927bb7319a7eaeb64490316833a481bd7a422741f898a0927806ba6387f51cf612ffad3c626be2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fce37391fdb2a01c18dff4368de8933f

SHA1
146cafb66666351734a72d16bd51a41cdd46514e

SHA256
6fe82e5ddccd02ae7d818d9808c0ae9420ec6f1085866ccc7c919dd781d3505b

SHA512
409b3fb33086a2ae63b7dbdda1f129c170f35c8a2995c836de9911738733ee1c87fd5d8d2dcfb3fc772713d5a37376c083631344d8d026c962b38a494c9e22b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
e7b1650e33a5fa138a90bb722547ce6d

SHA1
66aae7615538551a1b761d9936e01cefb2d3e22a

SHA256
29bff2069292095aaaa0dbb14827000156a8af38c368809721343a592604be69

SHA512
4424f60502474a660f585e7e2552803b83f4bfb2a56efacd3b5174bc3257aa6def5dd41ca566508957958dbd25922b31bb9071f7d866f78a6ac018f777aa9038

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
3e3abbd490265b0820c6a419b75aaffe

SHA1
f591a418977a3bc2f9c9e4a08da1b02ef91d9f07

SHA256
ea68744c91d154f7050231fc0e4e0634a088bfb5caac114e99397bbba09a28f5

SHA512
077af65a07e7726857c664a501b2c9dd0c82a202601b419e2ae8b9c7b0d63a42b6eaa7878fed3f8e867a44401b4b510936fd51cdad0b23a30c8bef32d382b444

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
3f7eae44de9bfa45f3f0ebfb0428554a

SHA1
a595c19e36aa1c20a2fbea8916fd1b0c220ecb69

SHA256
7ee729e9c64d792937b3fc3775104fbbeb39c68f5a5d3e43250174e606512e08

SHA512
b215d1ae7d18dea50522ab687b1638d567d2b6d728e87acd841b0b80608db170c046b184f0c3426f97eebb2f69e10ec96d22f0ec09fce715071fd3740353ea87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
c33a2d3b90dc77de776743687beced27

SHA1
9f9603be5a31dcd9013941b6c12df5a1f35d3910

SHA256
7a337daca12e0c0dd3968e40f5dc7b827df115d0d497f58bbc2e7ada07155e52

SHA512
b2328b08da02454ea964648f7a95f653e419f1b2f4172256d33c6fa86012f98cfa7242cab9fa62a5c1330483db311696195aa45afa1d5a1e4cd3ecac5e406586

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
dd26c1feb3e151636ff8e6cc068923a5

SHA1
d79f92546767e2b70bdbc9533296819b1cb08a32

SHA256
77f8ed7354fbf659572af611c64c2325674733f71faaeebd9241e20f20f2cba3

SHA512
c6b4e70960e62784582c56674af26c74787177bbea09990e751ca17feca1e37c6d941804d5d3142d0cba701c0af33b435af3a954a2d6450a84e8243b0ffa89da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
518f5b9249ea929323b0f5620050719f

SHA1
afd81238727f2571e6120c8db03fdaa45b16ffeb

SHA256
44447cb8b93b6f268a012fc0e2d01d1ec690c6687d7b0a17a05f3a4680697d56

SHA512
749a48fc37e8ae73340c818e5369bde79061a8e8fd46f0e038000443c06082422c10aac51b18e3608c2bc831efabd5476503d825ee27dd3302e9a87f0a293b51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e56fe861cb0cfa58722fa3bba7b74f66

SHA1
69e5147303d8e29e86bc12547d61f562126ae4f8

SHA256
61dd763125c1fbbe214864b933d3ba1d9e26281ed1cd1715fdbde0cdec04dfc3

SHA512
ecf30c12a124906b8a00574f97e9bcde754a611db288aab9aee6a6b4e759f1d10bfeabe15276dde5d934d923926b1931173a8665f463817a3c72ef5da9ea7f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b4a3d12a84eff11dd3fcda8caaccf362

SHA1
947d6778ccd2219cdea207b4d6d7019832c7a056

SHA256
0be286844792426b14927b31cfeb23efdcac273a41f432a856a6a1752fdeea77

SHA512
064fc044083d4df10727b26528d95895089d8fb36d0fa8d7750cb4c62ef80d53bfcaec51adc718358cc07aa0fd346df673987add67a80fef8ae652d53b3e7b70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
43f51c52e99804c02293b098231b86cb

SHA1
21cbca3643f6465e51fd67fa067cd5dc5062e11b

SHA256
94be1d3558f27056e406de2145adc0afdf5ad37f38911b377e1c29ed13f07272

SHA512
45866619fbf2b9437ea83f9135f51aace30ae536952d03908c13f03243ba783ca8edfeb38e69c59e156deb5f9e6185d7aac215cd06261c5ef426b3095e08c017

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
61e5ad7542d25f009efbe21f26a59520

SHA1
f50690529bb37e790b1a585fd4dcae7fe9857710

SHA256
9fc10d4950d294a16840bc9120dad5f8809622a23a7b72f4bf7b0ca6c8f75a3e

SHA512
c6b4be7b30ad0872920b09909d2bad6ae71b4c71ad6e4fe807822bdf2ad0b2a7ddda5c9958683987161cb30dd0a65e8a980bcf6beea694455da389b5f9c9ee75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
db88d8c9142756cee4ecc9d2bac2363d

SHA1
dbb9fc709b4e2fbee7e0b5e6321427f4e1c067e2

SHA256
36e0e312dc69004a589e9e9363930bdf1992304a4527184065c0a1c7b8e841c2

SHA512
ccbabe93bc0c5203efd66323e5ae9734683325e63d3bbe810767f20287b0e74f5b7149a6d48b058244de4539d69a3b70ffe601d7b379aecb36c233603574707d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1542bb52c097b3f914bc94255f320b18

SHA1
dbbec798ee8f46fea00b330dc6eb3beb22b3375c

SHA256
3be660ef34cba88485a84a1535cf6e9b24c52192405373579153cabb70fa5cc6

SHA512
0fff44579d86175b51910303f2f8945c1097aed6613691c2debeb95d4743832c5af38baf8f6750394730532a178cc58ee2039f441a590f36b8bb113a23cd549b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a8e5e66c832bae726f6df5f21490c35e

SHA1
5384d7a8664e2ec09f2b395b00cbdeb34215ea7a

SHA256
ba7c8a6c9eec7909166f7ae138f0e2e37c72b33c6fd16ec4b4f69ad755ca485f

SHA512
b43cc48c5fd85f576e12ed8a14a70038c5744db3a49619ad6eb762293d7a780f164ba12b1743f3040a1e5479fe0b4896dd3d5f5805e6fe39af90ad7a3d778484

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
754f290c97e52c4569805183468e644e

SHA1
d43fe99a1884854f387374fd7d13ea339b646e44

SHA256
aaa387d54150b94dddefe4cffc56f6a49dd1dfae0289ee3deccefb701cf91c1b

SHA512
ba3c0b9af4322aa2a97f49b419438699ece20be2a954892d5ef38205dbd29885d14c4a213b66c910f2ae1509f13aca01eb05280eed293278c187e3b144d0065a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f6b8b5289a2ac3afc46ed0f2d9b29671

SHA1
a74fdbff97567c436f8f51f14c6f18aca76dba00

SHA256
fe33166d504de230d3c1c41cb6c9c150087620a3701379ccb1bddbaec175c528

SHA512
d7185c30f30220de2d99852fd617f27a80364a0556fb8294b8903852e463cc89343adb577bf0b595a116910486a2c1e5f10bfff67ea323f74545492a146a6ecb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c043969390d88159bb3cd1f3175848c1

SHA1
8b9bd5b93e8a23d8dfd6987e25f7985aa7be4c3b

SHA256
4ec8e662660571ef122a308c19d6d241b4119df867850d2f15fa7c7137b59e8e

SHA512
ffe7424c81cf1b84cfc195d89c83b3d84d3794880806aefc03b44d5c7e89d036b1793be9528099432e08cb4ac232a8ae7bc7cd785823e86301122138969b15bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
182c4420a5ae3f2a359489d7cf2e7a51

SHA1
c5ff7c9f228a337bd0e851aca5de91ed3d36e257

SHA256
620d47ebee21fa5f03e3e816fd78de50e4385f8c2d1ea64e9dd35b4c6a835800

SHA512
b8656e6db4b60dc929b8d2aa15c1340f787b39836765d7e094d05ac365f030b039d4c730181aeb51a23b7db86486882a59ba488cf7b5f490d3edeb2bbc1dfc5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e12783524c2ab1e0a6e2e0391d622ac0

SHA1
4aab94b7f4b627ec8e131aae8591b33cd68563f4

SHA256
b269013a3c8632d95ec7bcc8f81f58c822dae61fc36f2f19e9eb3230f00ffc40

SHA512
4323fcdadd5f6de357cabee51da2a04188b42b8f3e25264e0e1e3922f49d59846d6c9364fa847ed1dc8dec8f161a73ceb3123d7e40e1fcdfc270b3daa2dad016

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
65e0ec42aad3b29d344c86d70b0c5ca7

SHA1
6f45fcb08841e74cb04a74c2aca05648e2b5859c

SHA256
f468089452920c8f3b3db71bd6f9b6d86dde0ddedbd008739125a9b110d459a2

SHA512
cc6b9b2823475acd53886124b2ac3a20180b20199cddb3403c350e7ed4f3d113c67a3b6db971f5d970dbb4b1bb244b6d44f82604f3aebf7dd13691992d1649ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7d6beeeba664c88f62433cd1199b8cf

SHA1
ff39b184445f83bdb108774882e41d46117f594e

SHA256
fe9d51ad3bb100249763792241a017a9c3cd18e4a595611f42a0d100771fa509

SHA512
7d25164e3a1eae79cf86e1915fea528ba5f5220a51bafcaa5555025167b48da007fcf34827aeb2796536bcb67442557ee982a1d3bdb46e9d062d33c09d203ec5

Download Submit
memory/4080-198-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4080-197-0x0000000000AF4000-0x0000000001BF6000-memory.dmp

Filesize
17.0MB

Download
memory/4080-0-0x0000000000AF4000-0x0000000001BF6000-memory.dmp

Filesize
17.0MB

Download
memory/4080-306-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4080-2-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4080-5-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4312-12-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4312-308-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4312-200-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4504-41-0x0000000005BD0000-0x0000000005BEB000-memory.dmp

Filesize
108KB

Download
memory/4504-11-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4504-14-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4504-42-0x0000000005BD0000-0x0000000005BEB000-memory.dmp

Filesize
108KB

Download
memory/4504-199-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4504-307-0x0000000000AF0000-0x0000000002132000-memory.dmp

Filesize
22.3MB

Download
memory/4504-38-0x0000000005BD0000-0x0000000005BEB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads