Overview

overview

5

Static

static

1

AnyDesk.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk.exe

  • Size

    5.3MB

  • MD5

    0a269c555e15783351e02629502bf141

  • SHA1

    8fefa361e9b5bce4af0090093f51bcd02892b25d

  • SHA256

    fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

  • SHA512

    b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

  • SSDEEP

    98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score
5/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1796
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4988
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4984
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2948

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gcapi.dll
      Filesize

      385KB

      MD5

      1ce7d5a1566c8c449d0f6772a8c27900

      SHA1

      60854185f6338e1bfc7497fd41aa44c5c00d8f85

      SHA256

      73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

      SHA512

      7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
      Filesize

      5KB

      MD5

      d8b275c3c918a9eacc7eea6f0852f031

      SHA1

      3bc8773058d1027a8ca6243b34732ff5be8a14bb

      SHA256

      7c04f406539bf6f5ca16e511abed53c8f7233e4105749d73e13308b92e593561

      SHA512

      a5d86a8f3846109a077ec62ed09b2ac0f33c70567541692ba708d7425aaa9ceac1d899be4f9301b9746213e990f1fcb979d6d3f8d5c37e843e2c96d4954c53dd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
      Filesize

      2KB

      MD5

      125dd8fbd20fc4170a55155a6a41d296

      SHA1

      7ace0883c4d97e81096f710c7029c407ab1fae2e

      SHA256

      9cfe178b34f7c6043148086063a53f38669b320e3aacb585fed0df374a91b2e9

      SHA512

      42a789ed9ab9a0c60fe9ceeef0ddcccee6e28a360a3d094357e7cab0b7df8834700244cacbdffb6896142aae27fb6a2dc61645fe87c20dff817413fa1ca962a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
      Filesize

      2KB

      MD5

      7f5355c3d835ab3226c768ab14ca6b32

      SHA1

      f60d80caefc23f6af6cc88a01ec2e8a51f5e4d7a

      SHA256

      32cf1c407aec6a23e18b122fbb6b6280f9e501c5e628c832e8d821ceac5b9fbf

      SHA512

      daf87d49c62c4059ae9f6e55009182d1cca06e917299d6f4998b9e95ae0b00b40e7b20a759221dafaf58b9c6470be522b59ed9c3e2996543893514f4aca90a03

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      744B

      MD5

      19a3e7dc99fd028f4e65a651a10f0834

      SHA1

      42ae77f258aada64b291dc9e6d4200319999bf23

      SHA256

      0035da1478f875641250aacdd29846cde2f9cc6b23f2762bfbfc5c4cb8c0b356

      SHA512

      0a6686c158813a3b2703a6139aec1fd19bf480ef9abbd43eaa8392b91043f62bff45b30b3e41a47e29d8414f0fd79d9a2088390d264ce6847855fd070679a18a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      765B

      MD5

      9be14064b82ce6256eb3fcd441bb16f3

      SHA1

      1dcfd91aa7a7754f5bda5a89207f54da2008a5ac

      SHA256

      8d8360541f062131f673228c2d086573beb015b4fc1f139e781a30b91294c00d

      SHA512

      c5f69e379ed2e2f2bcb302ca7cefdb177f455056cc54e4f787863a4e3999ff9fa2640552e0937aa7d11a9e0ae0d18cdb147a05045b75a4cd8b1e03e0801047d6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      773B

      MD5

      7d10a2748f6b684ee86e02c31dfe61fc

      SHA1

      060d160babaeae1485a35383bd4ba7f11db17958

      SHA256

      a492bf02fe4946820f3ce78f9974263b367be5190a1473d0a821a33b2df1dfe8

      SHA512

      22fefb6e507c902d8a3980e4c56be05122313bab368412af8ea59ce8447283d006364962268800a926557c4614a8ca62534788d06a11c47e879ccb9ca46de5e8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      830B

      MD5

      05f61e048ff4475bff6a13a5d9b94056

      SHA1

      c94ba9962611427ffe64959cfa13f11ffc7537f5

      SHA256

      ff9b7ac521ceb62e048868da251fcc99635b61b9625a471f204c0a631ab3f7ff

      SHA512

      d4b1bfb416bf144ae3b879a83ea17bde00890b5be4af0d1a3b687a8b8fee45dd453ec8fe5a8b233f2916ac13cd4456c4c2c6b81877c86f623e5ce8a2b074c8fd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      312B

      MD5

      0c04ad1083dc5c7c45e3ee2cd344ae38

      SHA1

      f1cf190f8ca93000e56d49732e9e827e2554c46f

      SHA256

      6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

      SHA512

      6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      468B

      MD5

      28f8da8333d91dc29407d0bcf46eba3b

      SHA1

      d69de6b2cef13252e4a1c862bad0564d9c4be7d7

      SHA256

      d82af5e612f0017cc1fd0fa7d39618a45ec8bd8eab6e0b0ca32c49fefc7327c4

      SHA512

      8c53ea482e2ae5a85ecd82c830554c43e1de9f8fe8a681c6b84bd82b245db51be1c2ccb79f8218d2d73328e841bb99d370f0743a16e0d33274b837c73f7a87aa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
      Filesize

      468B

      MD5

      7d12af05e0fd44a574062494cb6b6648

      SHA1

      cfe90c02ed6d5eb28bbb193235998d0e4d726f0d

      SHA256

      84695338a0d9cbfb8702fe6974075e47e5179b298989a69f406aa5af3be606eb

      SHA512

      d4629b1313d53d3d45b09ef7d5e93eb66a5aa9a1db6766734006e944dc65ac836ac6a2fff610ace3e20319beccbd4681a3d493fb7237b0cea097dee5c9e75e46

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      2KB

      MD5

      13d25735adb2ae4f7086d343097fe929

      SHA1

      a3150b5f225bd6e1a0b3fccc8809b9e794c40b94

      SHA256

      9044553664cff2aab4f7dc7ee0dbcd4fed8dc2d86b5f4d7d17f47ce9654e4b0d

      SHA512

      dbd65295baa33338d5b8b9aef4aae058704c460f786075327d8e9836760dbdf96ed4b85f9d80668632f7f66f32c148b6f664d674817b619ce4c3b765d577a209

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      2KB

      MD5

      472a29db9f59966b12e6a7e41dea11e5

      SHA1

      7e71c06b62df63f996e3640ecbec347fece6d8b3

      SHA256

      53e1b23a1c0614096fe89def2c6a51ebef4b2f31a1455da9a8ce6cb0a0606801

      SHA512

      89ed01867d357b9f27b34b99051b20ef7da2ad466eb59d0f672b373def57dc3886fb3a5e223ea6dca045401ef0449681b8f58e4eb785e67bb989ffc5204c59a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      2KB

      MD5

      432959aecb1ad08d18218f3c367ec21f

      SHA1

      7abe4dcf3d0d523ad3762c7dd1c53dbd1afef9fa

      SHA256

      4ae6e7cb0909fed4ee3190162301dff38bc5fdfed7b823634bdb93c096cd7572

      SHA512

      3c5cf76d92f36b1981342452aa17860df08330797484e0e95fb56ae446d5dbaf434b18b449597fef2b80fc7ed4ffded166ddadc274697dfcea6df4f9a41c13e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      2KB

      MD5

      e28e281d3666fc9b73b2df14e50cb2ce

      SHA1

      4dac64c020f9d58fd097044baf106e2a6b1dae22

      SHA256

      ad250a144038f0281601ff2fae52ac8460c63b0a40985b0bc656ba80d7c81eaa

      SHA512

      ee60f2d5430c39a79b06f24acb6f909dff4bc20dd7441a90acd192194820c174374b42778e2976ed0409a1810311c878f8da6bc3d0f6c6695465df8c6097ae40

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      6KB

      MD5

      527b54d6e29d4709f123f4028caa10fc

      SHA1

      f8f7d6c4c8be94720312fdf000b87b13d0cc4dff

      SHA256

      8d01aff8a6341dbed541509488c22865ebb4cc2ceb189d2da36fd1ed652315a6

      SHA512

      0f6cb347d976b4c34cc88b8178065f9cbf8aa4060fbe64bfbac5b59a3f969ddadef71ce0f353289c77be391c3e2e844844a9382ba864751650f4bf231cee30f3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      1KB

      MD5

      0f9f590ae7ea07f140078e6e5ba0fd12

      SHA1

      00549c47fb4e91de5d8f8078d3a4752b8d54f1aa

      SHA256

      ccd8e732e41b69487df935314e3bb23226c790b50aed7c71cbf2100efa635a36

      SHA512

      f460a30c5c613b41d1372bf6768dcbdf7a05ba927fb8647a86c10084fdef4c6788ea7cee29c224699f1b027a252ad60179351ac2e1efbd2802764171c0c6a450

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      6KB

      MD5

      250a0c55d040019cc35b717bc26af996

      SHA1

      e91d46a552055bbe30ae472f3353bfe8244a1178

      SHA256

      2de2c8510dd0681e9df1e19310fc878926d896360ec363130c19c075e53af716

      SHA512

      0e09e3419612c6f6ebb879568bc8b5374fa895e5fe62d85dc1f3a3d5b48bfbb5331650ba57a91eeebadf0f9e907923e5da32d8fd3aa3a5038da252eacb3b9f81

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      1KB

      MD5

      40e71c25ed7bc92f5331b5a3f9d4b972

      SHA1

      468f5baa03b81ff1048a4ed979e21d7a52979eae

      SHA256

      043d428c771188d3d0f8e281f0cf9f17588cc9509fa015d7f7a542839f77fe4a

      SHA512

      7dcdbfc175f31a6d400f054748db138d375cb9546460bf688f3e686f27bf0d2a66f08948c13c23d1c9f7957d5ef7c064ed70867680e1caff13e4533e6c3b56d8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      1KB

      MD5

      370142f910c5a5968133c8b48f486788

      SHA1

      977ff14bd7678de8f7cf7cb1fe041d2ed8498be3

      SHA256

      8aad6c2888cf12572abbb2add71aa606b0e5af522484b6bc68a778c90a31e7ce

      SHA512

      bab76e59c8b2ad17247752024c85de74ae7a989fb467ddf060a85d135f3e8309763df8f48a2e8657e77d81b5a8ffa36620cebf532360628fa9fb12503b850515

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
      Filesize

      1KB

      MD5

      b0313f22be034462fcd8a998f4f2abe8

      SHA1

      75e7003ad8581f614c0d74b55525f2e7c62339e9

      SHA256

      8915e5c752a06b8f52fcb706ee22015f97c07bd233ebae7234bf89b3f7f22e76

      SHA512

      c49eca42f921030cacf36547f9ba5f3f5d4b5956ad5f3fe9fc2df740823b67eab9d5abcfc52033325e4d5764f9efa37ac3a032a60db20703f42e9b9929125e52

      Download Submit

    • memory/1120-226-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-0-0x0000000000414000-0x0000000001516000-memory.dmp

      Filesize

      17.0MB

      Download

    • memory/1120-266-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-1-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-241-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-238-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-235-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-5-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1120-225-0x0000000000414000-0x0000000001516000-memory.dmp

      Filesize

      17.0MB

      Download

    • memory/1796-10-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1796-227-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1796-41-0x00000000055A0000-0x00000000055BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1796-42-0x00000000055A0000-0x00000000055BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1796-14-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/1796-38-0x00000000055A0000-0x00000000055BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/4984-255-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-244-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-243-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-245-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-254-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-253-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-252-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-251-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-250-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-249-0x000001905B460000-0x000001905B461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4988-11-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download

    • memory/4988-228-0x0000000000410000-0x0000000001A52000-memory.dmp

      Filesize

      22.3MB

      Download