fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
300s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3552	AnyDesk.exe
3564	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe
3552	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 3564	1512	AnyDesk.exe	82
PID 1512 wrote to memory of 3564	1512	AnyDesk.exe	82
PID 1512 wrote to memory of 3564	1512	AnyDesk.exe	82
PID 1512 wrote to memory of 3552	1512	AnyDesk.exe	83
PID 1512 wrote to memory of 3552	1512	AnyDesk.exe	83
PID 1512 wrote to memory of 3552	1512	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3564
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
f9878a7518dd43f3c3c43c1e0cd071bf

SHA1
fcc751aac4a25633aa03668ed27afa2513807b21

SHA256
1402a7a5ccf9ff725afe2f06ed3abe8e9a84da7284e5753e09f07bae7ddfd924

SHA512
4dcae0eddf3c628782b43b0e163aa118322053286d349a08dd4ecaf295777168e869c76e3b5d985437d7b9f995df357bbcbf35ae1e18f9eb5c1d18cb3118046a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
45e17f87f1514f5e04a09ff7967cb8f1

SHA1
0022d0d09cd149bd48196bcbaf72d3364375da52

SHA256
fb8c2450109c5509f0066a4822d66d63f8c68eaa9f876dd0be266baead83d29b

SHA512
56c690a5b2d5024bca905a3ab4c58a3cade55dcb3d000f3afc8b207597206dfdb649c092666d15d4cbfd5f8b49aa558d6d6892f467fcf83ee79b55148a77a6bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
42bf0104ae4301ee41dd123eae5fab75

SHA1
753001dd3ab16a7e5357d9481271d343999a8c2c

SHA256
5db7a40e807e52ddef67cf1fc2a79fbbf92c083bbb0fe18646321dbcedec680b

SHA512
ebf7031073e96223574eb54f7bb7029a6add44bc003ea68650ec3b6edf58f1c8afc2687d8a9d8ad6312e4ebc0fe17cf0fcc7f2ca9cf68d5b77399b3e17033473

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9d2633a12e2017a7bde071f54ed48a68

SHA1
aa45b34061dd59ce8efe63da841999815ef50d9d

SHA256
65052547294132c09e416f2c3ce193263d08c09e0daa9447cd89e42f8ad9921b

SHA512
b9eb56ac9552637a3bc4e557639284fe0209f51a8b896f1671683781f515d42dec7eb88fe77fe921fac9ad84fc2b2ef1a65ce406bec19f29da1a4cfdb397899e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
83de5c06ec852e74b8e4b401549bb14d

SHA1
9990adce93533022602de51b9c7470f67ef4fd3d

SHA256
f8e9972bb59520a25ec19ac317c6fe9307b49ac7fb14789aec55eacae1f533de

SHA512
518d9d38f9182b5d1394078bcc595d7bf587018576e040962b0f9532a8314a4766eee522080612b70e67136be161fc90a0242b155074669fe7a3170f163b40fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
16a4c78874bb356fd441ba055037959a

SHA1
813e9c267cce614041c8f51e9c04eba7d99d5a35

SHA256
53ed04c25e920bc9ea62651f961c9317f9bc6ab42ddee3bdeeb94c307c2168d3

SHA512
2fbb8a5543423d50108ed24295a241f10ebd1701ee1011779e6f224b31adf98a8ae679454a39c60c858a1340131dbcbd4729ed58e7a89dd6053a8a8fbc845410

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
caecc5d2e4f376a6857ff5b277b528a0

SHA1
af591207d6ee937bc0d4b7fc58a157834460a9bd

SHA256
2e39791e370097f4f403aca5642d59777eedf918f3eb2a85a426c42af7c34c1e

SHA512
77fc6286eccd4ea899963d4d196f5ec5f5e23c788e64166db5935fd9a016b68a087a74a9496b79dcf694ecbcc51836fb8a4644095e111d259679a62183986c75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
876921e0654cfe778ced285756e76ea3

SHA1
7984ee0746fbecfd8df5839711707089dd42f581

SHA256
522986f4972f08b4a8483183011420dfc719b6d9a9a74c7f0a223612320341d6

SHA512
ea222548546cc99613ce8beb66543b6c9356700dbc53b4f9ad84c72d443d5370bfaffc4ef7275f8abdeaa0c8a3de65ebabf8170ec64b3d472dc448624033a603

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
706ef88b06fad9ac7478fb58322c3d28

SHA1
20fad8ce43788c2e8ae1962890eb90a906dee7be

SHA256
418dcc124d1ff51914771874d5149350f14e3f25780a59d09a751be6c147b4c6

SHA512
57b99884df1c2dd85ab0f04cfd4d2a5a24a21a5416f841d5ef2f4db3d2803d10b7b23e876fa0499f47f8f3666bcfdc8b4b286b1238d9070f930c85dbea94a6c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
157b4d572463de25d504976fa14ae19e

SHA1
29423901dc5db013d8010cfba0742fe419470ac7

SHA256
c7a968a002cb9d322fea2cbe71d7c7221865e8960e29b51d857d702c5f0d20c5

SHA512
9760583f6758f452570da4045c65e5460e5bfddc71938e79cdce9e54bbb6beac45ec32fc4d73ebad02a4e55609f9948a0aeffc031910a0d228b695a93ee98d66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4ba197dd5f6297d2f1fdb6cbcb08f40a

SHA1
dc74b4ecf34da037f2bb3a2c75b968cf277271f1

SHA256
46be8dc8ca8bb39526e99721b3d69c5e000e481033bb44d83f6b7248a34edd1c

SHA512
669af8464ec346763ebb90a98441dc1d23e6b585ad798a9d83d443a6649caa09c6e1163ff575969518ab139a3189196394e9499cfa8ce3e332213aa0febc1914

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bda8815874bb859fd161847aa77b1eab

SHA1
4fa51229e7f8ef19c074d48ec58cc827e0f3944f

SHA256
e9d2aedafa146996e282bbe89ec5ee3b391ec2882374a00cc47f38abafc246f4

SHA512
78e299e60acc9aa515bd935243642b2ba292616d81d12a9900e713be546ecdf164c36bd7363e1f2d3c0e3d95ffa1d6d2ea2b8d04cd252ea32552ef11ad248494

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
11034492335b9f5ec36df9aa7f645096

SHA1
a33b13a86ce7aedc083fcfdc916288619c1df85f

SHA256
aebd936877ab07aaa69613a3357fd5b0324a3ba149c10bdbb770560b343d2e9b

SHA512
ee6a2b07adcfd5c7e746abca43af280c76cf439e8161b2bbc5223bc0820e4308a031eed34a41ad0217e54b407ce5f870df9fc1a37f08515eee8161e3da8bbf61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c0dee4ddabc691569afadbe42054bbaf

SHA1
f1dd76f7e53ab574bb157b6a992b736ea6158977

SHA256
20514353ec40c8b118a3c76c50f1a88912c68190633f67d7b5ca662e86856d2b

SHA512
0dd855206f6561a7a1bf9a720d3e052ad99a096c1ceda72e4e3d5f58cb1d4ffb345b58ffb9443fa498be2180216ef9f2367c7c359eed299c1c8e88b01c1a7419

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
08241aa22f94e5f6da0edbf40925f7f0

SHA1
80efe52b8b85ece11d875dbc9d21e98b155e6430

SHA256
f257370d959826f242839a36c9bade076f797ff8a5b9ea5e224f5e63cae6f3fd

SHA512
2dab0b6ddae9c73c1465c06fc1d7b33f7e560234df178122b9a46b16f6b1c2b52cd2391100ed907f1c4c877e42c7f45d199bf68d57675b0a5e85808e95e557e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
db9b029c72796da7ff4698791111b2f2

SHA1
f0a8490733572cba23f352c7cdd650a271d434f9

SHA256
1fc20733acc56dc266b30e80749669afe2c3e00317c54a95f042929476c683c9

SHA512
5f0f3fdcdfbc95034dd2313a991ba45bb285eebe4db89456ab865b4f9abec3946fe33c48ec062407f91ebd186c7fb3fd96eac5414561d83310a31652ddedd95c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
51d6eb2d3b9fddeab4730c0e53931c27

SHA1
03670e00829e0a413f30bc644ad323ec35f767fd

SHA256
940af8741086ce4254b61255e725ca7e9f79d9711aa985b6d1aabab8b7bfb8d8

SHA512
ba28cb64160ade3436fa58d5465963e807270deaa1a426a1507563da8b804d2a7e601bd5d32cbf6f333f6b5093770e669f0212a4aa153465a604fe31abe71eea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bafcd5187a8cd11d0c1982db818029da

SHA1
766a0eec513fac3526c26f7bbe46e8c2ed3222cd

SHA256
21806d7b045848d0a852a4d94f91c919c3faa95b9872184344faf89915fff3ea

SHA512
b9ad169e59c675764ae53b1aa0f6bb658ee7bedde2b4dda8005203f24c7b6d6b25d4c48e6a211f85e333f58532e18c5aa909eea1c7353579580cc756b1b548ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8c8d362df295ba5cb70040696101de47

SHA1
008ccb6b7f753a072e0ae5dc7e37cad01cde0dd6

SHA256
d2d14882e2bbe1df1d67b9f07a556911b03d40dd85a5b07b67e06c037580817a

SHA512
e4681a4ab16ee750f76bbc44b87308ee72ff7663045c8010719b0166b2ff40510a87e1b8b91aa1f15dda64ca80369a4c05041f6710b8a56e7f4dd2250d0cc7ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
887f3a3bb0b0b258cdd978a6cb386bb5

SHA1
a18c72466dbef251f645a1dbd42df463adea40e5

SHA256
80586ad65f217aecc5d8de709a8b53e37ab794be2fe186dc245d229c5b00fd48

SHA512
b6ee2ef045770f940ffce18c6bc779dc10465225fe99eac8d623b725734bc748437b75682dbd395a8c0cf72c04d3812b7fc9126633f6ef3d8d7a6dbd4cb267f5

Download Submit
memory/1512-216-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/1512-1-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/1512-5-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/1512-0-0x0000000000104000-0x0000000001206000-memory.dmp

Filesize
17.0MB

Download
memory/1512-217-0x0000000000104000-0x0000000001206000-memory.dmp

Filesize
17.0MB

Download
memory/3552-10-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/3552-12-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/3552-219-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/3564-43-0x00000000052C0000-0x00000000052DB000-memory.dmp

Filesize
108KB

Download
memory/3564-13-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download
memory/3564-39-0x00000000052C0000-0x00000000052DB000-memory.dmp

Filesize
108KB

Download
memory/3564-42-0x00000000052C0000-0x00000000052DB000-memory.dmp

Filesize
108KB

Download
memory/3564-218-0x0000000000100000-0x0000000001742000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads