1abd13caa0ce729854040c8048a90fab150e7d71315932d788bf722c2ea9511e

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3164	AnyDesk.exe
4472	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe
3164	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4472	4992	AnyDesk.exe	86
PID 4992 wrote to memory of 4472	4992	AnyDesk.exe	86
PID 4992 wrote to memory of 4472	4992	AnyDesk.exe	86
PID 4992 wrote to memory of 3164	4992	AnyDesk.exe	87
PID 4992 wrote to memory of 3164	4992	AnyDesk.exe	87
PID 4992 wrote to memory of 3164	4992	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
6777911ec207f098a4242517c9eb0610

SHA1
2261e6b261b1d4993a2c72f3ff015c2c9230fd20

SHA256
6790d3e8c0518a9b968563d926c4e868c6dd548bdc88382e6aa1766a092b8b18

SHA512
50cab86385b59e7e3f0a7957e8ef1675c53106d23d837c3b420e1aa5ce2166ad27137eb232d975a1dc059963530d0ab64c6502d6066fe2e0281ffb29fd309307

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
866aae20fa99b3d3c00247e8218f8ada

SHA1
b11d108d73bfb7cc00a7edb2fd3f033f27b25fff

SHA256
1c3eb2c2d5eb50c1e0b9f215f9611668596ea2350a4d854cca9fe642ffdee066

SHA512
5353082981ee61abe43f8cf9357e815b5f918d399b5213da0574d29bb2cf35de7feeb29c7dc5536cc68ffa6323bc2b934debf1287c7702a53ba477c700b284de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dca1683b9574d3e413951016d967a561

SHA1
5cbc31da49b875b92491612e0d681c42ff95f98c

SHA256
f16ec5e58229bc287ba71b7c20c1a9aabe4d0756abd80939733dcb98a00859c9

SHA512
c67775711e0ded96aae98f809eafe9c93d0f606961d05b40c8ac5972daa92ff9570c314941dee6fb923d3f7899b1af2b32d35b2cf24a31eb867dff7019d1f880

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b1a75d1af1a828fec7af3f4f8dc9a08c

SHA1
cf4879d75ac89d661b9da6e5ef629af8baabf512

SHA256
f345364c3539b3477d03e46425537f7254da5e90f5e42a96afce61bca9020423

SHA512
8eccfba66570483f480dbcebc9df76eca3a7d49cc7c7c8139418a5f95a3b34827e36e507dbb0ced1ec13815c092cb19a90d592e2f803c24665aa661d78fff929

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
696B

MD5
e87128ecff12face4e59303ebba10ec6

SHA1
feec4605b6348b7f16a30d62af285f3f5ad9bcee

SHA256
3a84c9c8f72f2184fcae7c1578bb540dd4d387d13cfd4678cfb20dd28075b3e5

SHA512
06ccddb7c59863e1857d06d1374b0c85b03e30c5754da395ee440230b5dffcfdb858a407eef629708c65de2b639b011fde43b2b82106a90820d2ca419265b5bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
704B

MD5
182f01c2603b386c0755498bb9312c21

SHA1
c79c12cf7a016d005560bf072bc676b0cc773773

SHA256
362fecd2dc8d54bfbd9abff9af6eef03d89f39c8286a038425a0ccbe44e3c216

SHA512
60959a18d81637af78d0aadc28ac66829503a1a13b9c5f98e375fc1330a2a742a13e75148e5d354a215b974c3f0630e34365feae10f86a396699a8bdfb82819d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
761B

MD5
b3802fad0dd17219d922d6176232d7d0

SHA1
938dd0f66d0d3d6450a9f62a4de9c6f31eda2995

SHA256
0ae2b4acb0454053b5a341d8dda14902297e3793043d6a103dac5eedc280e353

SHA512
40a3b434b29f0a6d9c465753c6e3ffa8ffaceaa86d1779e98a9d4654ec973e3b4bcc62fa39445d8cb3ef73b51e1ba697c448003dee7c6e09e0f8e056d3f198a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
830B

MD5
2bc3e95f0d295791718d010cf3d6cc0d

SHA1
deb26111633f7dff3722487ea967acd3809d5fc0

SHA256
e2586bd0afe7d7536ca3005122081fd3a65774ae20beaa2409952bdd5804c5f3

SHA512
e016cff01791629eaa2b3523461f2ac35154d50b407d109c6500af99ca57be701f19244ceab392fe1e67bef00b0aaf38a3e9fb36d1d12dacc95df4540f6e363d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ac356b102f229796df71c504c8e81439

SHA1
2e7d77ad6b163412602d59b1784f69db8792478a

SHA256
7d32d5512afc54ce5c039d0887037c578861a5ed36601180f9efb36478398c14

SHA512
e915858d026b79b7236388121cd56f01ea446ddbb503ed58412fb7bedebcbdc5bb1591c783d8b3014dac59a65e2e46283f2f298494349a6e7033391b260c7f7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c900730a216e2081fb4c9b5981710e82

SHA1
0c47d79aebe3ebe6f91664daf7885677c4d151b1

SHA256
1ed5ed342372278f0792d97e9b2dcf2168c36301f1bc031077f23366064f67f8

SHA512
edace76f9c39b6c47d09ba2cde8aa3f2d12f85e60a3ff29d70c38a69d7b9927425557013b4cfd09db496fda666fdab3db4b96e083db05293bdf7f8c1127ca9c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
bf88d09dbc10bcb931f8242b76522d03

SHA1
a9551d3c6af9a1d8bb0d5306ed7edb06d433c87c

SHA256
4db6299ebc3c7b35ba2ee09428023617798aa1c36a0579e3b2dac35c40b08c2a

SHA512
3968888ebda92e898886e08bc7b6094e2bc5963d1315be52a10abe9b8ddcee8c07a2e663ecd28408fd896567e10395ae28b0ff5d739b22559f1b6f32142bf5ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f7a7bcea711154f96ba40129c848b829

SHA1
821d852872118af409faeafac559cc3c2f661a4c

SHA256
240189d07b1b6de6f13b546598735e2ca042fe239b8fbf8950e4b04aef1e1170

SHA512
dc17207d771514e70035d783b2d4bd0b2de45d8a1a9f06b142b2be4211cddd9fdf6b8459f885e25eeb6d564b6b2eae23ee81ab687a1ea2f708490b455ad9d375

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3da6a5e67346a63a9c21e9cdbda53ebc

SHA1
eaf49f28f5cb9584b8e3b7c66bb53a9c0d00fa65

SHA256
0baed03453dfd8f43481cb148fe3cd31d0719769612fc998741a1d19c94695c9

SHA512
9c349a5f250cc668636e253c67668f7e291207088a12ed39b46df35faee16d61d9e96a33686202a71eecc00a7ca0aa2feb80aaa23f1fd4eb7ace7f32f3bc5dc2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
64dafed4584039785ecd482239b90897

SHA1
7431006f25490a69a23bb6f86072b74aa61f3a88

SHA256
40e03812a7042129263213e8e5c7740827febf0b7709929f747fed19dbfc2258

SHA512
9941627aa80457435a25841a513c232245836c7840125b08fc8953dc89c7867d599e2c029e663715b0e14f5a386a44e8d1797c80d0ec3e8398c34bdde9ba7e0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
efeeae7484feecdb67f536d4f7e649cb

SHA1
706e560394d4a36611d8f30fee850e4dec493e14

SHA256
f53a863450f46d254d89ce8a1812fe8891a29a421103e0bbfe9b9e9cba280cd7

SHA512
d704b60f60743faca83aa8010ed1e9edd2b1b083074e1c3c33ff7098717707aa03c19b1e131b5de898bbac28e3fb235c5ff215b6a2e62aa2ced97b7ac25cc913

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a5b70ab5be389d5082506c1f9f795336

SHA1
059dbd2f3efe2ddda6003a9452280344a2f64aea

SHA256
9030767cef24dc7d2fd3c3dde0b57baabde778eb9ce29d331dc83b477acd342d

SHA512
5c74e9c79f398cb124c87de34af710cd420c042cb627fc838586cb1f26defb111a743d56c870381166c85a99aa2b228706006246e81e46573d8339b50853f699

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0ffbacddd38140d0452ec55a0399c5b5

SHA1
1b382006ab9c978ab0b688147a3f1ff307ec080c

SHA256
ce661bc1d641de0b19ac1f9ba73d2a221a47960cb868f68374f05abe8793d268

SHA512
b8524f1d3a9b6f204fb205cd440f81d4efd5b34a018f6d70767626b164ea64d6b717c14b1285cc0857d169adb2f2097ee051f1f131ece65f2ea9141c190e3da4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29de5e3a18f6fa55ea7813437e7cdacd

SHA1
4bee206df688573d4be9740ba8c5d2c10756d3c7

SHA256
d11b7af847a773d22e17d2c6de29abb4919b6ceaba957458fefeb7d3c8d53227

SHA512
99d13463afd859293e6f12cda3f3b70bfd12be12d3df45eea967d1323d2b45e95f71697b3efe63eee0de51db27e1c3841f43aa808944cb8ec0dbea6ed4acc7b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf999fecdcd0f4a7e2f3cb01e53a4cc7

SHA1
dd2def64cd13db5c8ad847487c5d808375cc8e87

SHA256
b7df3441244fc0ec8d5c2e18e5b64da0c35fe50ce06360f09dd9670eb662a500

SHA512
e534ce25ff46b013b25a2e40dd5f6e1b1f31b549cbb5348a6cc45882e4872633f428c1a46e5bf383611d94fcc32e55440a4fc1283d8ace30e284eb8c9a220fd8

Download Submit
memory/3164-12-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/3164-190-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4472-14-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4472-41-0x0000000005640000-0x000000000565B000-memory.dmp

Filesize
108KB

Download
memory/4472-10-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4472-38-0x0000000005640000-0x000000000565B000-memory.dmp

Filesize
108KB

Download
memory/4472-43-0x0000000005640000-0x000000000565B000-memory.dmp

Filesize
108KB

Download
memory/4472-189-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4992-0-0x0000000000444000-0x0000000001546000-memory.dmp

Filesize
17.0MB

Download
memory/4992-7-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4992-1-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4992-188-0x0000000000440000-0x0000000001A82000-memory.dmp

Filesize
22.3MB

Download
memory/4992-191-0x0000000000444000-0x0000000001546000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads