1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

18-02-2025 10:22

250218-md9krszkhm 6

17-02-2025 23:11

17-02-2025 22:39

17-02-2025 10:36

16-02-2025 19:11

16-02-2025 19:09

13-02-2025 11:50

08-02-2025 16:12

Analysis

max time kernel
898s
max time network
892s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2025 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
228	MicrosoftEdgeUpdate.exe
4640	MicrosoftEdgeUpdate.exe
1248	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	AnyDesk.exe
4720	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2592	AnyDesk.exe
2592	AnyDesk.exe
2592	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2592	AnyDesk.exe
2592	AnyDesk.exe
2592	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 4720	5024	AnyDesk.exe	91
PID 5024 wrote to memory of 4720	5024	AnyDesk.exe	91
PID 5024 wrote to memory of 4720	5024	AnyDesk.exe	91
PID 5024 wrote to memory of 2592	5024	AnyDesk.exe	92
PID 5024 wrote to memory of 2592	5024	AnyDesk.exe	92
PID 5024 wrote to memory of 2592	5024	AnyDesk.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4164,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:14
1⤵
PID:2564

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUJGMEExMUYtNTU1Qy00MTI0LUExMDctRTNBQkFBREREQ0QyfSIgdXNlcmlkPSJ7NzUyQ0VGQzEtODA4Ni00NDlGLUE0N0ItMjQ1NkIyQzczNDdDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTIzRjNDQjctNkE4Mi00N0ZCLTlDNDctRDBCNjAwRUEwNzkzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjQ2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MTM1MzQ4MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NjgzNjc5NjIiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:228

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3336" "1268" "1164" "1272" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4888

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUJGMEExMUYtNTU1Qy00MTI0LUExMDctRTNBQkFBREREQ0QyfSIgdXNlcmlkPSJ7NzUyQ0VGQzEtODA4Ni00NDlGLUE0N0ItMjQ1NkIyQzczNDdDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxMDI0QkQ2Qi0wODM1LTQyRTItOTE4Mi05MkU1RUYyRUY3N0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzMuMC4zMDY1LjUxIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTU1OTg2Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ4NDc3NDE5MyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4640

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUJGMEExMUYtNTU1Qy00MTI0LUExMDctRTNBQkFBREREQ0QyfSIgdXNlcmlkPSJ7NzUyQ0VGQzEtODA4Ni00NDlGLUE0N0ItMjQ1NkIyQzczNDdDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3NDVGQkJFOC1FNTZCLTQ3ODEtODkwQy1FQTRDMjM5RDI2RkJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC42MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntFRTgzQjkzNS0yMTBGLTRFNzktOTg3OS02MTAzNjcwMTFGRTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNTEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC41NyIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQzMTQwMTM2OTM2NzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxIiByPSIxIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MUJEQjBFOUUtOUMzQy00MDMwLTlEMjEtNkNDREQxMTlEMkFBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNDMiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswNzM0NEQxMi1BNEY0LTQ4OTQtQkM3My00QkZEQzBFNkJDQzF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3848,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:14
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4064,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
1⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4044,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:14
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4036,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:14
1⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4356,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:14
1⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4324,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:14
1⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4748,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:14
1⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5396,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:14
1⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4272,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:14
1⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5508,i,2736955615342517531,6776059445485411500,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:14
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
351KB

MD5
455764864e2266103400b7a04742d1f6

SHA1
8e459914a26ae98532625678ace0a44174b3068c

SHA256
ad63ba73150a185e59298efdcb73054ed233506ea4528912808bdad5070e42e4

SHA512
d5c8539ada386166f2a25b9296e2ae278b293bb0bc87aaffb54658c3cf8d5307aaf263ae7e113a566c777853c3860b4d6cc101804ceaa685c72d8b87bb3e4991

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
376KB

MD5
5496a0995a7cf31d27efef69734a3fed

SHA1
051f5edbddacc8ea7ed0afc71fa5ead4e739407d

SHA256
a7f19fec4292a6e11b9dd43c9048d73ea2a99fbe2460fc5c3385e30fc1e8968a

SHA512
f2893f0d7de6561f92a53f679cd9f9de1ad8b65dea26afe76c7a5bfc89aa2f3fdd1c780a035ab5f82ab91f6953d7998face26c3bec6c02aebaed554069e6bd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e0c57c36bc5d09d414c2d64bc2269aa7

SHA1
d5ce5858e6421c2513fad36f62055c83d582b93d

SHA256
04c669d982d84897258ab388df6167c987ecd48e2460fe8c706fdfc5bd7c8d67

SHA512
7149025057624063bdedf0b5c622a05417ee05cb31e231e9b8b2d52d473d88c757a4912aa056e22ad13c522a29db944ccc4b9a0cf28fad77f909915ef2ecf5ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
515702432683fa592114ad4cb5811400

SHA1
4bc3aafc7879ffe1399410a12f3afbc8972669cc

SHA256
b35ce8b5e7e60925da3c6fad5649ab71886a36dec9453d70338150873b4bc7e2

SHA512
934ff84722ca66dfbc4a5b5d91fce55475d0353ac3c0b40e1705df3bf3d23e2080f41c668742683e04f98d3e54cbb17a2020b60cfc351e08935208d2e0a6c2c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a7926c2ba17e8d26d442300f11d20734

SHA1
3c09c50a86799506895056ffe037af6774cf347b

SHA256
ae9dc2cd874c346135b5ddbabe183d035a55d91af453474f0ce69807b877b034

SHA512
fd39518d7a0b5d3669143b728a082b1df01dfd73035e803ee5904645cd59f2ac518b39e701132cf271a0c84b735ef0ad739876e28e8399c7d603de6877b4e45c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c2939d0017ad59c01321945d43e209d3

SHA1
4faebccc5e29e79df33010a4b37df202fe2814ff

SHA256
4dd8dd383e4d97811f2ba62cce6fea65b08a9263de5befa4c233d8f123eefb1d

SHA512
1aa13540a56898e479fa04157e831ab9d6989114c02541f99377038ac537e4bf2bab34ea34c97300cc7a70a43f5cc0872a835e84d6d5f7f872584da2b28cc393

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
8df1b399aa03f1b586c97c4d13b415fc

SHA1
4b7bf35e37a6b4ed0ed2d665cdff6a4f74a114ee

SHA256
25f2b81ed53dc9d225b8a76e30845627306f8777a4802e10c4c847f443248b2a

SHA512
42d07db185451edfc9a020234d69edca81e739f8fa2bff8bebc8b9776d8d6c6fc956ad947ed695bde695320af5aad9a4c408e89fa88fc77c18f09707bab06b66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
686ac9125b849751f70016bf6d844600

SHA1
d0e950bae6e0bd17f0e3561f8aee0fb95134ae96

SHA256
1daadd95dd360370cff02f0588254b4bde209b78d8cd022bcae493bf7023a660

SHA512
aff370a1523cc687e7661313ecd0bea3db1d4826b6150bc90b3d996d5239f09a3b612ae92c953870d2e0954b52db46afe302a72b008dca9add201eae57e0ebff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4fd79132657f4833651cc633c649ee4f

SHA1
6421d342e3d509e9790961d3f9f0a77b90163eb0

SHA256
e52c2e98886b23d1459eb6064b78f05bf93ae41d9461bbbed1d48d5616d29a4c

SHA512
bc92b5fdee5541e491a705ee781d01aa2ca60ad56783b04fd9b80297301d29d20222f18dd870190195857fde137f1d47086ec521478fbfe74718596c86bf85b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4a89a4a079ebe12a439f8bb0700ee36b

SHA1
7d476696464e0bf43709fbfac19c770c7fc261fa

SHA256
adcefa35e7c2b739d90ac4b9e87172cbda2aa41e0fbc8018c8bf2b9d7bb1f811

SHA512
ef299fea0decafb0327b34563c9d6c803c578f93a692b9d6f5fb3f9b1401752baa2a160020b1172f1f4b5cf38f2ba837a954a2e69beb9d3cfd37946a8125d228

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2c62f911caa95a7e36e4186f8d01ac7f

SHA1
8aa3e8c5b2be4686bab3789213dad74ff19d81d9

SHA256
290e8e95d20ce79955eb2fc10ea97ca7607c76bd5f31a99ad39dda1e2b034a99

SHA512
90bd0c02a73e1b52b17cbf2ed3fe919a2e49b893138fb9c96b1f20db3f892fb95dab299691d798bbf6c96e749c2be18b7ea3a3083f8dc0f5751bf63263a3a9f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4641252c3f922a5f8527c74be43ddd98

SHA1
173432f6d8b6978091a1ec4511cd397d803fddfb

SHA256
737f0444e473e0640a6df298f6982c85a45ba74badcf3762b876709b0a16029c

SHA512
9e429df3574f907e68495d79ff8a1e1704482adb4d9567f02b50c80f1732497ca533bd51f00838a8a5ad5805d63a672eeebe60af594cd50b470714277101b809

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f5d84a57966a69214c9f2297f5148094

SHA1
0c520c22d2ad68b47ca8f4701b14144852f2d3c9

SHA256
03a9a60eae2b3621f286d149c46b94ed127c008acfd54b3487ec17acfe2c3625

SHA512
859cc4ed64e42bcabbbf5bcf63f31925c8e2454b90e713d9c77130e3a0ab2f182b0a2eca4d2744ac578c70c1c76190039749161d692aa532f766ca82cc253619

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1371e2301bfc6b32b851c8258dae9b91

SHA1
d1fc35a9cecfe9137cafa9e226f93ef02e89bd3b

SHA256
0e098f565cf682132f5b2b960e74a679b9097d942b3ea64ebc5f92dff0b1988a

SHA512
069efebf59923eefbe4ca369a815916aa4f982099c75334cdeec8d7ef6f1e461e99e2317b757ea6356e889b119c0e69ced9b0e1647d24f91c5222e9049bd24f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
25d422fcdee0da154eded24e0781ba6a

SHA1
9f42632c9a1ea74b373182d8c4226c5f9be57453

SHA256
80e5aa0291145ed8c5b4ae10d03cd788e8b179647db56c3038aacdc0d189c1e0

SHA512
4bb4ac7c7624e817ee679d10d932377b5239722eb1bfcb0e5dd641a10f462da028dd01f8415339c888c34d9fefc2e73e2355d701e75796348c170c1482eb44f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
97ab2d2723ff6c124345cb5a9ed79ed1

SHA1
0f9e0aea62e3afc67fcd9c432b23989f09b89d18

SHA256
99d1a2245eae04a11e77bc265c1a758b6984459eb0c29506d98c441d9ad59ec8

SHA512
5729ac409e61fd8e3e6ec685a9ae9201d7a72e2a2f9e1da9417c7437001bc7a70729e54ab1b63e48a967fad997c218ecb028a954d303e31530b736f87dc45181

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a14edd1b47d683dba747841afb9fa4cb

SHA1
2ed3fa7a7b079994ecb76e5bfbf2ae2fb98130ef

SHA256
2ef336746302894e37772b2683b6940688552c92c41d1da8be50d0d76fe9c87c

SHA512
70fd7de95b2bac4e77a9fa008e8572bc754d17cffaa160882c62d682838fe79ffac1f7176ed56c182e1fe53f8b366c24476f367d810fc409abb225fd0c6b5d3a

Download Submit
memory/2592-12-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/2592-220-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/4720-10-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/4720-219-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/5024-2-0x0000000000104000-0x000000000133A000-memory.dmp

Filesize
18.2MB

Download
memory/5024-217-0x0000000000104000-0x000000000133A000-memory.dmp

Filesize
18.2MB

Download
memory/5024-218-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/5024-7-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download
memory/5024-0-0x0000000000100000-0x0000000001849000-memory.dmp

Filesize
23.3MB

Download