fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
24s
max time network
27s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10/02/2025, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	AnyDesk.exe
3020	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe
3024	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3020	1552	AnyDesk.exe	30
PID 1552 wrote to memory of 3020	1552	AnyDesk.exe	30
PID 1552 wrote to memory of 3020	1552	AnyDesk.exe	30
PID 1552 wrote to memory of 3020	1552	AnyDesk.exe	30
PID 1552 wrote to memory of 3024	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 3024	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 3024	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 3024	1552	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
45329d890c7a95754f7c8786062537e5

SHA1
bac61aeb4ccce90b534d9444671fb6915c6d6feb

SHA256
9e5650cc5d1592e0c1cb7e7b13834a161974a8fe6afb4d8faca02e64378f511b

SHA512
9d60c33f6b586830ef39495ad4951c32de2f201f1d218acdebbc40e5c50e33fd1de19a8b51be3d2c8b0db586e7ee5c105b99507ca2bf73bcbf66580a03959163

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3e8d4399b5b2ce01b8910388cee2b128

SHA1
2c81b6b308c9034fc32ab1b3d8362ee783cee508

SHA256
542108e2e85a9683b3619054a7503cfc373485995c7b7a84cbf326aaa81ea36d

SHA512
13d65cc08a24d3daf440556eaa8ae4208475e56f8f8999e0f096846a242e60d0bbb7215f7c467be164f6b2ca159e9495a4bc3a529410ecce8bca7778ba215b0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
35e9e1f28def5e6e7646c497963d6d92

SHA1
6db3204537cf548943d0d7f2e2ad39c06c020a13

SHA256
e271176ad31d3584681c12f3e8bb8b74b866470fb3ffc400c1aeeb480230e3a3

SHA512
63c3de7e9c430cd5c45a333660690b884e174ce5592a0b0c521ff545344916abb91d2fc3e194913987c7c98760b256a487c01fd87d2b29b0bbcf06fff1baaf93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
913896b8526b9869be5c14bfde94aa06

SHA1
680e677a803c8c93527c335217d3721559d46628

SHA256
14d9c71bfa42a93006d94caaf8570d7d50b942e0b2bb5edf07ff6029221e3442

SHA512
79f0da9965c611c2d4b868f27462030fb13cafd37070aa37bc1bd9c9d1ca87f1d3a29e3a082f8b46bae137283a6f1be83795aae9fa61c7bd50b7fcc81a0c9f52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
7f32977fa0dc51c360c012d8f93b49dd

SHA1
dc869c9ef947a2edc620fe95d1fb8ab536789840

SHA256
2d29f653cdfbb4fe2ce201a20e7c02a5b50e00563143acf04d8b9c83a07c99d3

SHA512
a51b83922a5c0c3b22e2b04bd3d755dbcabac8e3f9e98931cadb308450e0abb2231cb9d31065dc9fafe125b4b655a704365ee36c61f76506f6b673718ba3ff48

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
5acda103ae18cd95a212f3bc624eee20

SHA1
8ba35b7abd13582acab96e0db235f60c24790ed7

SHA256
394a7c9c107d79e00c8c5d4c870a015ec322b8bc23ffc1bc08202008ee883200

SHA512
622524854babfbb91b6eedb6f7ce740e61f4767368ccbafe5b33fe83fa34ad9879d96bbadedc1ed38974f97dbb04b72e0af6666e38617e52cc5285f46bea43c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
368c32a35c433bf770bcc50592c4e7e0

SHA1
49624af54b51dead822c85353ef7b4e290027933

SHA256
f86a598fb76b9a065c39d93f1aeadce21adb20a00f6d34d46fe5d2d1943c0d1a

SHA512
78af9c1fddb4cc443d053493d5f1dd06c789af0b65acfe303c9b75a6460a789e7a4da522c27766c1fed1b70590375006b4b0cb4127bc7cd237a898958148abe7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ecc745492b184a9979a056f35cc16f3b

SHA1
46fa940f2e22ee170f5660a17ed5d74296b5eb6f

SHA256
041cab4de777171a2cee02041e9a871ad33cf7a323399337001e6f39c50402e7

SHA512
29e542f40a5e8d8821364697b7bcb08ef8fe83f0c18e829d917f3137ebc013459769c5fbe811bb9ff0465e10861915d9faaf457087db30aa81ee9f12eefc9c0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e58de0df5fdff3da4794eef6cc692e30

SHA1
5ed2a28c3296f852884b606bad3c8e6a9f94feb4

SHA256
64f3199c4388fde268e109286708216b8ce83bdf1b72f0aead52c4cd3c21f6a4

SHA512
9ef2962a269c230e1d4fff649f1fd47c44714c77741a66f624b410aed55ebc46b3c7a53b9c544bf52ef7eaa8ab9058a0c6185f37c9f61b4bce216b0414978eba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
49ee7de0348c2eb3cfce809dbf6641d3

SHA1
19e18a99e8b49107e228a383445cb5aa662e32e1

SHA256
d033c6ba5f9044d889181b11bf9b169b9aa4f4066f4b449b66252f28aad1b588

SHA512
29fe8e6add7878f533af6a767e4de41c3f2454a3dc100ed10738b38538018196a099498f3f5b5143e49908b385aae6c0b51796fdcb9ef6b6704b9b8f91a18103

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
768788c6dff4b0b7a879e44022bfa201

SHA1
35ec534d2deac6c32b3a2c08932c4557fb4aa1f7

SHA256
5f6f52f4a0a1a70aa373521d6bba2eaab135f0bdb3205af32615ccb02fe7090d

SHA512
e4d86ab6430e914bad498e21f9653bd8b5950d06b280f37b658b181fea7a21bf7ebba00d5207161a26455d700cd1c45d207bd9a2e0d22ad29b9f51b4fa27a36b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
242432629b6ddae99e4a68fb2a4fc1c1

SHA1
6e767f02639e6ba8b313ee1ee1607631d31171ec

SHA256
433821daa7a492c0b667e30d4f81d090529bbebbcde6c1189d4e331f8f529ee0

SHA512
ca312303ed77e0449b0c10e779b8b985c4dda2fe15c8e23126aed32946405e9eb7a4ff3975fef6c493a003b0d8d285c00a85771295e1023d9fb1f521783867dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7474e8e94da77f8e136cb32759fc17ee

SHA1
d6cb4a6aa6585654dd43233b2c48d42c1f455926

SHA256
3bd63a54a8f570869fa970e6792c8ed91e3da7a846f7b3cf6d326565207cc7b2

SHA512
469edca50cef9a751b2290fe677baf8ba4186ee16ffeb5b0f65a6cc140a5291422a56383eca831e5822f29ffadb17c1e87dd4f57b96467f47b647c990604723d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f03ba21fa80bef74f1cf31b7f7cd2f16

SHA1
335e089946ebcad43d9548ed1ea6aaff8865f824

SHA256
2479367bed8d404d1fbcb7724e1d02dfc99a2ded4b20354714e9fc948e8ff2c6

SHA512
0e37356ad1a9aacb5a601928ad1f4908de193b0465d737a382a0b0f4cf7007324e3a7825a94552685447eab22a98eb6fc77c59fb2c7d602c4a66bf4a4b31df88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
55d7ccd16a44eeab7bfffb8eff59c77b

SHA1
d7193a14d938dbbd606c100419b4a8c7328357fb

SHA256
d9241e0300e9bc5348b0b1ce98332e769aaa0f81cc49de20614c478115446f67

SHA512
d44b1fa30a6699331e19044a8ab40ecf66e081ea95fde18734480c202828014320caa313447e6fe1ffa1e6da6bcb54db993e25f8746971fe1e4611f3a8b343d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6bbf734e584bb6c6c40371110b6e6b1d

SHA1
a6310d0a64c1a2ffbc7ad4f71737b93bb0d16eb1

SHA256
4ff07ccb03d26698beb89ef64d788720d709398faa8d13d05f48f184f837d0bd

SHA512
60ca8f67c53a85492a8d0309ca980cc7ca5e70691e3833c2d12f68ebc28320b67d9342e06bdbabbcb207e2cdf9a9fed0d4c577daa676b09981e840ec0fc08b28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b811d477c8afe393092b21da49bbf5d6

SHA1
691a47a9a85929bd176f8b139cef8a8e697bc56b

SHA256
c12c7f3b35f5e550c709fdf4361eeebcb7ab88387e7d8c2c5cd2e8b63357abcd

SHA512
6e32e2208071b57f0eced167bc1854049c81676251665a1942a6de8a463d093c9d9e1fa5c0dde50009c790595347bb42b26609cdf367194caff9575c5e752d9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f2e4d89e77fe99f5712d83331493997c

SHA1
30d91ab2f82fb7e215e1f0fab6a43b9787b5de4e

SHA256
ebe08ffe7a022bb3b602a92f191616dde4b55fed03cd9e5a62c34e999fffc080

SHA512
a945af220d6ad52596c24baf61c671947cbc31e531adbd5179e646ba43e238cbf65b6635719518820ef59250436f16c52bbe1673b63b7c35fa61453aee1a5b74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7ec0521b77262679b6e8f0aa5c3bb4e

SHA1
c5fece55b59a6c9a1186ff621bbf1b8681c7a672

SHA256
059cdb9097edb21e43c8fc828851a6267da1b1ba8b23a5ec3eca083bccea9345

SHA512
e207a464ca4dcdb8415144cf64d48a58cb8442aeb1f435e89d00663644b14993df0e431f4ba46cde55de34ea4f6aeff9ce82e4e2abeff238080e825cac4129de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b119740fe27cdc69f6143c8650327839

SHA1
f94afb1db92e6402d9d771df00c7446f0b6fecd1

SHA256
15d555105f4f2ca0db5e0720f6f3eb99ef07b89f063da8bc293a674b4fd2f732

SHA512
f7f2adbc1204e54669ab56b610740cfdadd3655a154358abd1151d995734d81b08a4cad29b6feb776a23ba20f0f70b51058255ae9873994fcfd7c86bd232bc27

Download Submit
memory/1552-4-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/1552-0-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/1552-2-0x00000000011B4000-0x00000000022B6000-memory.dmp

Filesize
17.0MB

Download
memory/1552-269-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/1552-270-0x00000000011B4000-0x00000000022B6000-memory.dmp

Filesize
17.0MB

Download
memory/3020-14-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/3020-271-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/3024-16-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download
memory/3024-272-0x00000000011B0000-0x00000000027F2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads