fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
25s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2025 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4392	AnyDesk.exe
3132	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe
4392	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3132	904	AnyDesk.exe	83
PID 904 wrote to memory of 3132	904	AnyDesk.exe	83
PID 904 wrote to memory of 3132	904	AnyDesk.exe	83
PID 904 wrote to memory of 4392	904	AnyDesk.exe	84
PID 904 wrote to memory of 4392	904	AnyDesk.exe	84
PID 904 wrote to memory of 4392	904	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
443cc34998cbc43c924fb90a6062faaa

SHA1
c100cc34ac2d9c83c3058d45763681d41b601e4c

SHA256
bfe4da01c6bcdcfdff64a27a464a82d1d172b5f938da5e0202096901c4afe109

SHA512
74019e2c6c5a8fa2db084888541e9b631165b2edabe8715faf8905ef484f419ffb2cce311652184b73951b2fd41cfc5ce7be3decf980171f04c13c3548e84803

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
87ec3e036d79c44bbd74d3e5070f04b6

SHA1
c1de2204fb1d5c6bcb4211038651c3f26b2f0406

SHA256
933cfc419ca0f941df054db5d4556183183044b255f4b20e65ebabded8b8ff69

SHA512
c51a085d784d0a89f730532bb5d0a9987784ce3c56e28687c7c0232d58c19d971e3bee7eabd2366e0b95e9e7006678c50b0be282e4ed3589bb29962e65631565

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c0204428691586b722d95cde1d593c17

SHA1
4017716e21f83ae2ba1f7fc09abd9c54b4dbdf70

SHA256
cbf9af901957f58db79724a015bc0c016dd6a49da3c297223508596122df39fa

SHA512
3af9aca08dd5713426527f0a3e9283d84a32321c2ad98f65df09753bd719ed27a32f7406375727d859731f6b0ed741360cc51ff0690dff70d25bdd6d6eeeef01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
505355249857b003564186d58e4b93ce

SHA1
85b028c426911aea56fe5877df66bcc6632481df

SHA256
0ee9e90360e18ae269b0f937f74b7a9f77a9e720cea3235811ed70ca9c607d09

SHA512
b3f63388d6632d3f440cda27ea5f2e6bba90844b246fc4da0235a393935517dbdb49a62cd1e8c9776d1488424c4641b60cda09de04c0305a4ab82a3e6771968e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
5fe3a1f525a5e7e4fb769d9273e0162f

SHA1
c12c27a568665f44b9a16318592b80cd8ea5b1c3

SHA256
543895c978e9ee41b619820ae047ddb0403a384d05f7936cc18cf16759ff7680

SHA512
01d8f5f03c303441aaf57cb684c22252fb8f913bd24a2a608cf49ec053a14c41f9eccc29b249aeb1c6d97dbf810b2da8e6b8963a32d0596743c8a9f0d6294ccd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
272ff075120ce0f645b0d74f242d6c85

SHA1
3041e628898e65068446a20554c0ead3537b3d5a

SHA256
a356982c9fee4af3d8fef063d78454f4e126db8ba25f1e9961eab7b8f2df9aab

SHA512
dc4b9c026926d386008123f5f0b0aad03bca79572bb8902e5f170d03e00feadcd30196ef3929eeb4909ff085ac0b287ccb65f272eddd12c0fdec03d5f48fdea2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
d39185217ebfe90f0d853fd7ea0a5208

SHA1
c8c1e06d44e883e722398f5fce9ccd2a8f42591a

SHA256
0710645ebb6f0614a974e1a80bf3c154b1f980053e3e1ab50d094c2206033f08

SHA512
aa35e104d8e7087c2dd0afeb84ffda7763333bb4a01767cbf9696e56f9b0a11c3f936ecc125bf2b6ed505ed0fa33dc3bef7b6f3afb2744a98f39649b36e876c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
50e8ef1dcf01e7683aa6e9c1da58137c

SHA1
840e19f559e6e43132cdb8815b1d33b51a77d3ee

SHA256
ecd7f5e1652a386bff04d9e0d51f5d4af27e118d700ebb9bbd43c82f890b01ce

SHA512
a50f632e60cf1a0bb1888deb77be48cd18b3c8dd6d0eada5e23f97114ed02a2956b8cc1efeede03e977c2f3959559670871d3d149b6ed377312c47273b1c40b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
18ef42374b3cc3ffd0dcab086056704a

SHA1
6f5e430bb79422e4ca010b50e4b0af64844466ef

SHA256
e64f59adbf0c2e5921bcdc24ff8420c8f8143b7ecb8ce79106834885869a80fc

SHA512
4ab4dd9745e7d672bc6a61c176a5e2fc18f4517015f5d5c6a4eedf3a6b722f87d1f39fff5bbd664342b28a4a3c6b7c8702e619db86de54efb2b7cc7c6c014370

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c322b34e23d27d7f4e5cf6b0f1504cca

SHA1
8dedfdda0f8edf0d30ced23e0444b827f53f6b19

SHA256
72e1121b317c32058b104e148419b4c0dfc4dc2e29c1239b2ee6eb5e8e353657

SHA512
65e4f862a6ad8ca36f5df1fea4ba03d9e9ad1102421e92349221f5d0223363282d293c6773de7ff41d10e549ad0d734abccf436033cc5a6013642ba13466f866

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6382952bf28690620ca5ff4a5214eaf3

SHA1
6300163e39847ecd2579c6bc84458171e83ca17e

SHA256
116da17931577bf438ce0c26eeb68e3b820735646132d92f4be96b15c91b4879

SHA512
b9cf3351a81801e34c61601d53a297fe975c778937f4f0bf7db0d06b6e38c17e03ecbf1bb4582b5b066c1a0635f3ca5491837be75555595dbb18ea5c08c62a5b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c5f0cddf2c1cfdc63be92d316bbf1177

SHA1
76cbaee055175aa642b26d189eece751fdc65a8a

SHA256
4a3b47c058c5dbd97f6c0cbb1203163d3db2735e7a4caed1b656393daef3dae5

SHA512
7438fb6614cb36a8818d55a728114028bba79808c13f6be0b147847f46f2389867390162bbc46f85b28cfa9a1b012d971583442c346bd07d9071ed91b73e4f33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
99b1b89d70c71f633cf3e44a101038aa

SHA1
58fa8846f5af24b86eafca086b000d624d84831c

SHA256
edbded1c7ec3bffb3aa8bf889dd80d51f3fada49d6de5d8820a0b8bddf7a213b

SHA512
e022de31f671ccb2bdeb904013bcae2a23528fd50ee8a4aacff2eceb1e368dae0725222f776d50d6e8e0fad9677de1f68da45d58a3aed7842e519bfd93da55ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
05a811b7a62f4bc479801a2e0e643ec9

SHA1
ec8b2174eaa0d88957178654c1c0f77e98802db1

SHA256
10ae9907420ba72469ce9b322169612b8f467b92a2bc9eb043d203210a6ef727

SHA512
bdf38463d6a85013291fcee89e9b66e1c65050c628d0ba9c6b0332cd33f63be3f20babe8d4ceafc317cdb9c1a66cb6a00aeffb995515b5ee645c25b4cff8ef81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
55373b7829cf39e8e47d6dbb791b2b75

SHA1
857983819adcf9f31b7f21fecebbd72945d10e26

SHA256
fe2c6302d73f9f809aa90b6aee5673083989cf8170b9bf143387d47f0edff9f9

SHA512
f3cf2fa96d95a9cddc4073f4f9081df858eb0b7df5867b56d908748ec03384db9ebf526799ef321b0ed56edd4233222b7cccc7539c8552e20a3d5cf0deef38fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06007dabd6d3e6951d65eebb198614df

SHA1
8fe408aeb0b41f0f36bde1f874e3fa4c390af949

SHA256
b1ef4818469d067e109c85164382b0871bff42e5239cd97084f92f2141b9ab32

SHA512
bc983babfd044b96a470adfb4a8ec92d64b99361588c70d4d0ad5e3ede7fc8e971f3d59cfadf97092f332af006396917760c09a0403b186707a07ea72b2f0f02

Download Submit
memory/904-0-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/904-7-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/904-2-0x0000000000E14000-0x0000000001F16000-memory.dmp

Filesize
17.0MB

Download
memory/904-176-0x0000000000E14000-0x0000000001F16000-memory.dmp

Filesize
17.0MB

Download
memory/904-178-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/3132-42-0x0000000006070000-0x000000000608B000-memory.dmp

Filesize
108KB

Download
memory/3132-11-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/3132-39-0x0000000006070000-0x000000000608B000-memory.dmp

Filesize
108KB

Download
memory/3132-43-0x0000000006070000-0x000000000608B000-memory.dmp

Filesize
108KB

Download
memory/3132-14-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/3132-179-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/4392-10-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download
memory/4392-180-0x0000000000E10000-0x0000000002452000-memory.dmp

Filesize
22.3MB

Download