fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Resubmissions

27-01-2023 20:15

230127-y1p1esed41 8

27-01-2023 20:11

230127-yyfc7sda53 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exe

pid	Process
4604	AnyDesk.exe
1972	AnyDesk.exe
3172	AnyDesk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

Processes:

DrvInst.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B8C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B8C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B8B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B8B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6BA0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\anydeskprintdriver.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6BA0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\SET6B9D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	DrvInst.exe

Drops file in Program Files directory 2 IoCs

Processes:

AnyDesk.exe

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 7 IoCs

Processes:

DrvInst.exeexpand.exerundll32.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exeAnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 17 IoCs

Processes:

AnyDesk.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

AnyDesk.exemsedge.exemsedge.exeAnyDesk.exeAnyDesk.exe

pid	Process
2556	AnyDesk.exe
2556	AnyDesk.exe
4412	msedge.exe
4412	msedge.exe
2308	msedge.exe
2308	msedge.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
2208	AnyDesk.exe
4604	AnyDesk.exe
4604	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid	Process
2308	msedge.exe
2308	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeAuditPrivilege	536	svchost.exe
Token: SeSecurityPrivilege	536	svchost.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

AnyDesk.exemsedge.exeAnyDesk.exe

pid	Process
4008	AnyDesk.exe
4008	AnyDesk.exe
4008	AnyDesk.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
1972	AnyDesk.exe
1972	AnyDesk.exe
1972	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid	Process
4008	AnyDesk.exe
4008	AnyDesk.exe
4008	AnyDesk.exe
1972	AnyDesk.exe
1972	AnyDesk.exe
1972	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exemsedge.exe

description	pid	Process	procid_target
PID 4652 wrote to memory of 2556	4652	AnyDesk.exe	78
PID 4652 wrote to memory of 2556	4652	AnyDesk.exe	78
PID 4652 wrote to memory of 2556	4652	AnyDesk.exe	78
PID 4652 wrote to memory of 4008	4652	AnyDesk.exe	79
PID 4652 wrote to memory of 4008	4652	AnyDesk.exe	79
PID 4652 wrote to memory of 4008	4652	AnyDesk.exe	79
PID 4652 wrote to memory of 2308	4652	AnyDesk.exe	87
PID 4652 wrote to memory of 2308	4652	AnyDesk.exe	87
PID 2308 wrote to memory of 1408	2308	msedge.exe	89
PID 2308 wrote to memory of 1408	2308	msedge.exe	89
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 3152	2308	msedge.exe	92
PID 2308 wrote to memory of 4412	2308	msedge.exe	93
PID 2308 wrote to memory of 4412	2308	msedge.exe	93
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94
PID 2308 wrote to memory of 2988	2308	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://help.anydesk.com/en/share?utm_medium=app&utm_source=adwin
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe092446f8,0x7ffe09244708,0x7ffe09244718
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17400674218412138370,8538851896711445108,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
    3⤵
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:4900
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    - Modifies system certificate store
    PID:2480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1972

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:536
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a2f895bb-f8c9-9a45-a52b-b799120f7b4b}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4496
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{16c4873d-e5e1-a643-b30f-d08ca724135e} Global\{0c4b92a6-fa41-3b49-9479-5540d113b06c} C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\AnyDeskPrintDriver.cat
    3⤵
    PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
758b5242041174e2de76577e85326875

SHA1
2d3cf87763b05c348e7e877655fd4a16cb6e1fb2

SHA256
4e4870fe202fa1d34570c305787989f3a5a1284798bf1a8fdb776509b22b6d18

SHA512
884fc05c378643e59f829882091779c681fcae1d6c9d1378daf333dd3d8bd7fa187870532be46728cdcd3f4783a950a916b42e97971d6c2b9936832cf18db37e

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
655B

MD5
bc32394317dea525ebafa9e01db51ff5

SHA1
0c5b6e8804d86d4d572cfa6af32314f336b496ce

SHA256
a975861e23faad1d77b549dd4057fb3cf8a743ba84912f806e7b755656077fc8

SHA512
da6ed4de8f3950771b00c930fa1779fd4bb961a9d190e04b66975f7b4b9f25c0102ffc608421315143403ba014138f76fb02f9f3251638b7b932694926e775c2

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
655B

MD5
8b1fef1912f32aae489a417ad942b397

SHA1
f55456b35c49424c3755d97faf5a19fef92c9845

SHA256
0f10189a4ecad96abcad2ab4f910791106a13924eafb486aed449fadab0503ae

SHA512
efdae5a1029f69ddc42aa02648b905cbe94915a85fd87f3889b53b8291ce1866af3074f685c753ff07b50f50bb5b37aa00548b2ee5c0b5a850209049da7019f2

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
655B

MD5
8b1fef1912f32aae489a417ad942b397

SHA1
f55456b35c49424c3755d97faf5a19fef92c9845

SHA256
0f10189a4ecad96abcad2ab4f910791106a13924eafb486aed449fadab0503ae

SHA512
efdae5a1029f69ddc42aa02648b905cbe94915a85fd87f3889b53b8291ce1866af3074f685c753ff07b50f50bb5b37aa00548b2ee5c0b5a850209049da7019f2

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
655B

MD5
8b1fef1912f32aae489a417ad942b397

SHA1
f55456b35c49424c3755d97faf5a19fef92c9845

SHA256
0f10189a4ecad96abcad2ab4f910791106a13924eafb486aed449fadab0503ae

SHA512
efdae5a1029f69ddc42aa02648b905cbe94915a85fd87f3889b53b8291ce1866af3074f685c753ff07b50f50bb5b37aa00548b2ee5c0b5a850209049da7019f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2F89~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2F89~1\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2F89~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2F89~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A2F89~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{a2f895bb-f8c9-9a45-a52b-b799120f7b4b}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8f55765dcc60515e137bee4b079343ff

SHA1
1505d69021af6053de17157570fcb3b6e96ed755

SHA256
fb90cce83c3617f4652f7287cb058d12895312a29a2ce96a930effd5a21efc8f

SHA512
3d4f25d392bca84880f8bb4210ab95a806217de1f238bcb143cd8a0ac7d94b24c13f344dfcef8e879876388650ffe821f88774ffdf1b7f07c17138e9eb8b9979

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
d79f2d1f98b1921776cbdd39333e8230

SHA1
e9c3b23adc11891370795abf836422e83020b379

SHA256
5bfae54e7c9dce712d5e90fd0c3d9900c140608880fe5ac280110f4067aa54ec

SHA512
1af71cd2961490b6e34a3aa634dd1fbdeee03855831f91e3abd342c9a7a438fe1efa2cfde9172bae42c4fe20e8c0d65993307ca83c07fee2aae91de4df15e4ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
30KB

MD5
3b050b3b9a4dbc3514221569c275dc00

SHA1
4ee07d339ffae3a304748edd7c6212704643eca2

SHA256
1b795bc4ec20ed909f07fa264910104d0d09424815e86556fb4040d56cd2a746

SHA512
481335d10194d3f783fcfedf2d1e3d46827ae6bb1e3556eeeb374e353bf16a23e1c52416b89a745cfa08308426917600bd5347748e0249c54e036777531f2125

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
36KB

MD5
7952179a2cc5d0b762ac71d7ca00ce1a

SHA1
b4c6fb04a10eed6a813e64bfc0a9b6ea2e546346

SHA256
e41d151f21070acc4b0fb57644bda5dcd97d777a324ddbc1dd6c3c4919019d2b

SHA512
be1ff6d2c7edaa595cb659ba859ca0aae1a06ca84df0369762751d5be5d642c0b4cdee2d462d57b75bfd59d9f7d4f2dd5d4c7d2d57597403e63772b4a25c258a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
40KB

MD5
d1234dd82aa28a6776097f03d48cea28

SHA1
b1f1e27de9757c6dbde6e4022da4db5095de3fca

SHA256
0012528ed8adfc7c2dcacd90ec402fc34e7b64835b9aa1e364a043ae2c69c4a5

SHA512
7e3f1cdcf848caaaa754e15fcf606d66cf00094f3ecdb9ee7532ce148a9c8f839291eea76ca187bb342babf64a8dd74a504060d41df918dd192af7cdad15066a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
758b5242041174e2de76577e85326875

SHA1
2d3cf87763b05c348e7e877655fd4a16cb6e1fb2

SHA256
4e4870fe202fa1d34570c305787989f3a5a1284798bf1a8fdb776509b22b6d18

SHA512
884fc05c378643e59f829882091779c681fcae1d6c9d1378daf333dd3d8bd7fa187870532be46728cdcd3f4783a950a916b42e97971d6c2b9936832cf18db37e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0c1650a795046eedec07bce0becdb757

SHA1
b8166318cea73514d691618f4bf0632508d7e920

SHA256
75b4de4ab011b92b3fb16943f106a8673f6025015bc8b8ec5411a3931a793a23

SHA512
8e19c5c28e2569b7c61656282d10e6f79c72f0707f9924cbaa79e5112cfb1cb183b60f95332008e55566b0c2b40cf0cdd06370b0cbd9ad756b628d6e9f1cc2ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
03bc1010233b6c6d26c7c5728a114f6e

SHA1
47680587fc68e30ca351cffb138c6bc4f3d110b8

SHA256
dc1605e4d57b39e006ce81018133307a2290ee4d0c7fcda75b06ada43e7539ab

SHA512
b5f12198f95a3d98b99598e275714b892e5070f045f38664b59d380da15e272c45886b127fa56b56d66fc914dc053697e30221a680e5c2204f4a6d7cf887d12f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0c1650a795046eedec07bce0becdb757

SHA1
b8166318cea73514d691618f4bf0632508d7e920

SHA256
75b4de4ab011b92b3fb16943f106a8673f6025015bc8b8ec5411a3931a793a23

SHA512
8e19c5c28e2569b7c61656282d10e6f79c72f0707f9924cbaa79e5112cfb1cb183b60f95332008e55566b0c2b40cf0cdd06370b0cbd9ad756b628d6e9f1cc2ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0c1650a795046eedec07bce0becdb757

SHA1
b8166318cea73514d691618f4bf0632508d7e920

SHA256
75b4de4ab011b92b3fb16943f106a8673f6025015bc8b8ec5411a3931a793a23

SHA512
8e19c5c28e2569b7c61656282d10e6f79c72f0707f9924cbaa79e5112cfb1cb183b60f95332008e55566b0c2b40cf0cdd06370b0cbd9ad756b628d6e9f1cc2ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
03bc1010233b6c6d26c7c5728a114f6e

SHA1
47680587fc68e30ca351cffb138c6bc4f3d110b8

SHA256
dc1605e4d57b39e006ce81018133307a2290ee4d0c7fcda75b06ada43e7539ab

SHA512
b5f12198f95a3d98b99598e275714b892e5070f045f38664b59d380da15e272c45886b127fa56b56d66fc914dc053697e30221a680e5c2204f4a6d7cf887d12f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
539B

MD5
c58b13d0678a554861ae4251179695ca

SHA1
5ac27fb588d44460db19f94e04ddb15a8b13ff8b

SHA256
f7435f00dffc94395761f077bc6a17cffcbabf00933dbae38f5d455f88a926e1

SHA512
bfe548b0c081c69802359d969638a6d465354b9be84d7b8612a831a758a9e7beb4327848fcc4b481b24f119772deb92033d8082b6b17c8a3b89288fbf647cf3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
539B

MD5
13548d4132977839aca8be4eff732934

SHA1
974443b14aa8028d147e94cbd0c382e8c0feb804

SHA256
1fbe9ba02d18197f20bd8057b4aece996bae3fd147efb2b68dfde9f61c2fe22a

SHA512
6e38417b0971aecf5ab5c098f035be3832e5e2161afe21af32e229c5e4d1a83f273106e70691479613c6d839e5f5a27b5a6ccafc5bb8e903986b6318f1f7ab9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
539B

MD5
13548d4132977839aca8be4eff732934

SHA1
974443b14aa8028d147e94cbd0c382e8c0feb804

SHA256
1fbe9ba02d18197f20bd8057b4aece996bae3fd147efb2b68dfde9f61c2fe22a

SHA512
6e38417b0971aecf5ab5c098f035be3832e5e2161afe21af32e229c5e4d1a83f273106e70691479613c6d839e5f5a27b5a6ccafc5bb8e903986b6318f1f7ab9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
539B

MD5
c58b13d0678a554861ae4251179695ca

SHA1
5ac27fb588d44460db19f94e04ddb15a8b13ff8b

SHA256
f7435f00dffc94395761f077bc6a17cffcbabf00933dbae38f5d455f88a926e1

SHA512
bfe548b0c081c69802359d969638a6d465354b9be84d7b8612a831a758a9e7beb4327848fcc4b481b24f119772deb92033d8082b6b17c8a3b89288fbf647cf3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
597B

MD5
72c95ddb86201c32e820a6b9f4fa35d5

SHA1
46c8c31d74cc754e73018498df5283bce0a7bef7

SHA256
7695e8c996ca6c9345bddc5f9edd10f7aef077d484f6e673564cc55ba2cb1561

SHA512
d91e2526f52eec7693d095bbcff6c08d9336e145a074ca223d06485b91d51eeaf44d64a83af027fb10cfefe4b17200e8592d9328e73f75e9d1de519f4cf39938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
597B

MD5
72c95ddb86201c32e820a6b9f4fa35d5

SHA1
46c8c31d74cc754e73018498df5283bce0a7bef7

SHA256
7695e8c996ca6c9345bddc5f9edd10f7aef077d484f6e673564cc55ba2cb1561

SHA512
d91e2526f52eec7693d095bbcff6c08d9336e145a074ca223d06485b91d51eeaf44d64a83af027fb10cfefe4b17200e8592d9328e73f75e9d1de519f4cf39938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
597B

MD5
72c95ddb86201c32e820a6b9f4fa35d5

SHA1
46c8c31d74cc754e73018498df5283bce0a7bef7

SHA256
7695e8c996ca6c9345bddc5f9edd10f7aef077d484f6e673564cc55ba2cb1561

SHA512
d91e2526f52eec7693d095bbcff6c08d9336e145a074ca223d06485b91d51eeaf44d64a83af027fb10cfefe4b17200e8592d9328e73f75e9d1de519f4cf39938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
babd82433bb698d1f25c6e7c8500b324

SHA1
3e4e0c55a42b72e89354fedc1e0d4406ed6576eb

SHA256
9497b359572de050a482479a232e2ead82d00cb5511ac55292bc14a8c8b1f21c

SHA512
368802f5e2627cee2dbd563a47755fb830db3a6e88a7c19ea9e0ccccfad7a7de19f6d6c108a1bb57f7caeaad530ac0657b296050927db34ab7db8d3ae27c1c4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e889e3cd2827e0bc6377c6b84a79cc63

SHA1
78fba1542388ee83291eaddc64fa5baec1a34cc2

SHA256
4c45f81631b540e926318b98c19bbe982fe5dbfd65f94935266a22610719da1e

SHA512
b20918c96825ff2870bdb1271a24f68a451a55cc317f7b01fc3603fa5287d9cc302fce5a4bc822391566d00612991fb7ee67d512344b06bfc1215e7195512c2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e889e3cd2827e0bc6377c6b84a79cc63

SHA1
78fba1542388ee83291eaddc64fa5baec1a34cc2

SHA256
4c45f81631b540e926318b98c19bbe982fe5dbfd65f94935266a22610719da1e

SHA512
b20918c96825ff2870bdb1271a24f68a451a55cc317f7b01fc3603fa5287d9cc302fce5a4bc822391566d00612991fb7ee67d512344b06bfc1215e7195512c2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af43a256c98e4fb3b25473e75718efae

SHA1
e562cfbcd23a63b25a891a9f5efcb559d29c3946

SHA256
378a8c6fb61e7ac8b68a34f370616f8a9147049bdc77821f906bd13c2f0fa4f0

SHA512
bb3e21c69c73f0fe98bc6505662c0dfccac72ae1a192d2a08ca2ffc2c02d79cf3138ab4fe1b6ac521daa99250292b9c8871c0520654445cff253840ff32a43df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
449e4a6845a5e3aa03a2ffaffc9d45a2

SHA1
b9ddb92fd96c1e21302b44104f7e02906b97ebdb

SHA256
2dead8d772ea60b302c5206d6a85c0ec7a1f30fcd72d01fc6d09bcc2b6e5fbe0

SHA512
c7b62e3c55ec145c4d5842bab9b6a8eb1c5265eacbc2d045129e678a565154c035f2f1fa3d5c07bacd05afeaf73241c571e317006140f534780ea94dbc8109e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7bdfbe43682dc306c965aeb67f297c94

SHA1
a225da9150b15ff8b6b87fc7f4e2cdea790b2329

SHA256
cf6d76243932bf4f790508574c9f881db74b75cc426a878ace4b41ea5574c269

SHA512
e04a06dcde8cf7c501bbf30ec25ffa551d65bb9bd7c8b723a84cf01350b89f7ccbb6cd68db7e5955d547ac46035b0611f9e59cadae65b5428d594b176b25f8a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af7f5b95ea848cf971152871a71e547e

SHA1
7f7dac4a6892020ef8b5705360b6f7d5e1a938e7

SHA256
dee67d5277ad666f4f39aeb0b7d7cabaf707b197c35b5238a1f54e269dc9fc5c

SHA512
e2817976fb58f86dbca84194f239b7fdc1f4411ae45ed22d2b33cf1e5d6c4fcdce113ea1b0795ba315d0dd4cf5d47db4ed34af0ab5d65d368559a139cbb0a991

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7b2f785f939da6b6422d991178b9c02

SHA1
54460af3a34bd55724fcc643197109226fe44e2d

SHA256
56ebec9f384261763bcc1cca5038189803787835741f12ce426dce13dd214f05

SHA512
d4cb3ee09c52d5fc2d35f82da5cc3e61a38de7e50514e989aff0ec2d3816ca27d6276d85e859c3966ee675d5de647da29c5f7c5d79555f872a19b1719e5db8c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
99b05ab6710ca5cc238c26b55ebca2ed

SHA1
d030782b19552a876fbc462fda06763e78975230

SHA256
25a6852a70751c642fcf0291463a74d55bf638347283774eeec330e3f5f3dc9b

SHA512
281ab1272bd1336bf7b72bf3ec502aba2c8eb7a159cad18a7c02bd61049c444611cf6a4280c2f492182c3f1eab9af3a77ba2586edf85415213112dfde4dc1904

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1a8c966d5386b64d6b5c0d342a5a1dfb

SHA1
43f135b4ef817eb965950b3662cf05ee33c556f7

SHA256
574c5ea0a1a755e9d4628d08c291817a02540d496890e87011f9191d3f61ddf2

SHA512
a02bd0fc1d70ee8da602b8f0d72040b16587c2e9264aec39026f607d7fe5c08c06f6dd3b30b786535ee1775fda51ec2ca9122735e981d045365617d214f305c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
257ea0ec66df2da5e739b7b13b0c3574

SHA1
6151b262ebf0eefeb053527d2f9fd69734483dfc

SHA256
8fb7f42e81b1c4023e8171604ec0d7f8c2c476f9b906104a65f862e3105fa5f0

SHA512
7ba67187110f507f5f4eec5bd942ef22924c3ede2df014c214ec55e3a6cd9e31d6b5c4ab6fd5ad0cae81c9b4da516362842daf0af259dfb157120e66941a7c84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
aa6e44015a65d0781439d36e172cc210

SHA1
b4cb757b86023405dcb941e166c5d3c5cde9096c

SHA256
af31b7cecf14ee2ad4f8d8d12ecf4031bd1c2de43d86cebacddbc654ea5fdc94

SHA512
eb79153a8731325649c99dd34f9450ee550975a239094a00b8f7b1b053a4d79179b0bf9c46a614e040869e8aee56a68a55a346c2e5fad4f1e149fa9a84c9da13

Download Submit
C:\Windows\System32\DriverStore\Temp\{f6402ebf-de49-2b45-a70e-93f90e2914dc}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
\??\pipe\LOCAL\crashpad_2308_LJEKGSJGYSUBMFLF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1172-225-0x0000000000000000-mapping.dmp

Download
memory/1408-159-0x0000000000000000-mapping.dmp

Download
memory/1496-169-0x0000000000000000-mapping.dmp

Download
memory/1972-209-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/1972-233-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/1972-200-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/2208-183-0x0000000000000000-mapping.dmp

Download
memory/2208-187-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2208-208-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2208-184-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2308-158-0x0000000000000000-mapping.dmp

Download
memory/2480-201-0x0000000000000000-mapping.dmp

Download
memory/2556-134-0x0000000000000000-mapping.dmp

Download
memory/2556-189-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2556-136-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2556-156-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2988-165-0x0000000000000000-mapping.dmp

Download
memory/3152-161-0x0000000000000000-mapping.dmp

Download
memory/3172-231-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/3172-216-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/3172-234-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/4004-171-0x0000000000000000-mapping.dmp

Download
memory/4008-137-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4008-157-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4008-144-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4008-135-0x0000000000000000-mapping.dmp

Download
memory/4412-162-0x0000000000000000-mapping.dmp

Download
memory/4496-217-0x0000000000000000-mapping.dmp

Download
memory/4604-232-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/4604-192-0x0000000000E50000-0x0000000001ECE000-memory.dmp

Filesize
16.5MB

Download
memory/4632-167-0x0000000000000000-mapping.dmp

Download
memory/4652-154-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4652-132-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4652-188-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4900-198-0x0000000000000000-mapping.dmp

Download