fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
71s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 3 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exe

pid	Process
2812	AnyDesk.exe
1352	AnyDesk.exe
4784	AnyDesk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

Processes:

DrvInst.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42E9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\anydeskprintdriver.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42D7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42D8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42B6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42B6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42EA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42C7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42D7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42C7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42EA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42E9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\SET42D8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe

Drops file in Program Files directory 2 IoCs

Processes:

AnyDesk.exe

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exeDrvInst.exeexpand.exerundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DrvInst.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exeAnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 17 IoCs

Processes:

AnyDesk.exemsedge.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

AnyDesk.exemsedge.exemsedge.exeAnyDesk.exeAnyDesk.exe

pid	Process
4052	AnyDesk.exe
4052	AnyDesk.exe
4924	msedge.exe
4924	msedge.exe
1248	msedge.exe
1248	msedge.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe
2812	AnyDesk.exe
2812	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid	Process
1248	msedge.exe
1248	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeAuditPrivilege	460	svchost.exe
Token: SeSecurityPrivilege	460	svchost.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

AnyDesk.exemsedge.exeAnyDesk.exe

pid	Process
4628	AnyDesk.exe
4628	AnyDesk.exe
4628	AnyDesk.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1352	AnyDesk.exe
1352	AnyDesk.exe
1352	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid	Process
4628	AnyDesk.exe
4628	AnyDesk.exe
4628	AnyDesk.exe
1352	AnyDesk.exe
1352	AnyDesk.exe
1352	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exemsedge.exe

description	pid	Process	procid_target
PID 1868 wrote to memory of 4052	1868	AnyDesk.exe	81
PID 1868 wrote to memory of 4052	1868	AnyDesk.exe	81
PID 1868 wrote to memory of 4052	1868	AnyDesk.exe	81
PID 1868 wrote to memory of 4628	1868	AnyDesk.exe	82
PID 1868 wrote to memory of 4628	1868	AnyDesk.exe	82
PID 1868 wrote to memory of 4628	1868	AnyDesk.exe	82
PID 1868 wrote to memory of 1248	1868	AnyDesk.exe	90
PID 1868 wrote to memory of 1248	1868	AnyDesk.exe	90
PID 1248 wrote to memory of 3504	1248	msedge.exe	92
PID 1248 wrote to memory of 3504	1248	msedge.exe	92
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 5016	1248	msedge.exe	96
PID 1248 wrote to memory of 4924	1248	msedge.exe	97
PID 1248 wrote to memory of 4924	1248	msedge.exe	97
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99
PID 1248 wrote to memory of 4744	1248	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://help.anydesk.com/en/error-messages?utm_medium=app&utm_source=adwin
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbbd1a46f8,0x7ffbbd1a4708,0x7ffbbd1a4718
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,6501035707433284642,13337763445919662270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5248 /prefetch:8
    3⤵
    PID:884
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:3148
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    - Modifies system certificate store
    PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:460
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f107e7cd-cada-1a4e-9d04-24b1185057c6}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4924
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{adc043f5-c65c-644f-84a6-ef2c81c3e2d2} Global\{fdd3d30f-b4d8-6b40-94e0-ad2728a18d73} C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriver.cat
    3⤵
    PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
8d81a22d953bf8b842c8aa194bd7d994

SHA1
49986b0f83aab51c4c360d6c36b688d7ec0110cf

SHA256
bbd9e1b87cff49377290d481b0e65c4b5ea515d4a045ec5ab8396988bb05f8a2

SHA512
1289c5c6b8c99e19192ec8239712a02b597692caa15ccaed60d4fd7dce7d57143679c76eaf8b4c24e90a358b70cb66aa01ff829339f280a3dc0be8b0b839cca3

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
8d81a22d953bf8b842c8aa194bd7d994

SHA1
49986b0f83aab51c4c360d6c36b688d7ec0110cf

SHA256
bbd9e1b87cff49377290d481b0e65c4b5ea515d4a045ec5ab8396988bb05f8a2

SHA512
1289c5c6b8c99e19192ec8239712a02b597692caa15ccaed60d4fd7dce7d57143679c76eaf8b4c24e90a358b70cb66aa01ff829339f280a3dc0be8b0b839cca3

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
50315f59df2c6747a6de0bf161e77d1a

SHA1
d61218e5e7b4a9f27f9a06dd8fc75c23d497d652

SHA256
0d2695c6bfcfbfb224a6a8a5b0b2e42d3cd3578f7d09dda1a6a59fa5b19acde6

SHA512
526416da0772b3fef1dd7f96182caa1862670d36911c17cb3a24073c5aca294828a894acd8c0a2457f6d535848783ed2cbfadd6a85803e537ebb095379cd0ec9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
122dbd81393b06e317afd9da2fb73eac

SHA1
f73f68b59aff37b5a1f29267d8b74eeaa8a757f4

SHA256
8a6c05c6a7bc63c3f8ff8f456e28fef7dbcd2aac00b7746a81bf3eac3554fe0e

SHA512
8ae3b7df90d04b31e55dbcc6b7dcba943b9e63166ee35a06f9258b32229e799a2332f15bc8e88b3729e56871c0ef73e3ba8af0f2d54dd969d7f4cc34e122a3c0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
122dbd81393b06e317afd9da2fb73eac

SHA1
f73f68b59aff37b5a1f29267d8b74eeaa8a757f4

SHA256
8a6c05c6a7bc63c3f8ff8f456e28fef7dbcd2aac00b7746a81bf3eac3554fe0e

SHA512
8ae3b7df90d04b31e55dbcc6b7dcba943b9e63166ee35a06f9258b32229e799a2332f15bc8e88b3729e56871c0ef73e3ba8af0f2d54dd969d7f4cc34e122a3c0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
122dbd81393b06e317afd9da2fb73eac

SHA1
f73f68b59aff37b5a1f29267d8b74eeaa8a757f4

SHA256
8a6c05c6a7bc63c3f8ff8f456e28fef7dbcd2aac00b7746a81bf3eac3554fe0e

SHA512
8ae3b7df90d04b31e55dbcc6b7dcba943b9e63166ee35a06f9258b32229e799a2332f15bc8e88b3729e56871c0ef73e3ba8af0f2d54dd969d7f4cc34e122a3c0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
50315f59df2c6747a6de0bf161e77d1a

SHA1
d61218e5e7b4a9f27f9a06dd8fc75c23d497d652

SHA256
0d2695c6bfcfbfb224a6a8a5b0b2e42d3cd3578f7d09dda1a6a59fa5b19acde6

SHA512
526416da0772b3fef1dd7f96182caa1862670d36911c17cb3a24073c5aca294828a894acd8c0a2457f6d535848783ed2cbfadd6a85803e537ebb095379cd0ec9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
122dbd81393b06e317afd9da2fb73eac

SHA1
f73f68b59aff37b5a1f29267d8b74eeaa8a757f4

SHA256
8a6c05c6a7bc63c3f8ff8f456e28fef7dbcd2aac00b7746a81bf3eac3554fe0e

SHA512
8ae3b7df90d04b31e55dbcc6b7dcba943b9e63166ee35a06f9258b32229e799a2332f15bc8e88b3729e56871c0ef73e3ba8af0f2d54dd969d7f4cc34e122a3c0

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
50315f59df2c6747a6de0bf161e77d1a

SHA1
d61218e5e7b4a9f27f9a06dd8fc75c23d497d652

SHA256
0d2695c6bfcfbfb224a6a8a5b0b2e42d3cd3578f7d09dda1a6a59fa5b19acde6

SHA512
526416da0772b3fef1dd7f96182caa1862670d36911c17cb3a24073c5aca294828a894acd8c0a2457f6d535848783ed2cbfadd6a85803e537ebb095379cd0ec9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
122dbd81393b06e317afd9da2fb73eac

SHA1
f73f68b59aff37b5a1f29267d8b74eeaa8a757f4

SHA256
8a6c05c6a7bc63c3f8ff8f456e28fef7dbcd2aac00b7746a81bf3eac3554fe0e

SHA512
8ae3b7df90d04b31e55dbcc6b7dcba943b9e63166ee35a06f9258b32229e799a2332f15bc8e88b3729e56871c0ef73e3ba8af0f2d54dd969d7f4cc34e122a3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F107E~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F107E~1\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F107E~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F107E~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F107E~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f107e7cd-cada-1a4e-9d04-24b1185057c6}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
18da32ed8fc159188236baaf2605253c

SHA1
07328b66ee582538514340ad74b4f9c342c5476c

SHA256
7f58b95b4e07c509976915baf144524496a6905511c9c26b5383cbb016e251d4

SHA512
f473128e068b34c46c6217b1b23f958bf8d4ddfb798040dd0845e5a4656c7a5ad968c640bec8305e18f0e70b9aeb4184f804f0e8d6c927d74a2c1d246e57cca9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
18KB

MD5
18edbbcc191cd8ecdc5375500c7e5c13

SHA1
79fb55af44c1871e1e465470aa61f43fc78efa6b

SHA256
f84fc480d8b2df411666a4964691d9be23b2d9f5fe70adf26c5f9126bf6d51eb

SHA512
3cfc332adcc7743d8cae3d180975790fe42ec38143416dab4b7520bc20a98c79d6d68783aec86c2e52eb794dfd6f28c3f8a6a1a61a2028e2b8fcf5a37a01cc37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
26KB

MD5
b1eaf82e038fd0b826183cec72bddbc8

SHA1
8905da4d7e209d7174819da249f3838cd87418b9

SHA256
739e87ff5fcf76da81f39ba8b533f0eedbd8763d465e2cb6500f9917da766e8f

SHA512
fde9caba59f36727b2ca840b14252fd91c973f15cf0c226b0b98c43d299323ee4efdf35af4a027359e840a95f68b2535c97b7bb688f49a9731c110de0b588d94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
32KB

MD5
90268d8983c6fd259776d5fbcb84b391

SHA1
2bc6ae84a2150a071038eb3494d4da620b3cca12

SHA256
5db0e4bf61b93558c8b3ce64446fa18644325ceedfdca8cdf6fb2e2ebe23d5c1

SHA512
ccdf53f8c542eaa73469a28420f57c202bc8ab27a79284690403417c7aaa3f49fdce425d048f0129e852b4ffb3fbe064867ae7be039a004052a363ac1067a181

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
35KB

MD5
e2942c1fd95bb00f972b0c682d3cc437

SHA1
ee669f094fb03abf154c521ccc62919d13200ddf

SHA256
e01f3f3195e7542d863b829176387bdf579e5c5cedaa54670a921adf5bfe81ba

SHA512
f5c8370f3a1694da309476a144ac2f88f6b654b456b8e5ddf02716e93d97d4912b236ede0cc58e20fd8b6012893e7a62434acbf6661f4813647a178759c670cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8d81a22d953bf8b842c8aa194bd7d994

SHA1
49986b0f83aab51c4c360d6c36b688d7ec0110cf

SHA256
bbd9e1b87cff49377290d481b0e65c4b5ea515d4a045ec5ab8396988bb05f8a2

SHA512
1289c5c6b8c99e19192ec8239712a02b597692caa15ccaed60d4fd7dce7d57143679c76eaf8b4c24e90a358b70cb66aa01ff829339f280a3dc0be8b0b839cca3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4caafe7d1a1bc6cd1b571be67239cd9c

SHA1
cd2938da3ef4dc6df6d6fe3bcbc2d1baa916171e

SHA256
2c98e06251af3437aef09ce33cd6b4ab64fcb3c9a4115d17542f069366dacbdd

SHA512
efd6dfb357775c9849095f513169907c747c23d3ccc5babb71de5e0e43dd4c4a636110d1f47e3fafd9b3f640c63016544620dbf4f94f94ec744662da0f343428

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4caafe7d1a1bc6cd1b571be67239cd9c

SHA1
cd2938da3ef4dc6df6d6fe3bcbc2d1baa916171e

SHA256
2c98e06251af3437aef09ce33cd6b4ab64fcb3c9a4115d17542f069366dacbdd

SHA512
efd6dfb357775c9849095f513169907c747c23d3ccc5babb71de5e0e43dd4c4a636110d1f47e3fafd9b3f640c63016544620dbf4f94f94ec744662da0f343428

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7e9ae305682762a2f2bef1f1d1b6d0f6

SHA1
30fb97827d95b68049a5d685b002504b4d8627b6

SHA256
90613606e9b9cdfa4d6781e4224f90acfff25bd5cc5b2e6ca1e44eb2799c8be4

SHA512
743f200eb91197b4e7e2d90fabf0a2e8837bb7bedca57a4d90d77b469675a16e783d87909f2ce1e72a6673ee55df5dd311f0a0d0ccfa75ce2dc49deb96a360a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4caafe7d1a1bc6cd1b571be67239cd9c

SHA1
cd2938da3ef4dc6df6d6fe3bcbc2d1baa916171e

SHA256
2c98e06251af3437aef09ce33cd6b4ab64fcb3c9a4115d17542f069366dacbdd

SHA512
efd6dfb357775c9849095f513169907c747c23d3ccc5babb71de5e0e43dd4c4a636110d1f47e3fafd9b3f640c63016544620dbf4f94f94ec744662da0f343428

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4caafe7d1a1bc6cd1b571be67239cd9c

SHA1
cd2938da3ef4dc6df6d6fe3bcbc2d1baa916171e

SHA256
2c98e06251af3437aef09ce33cd6b4ab64fcb3c9a4115d17542f069366dacbdd

SHA512
efd6dfb357775c9849095f513169907c747c23d3ccc5babb71de5e0e43dd4c4a636110d1f47e3fafd9b3f640c63016544620dbf4f94f94ec744662da0f343428

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7e9ae305682762a2f2bef1f1d1b6d0f6

SHA1
30fb97827d95b68049a5d685b002504b4d8627b6

SHA256
90613606e9b9cdfa4d6781e4224f90acfff25bd5cc5b2e6ca1e44eb2799c8be4

SHA512
743f200eb91197b4e7e2d90fabf0a2e8837bb7bedca57a4d90d77b469675a16e783d87909f2ce1e72a6673ee55df5dd311f0a0d0ccfa75ce2dc49deb96a360a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7e9ae305682762a2f2bef1f1d1b6d0f6

SHA1
30fb97827d95b68049a5d685b002504b4d8627b6

SHA256
90613606e9b9cdfa4d6781e4224f90acfff25bd5cc5b2e6ca1e44eb2799c8be4

SHA512
743f200eb91197b4e7e2d90fabf0a2e8837bb7bedca57a4d90d77b469675a16e783d87909f2ce1e72a6673ee55df5dd311f0a0d0ccfa75ce2dc49deb96a360a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6978fcf0d2bde1296b46c754da1e8051

SHA1
fd74a716392f0d315c5c419400a964e9e295473f

SHA256
4663b58b34cf456e0b04ee6e728a8e75d63620696a91f9d30a27d4f1acaddd2d

SHA512
b3df9a1db367be64e80c6ca3684a12c9ecf6db52f054288fd104fad8678495f5c706c12f5508acb53fff98a1ed7d2fda9c724e4ea6c1342ab5774911767429ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70ce921001937af352dc2e5dd5044b5e

SHA1
c1c045eff901581691dead81149554fa508816ba

SHA256
5fdd1e1fbb303eac61e0c3d54588d0c74501f25fd349f4d8fc4f2a0f8edf2763

SHA512
1feb0440a6ba62c0d2b8504fb565cddb841f69b445b56b944993f58f701efd9b93f86d822bb5952406c54f777128ef7b0dda51cef3389883b6db27dcf73c765e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70ce921001937af352dc2e5dd5044b5e

SHA1
c1c045eff901581691dead81149554fa508816ba

SHA256
5fdd1e1fbb303eac61e0c3d54588d0c74501f25fd349f4d8fc4f2a0f8edf2763

SHA512
1feb0440a6ba62c0d2b8504fb565cddb841f69b445b56b944993f58f701efd9b93f86d822bb5952406c54f777128ef7b0dda51cef3389883b6db27dcf73c765e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70ce921001937af352dc2e5dd5044b5e

SHA1
c1c045eff901581691dead81149554fa508816ba

SHA256
5fdd1e1fbb303eac61e0c3d54588d0c74501f25fd349f4d8fc4f2a0f8edf2763

SHA512
1feb0440a6ba62c0d2b8504fb565cddb841f69b445b56b944993f58f701efd9b93f86d822bb5952406c54f777128ef7b0dda51cef3389883b6db27dcf73c765e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3daf6693c96808bbcac0ac902ddf54a0

SHA1
7910bb512dbac87c1dc7e0eefb78a4bd98384aec

SHA256
a6a54453340893def3a79885ab11d68db36a97e34b5b1715a8d96d755518e775

SHA512
70410b77c3c20313bbe9f9bcaee44bb07056d341ad27fc49a24d811da8648670decfc1461fe5e22cb3b2aa353f209a8b9d9c6539ea8cf707355f4368695b2034

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cd2c2190d9a1765df99404c94c48e52b

SHA1
739bfd4267c9fdbfd30108c990505f07f482ed12

SHA256
1144f8c438150dea5e5087e02ebdfb90c088d964782ad9690d12355a65e48101

SHA512
eea6af0f802f8d45cf40ca39d82f9a33d0bdfbd35c79f3d94abc08476e34bd3f4070048fbd2efacfd37dec4e756a893e6cd600ae0a05f47042e3915c0e61e483

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab005a68ade8badde188f61610b3d380

SHA1
c9191a25f90ad981c56bd489fc47783b519d9e55

SHA256
a34cafd78ffecb12b42debc9590f5ae311ef909d39f59acfb85e16b1e07ad685

SHA512
fb7be93691f1d308f8741823992f8b565b101ebf5aace5031ed55e5cbd9880e4e064b0ce94e80a6a14783611d2842d12c3c197b08edf17491bae69bcb61b34f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab005a68ade8badde188f61610b3d380

SHA1
c9191a25f90ad981c56bd489fc47783b519d9e55

SHA256
a34cafd78ffecb12b42debc9590f5ae311ef909d39f59acfb85e16b1e07ad685

SHA512
fb7be93691f1d308f8741823992f8b565b101ebf5aace5031ed55e5cbd9880e4e064b0ce94e80a6a14783611d2842d12c3c197b08edf17491bae69bcb61b34f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab005a68ade8badde188f61610b3d380

SHA1
c9191a25f90ad981c56bd489fc47783b519d9e55

SHA256
a34cafd78ffecb12b42debc9590f5ae311ef909d39f59acfb85e16b1e07ad685

SHA512
fb7be93691f1d308f8741823992f8b565b101ebf5aace5031ed55e5cbd9880e4e064b0ce94e80a6a14783611d2842d12c3c197b08edf17491bae69bcb61b34f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab005a68ade8badde188f61610b3d380

SHA1
c9191a25f90ad981c56bd489fc47783b519d9e55

SHA256
a34cafd78ffecb12b42debc9590f5ae311ef909d39f59acfb85e16b1e07ad685

SHA512
fb7be93691f1d308f8741823992f8b565b101ebf5aace5031ed55e5cbd9880e4e064b0ce94e80a6a14783611d2842d12c3c197b08edf17491bae69bcb61b34f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab005a68ade8badde188f61610b3d380

SHA1
c9191a25f90ad981c56bd489fc47783b519d9e55

SHA256
a34cafd78ffecb12b42debc9590f5ae311ef909d39f59acfb85e16b1e07ad685

SHA512
fb7be93691f1d308f8741823992f8b565b101ebf5aace5031ed55e5cbd9880e4e064b0ce94e80a6a14783611d2842d12c3c197b08edf17491bae69bcb61b34f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf6f78d208399d338cf0079a27519b41

SHA1
ffa9fb2ae1d22097d1a5f55e0ba0fa27e84a6a50

SHA256
cfe3a0a843583b6638717706d581d2a0e0ec1c4c3a09c73dc352dbb157f1e5f6

SHA512
5edcfd04a43c4569df10f0a0652e2262d3da39f4744d3b68b3c620aba035dae23a1dd7580f181afcca468efa1216f559b83537ecfd1953122c08bb47f159674d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf6f78d208399d338cf0079a27519b41

SHA1
ffa9fb2ae1d22097d1a5f55e0ba0fa27e84a6a50

SHA256
cfe3a0a843583b6638717706d581d2a0e0ec1c4c3a09c73dc352dbb157f1e5f6

SHA512
5edcfd04a43c4569df10f0a0652e2262d3da39f4744d3b68b3c620aba035dae23a1dd7580f181afcca468efa1216f559b83537ecfd1953122c08bb47f159674d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
c3a53b65cf03d3f36c66c7663a48207e

SHA1
4d2974869ed3c9c3f2a175bd01972a26b5142b69

SHA256
6dc32622793e3874fbdf8267329cd18fd2b83e74ba693bf3a37f164a7d8068ff

SHA512
0a2d5bc8c965f0f056c522cdf1aaa2bfbfb6af055e0aa562865dcb513b2fd334014238e5c1a01060725dca48a00f72de32119c76334c3821069f621922fb3d0b

Download Submit
C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Windows\System32\DriverStore\Temp\{70884aa0-db0b-7a41-84ce-b9eb84edde37}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
\??\pipe\LOCAL\crashpad_1248_ROSEZGPUANVDPOGJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/884-173-0x0000000000000000-mapping.dmp

Download
memory/1248-159-0x0000000000000000-mapping.dmp

Download
memory/1352-205-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/1352-237-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/1352-194-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/1776-168-0x0000000000000000-mapping.dmp

Download
memory/1868-134-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/1868-156-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/1868-180-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/1868-132-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/2092-171-0x0000000000000000-mapping.dmp

Download
memory/2308-193-0x0000000000000000-mapping.dmp

Download
memory/2812-235-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2812-185-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/2812-184-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/3148-191-0x0000000000000000-mapping.dmp

Download
memory/3504-160-0x0000000000000000-mapping.dmp

Download
memory/3868-220-0x0000000000000000-mapping.dmp

Download
memory/4052-181-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4052-142-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4052-135-0x0000000000000000-mapping.dmp

Download
memory/4052-157-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4052-137-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4628-158-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4628-138-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4628-145-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4628-136-0x0000000000000000-mapping.dmp

Download
memory/4744-166-0x0000000000000000-mapping.dmp

Download
memory/4752-179-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4752-175-0x0000000000000000-mapping.dmp

Download
memory/4752-176-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4752-199-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/4784-230-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4784-209-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4784-238-0x0000000000E30000-0x0000000001EAE000-memory.dmp

Filesize
16.5MB

Download
memory/4924-163-0x0000000000000000-mapping.dmp

Download
memory/4924-208-0x0000000000000000-mapping.dmp

Download
memory/5016-162-0x0000000000000000-mapping.dmp

Download