fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03/04/2023, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 3 IoCs

pid	Process
1792	AnyDesk.exe
4612	AnyDesk.exe
5020	AnyDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97FC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97FB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET980F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97EA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97EA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97FB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\SET97FC.tmp	DrvInst.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = c7407ea65a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 1073a12b7866d901	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{7FD957BE-A55F-4A68-8A45-3D2190403C37}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\anydesk.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = b65a191d7866d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\AA549154B737EF29C = 030000000100000014000000aa549154b737ef29c55000081fdf1f8b3ebb40910400000001000000100000001e9b655c2563f0f8b7cf2fa979f89a920f00000001000000200000001c169fb8bea23cbb597a7d0330f5f2c6fb82969934da9d676058363ca94854c614000000010000001400000039c8e33fb6d4c223863e8a9838ee2fcbbe567a13190000000100000010000000baa9030082855b9e52cb543799fa36f35c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e7050000308205e3308203cba003020102021333000001d92cb2c0c2c9e054b40000000001d9300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3232303630373138323634325a170d3233303930373138323634325a3081a5310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3123302106092a864886f70d0109011614777362657870406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d345fb3624263a3b1856614f76c90c184e75fc1ab123f51b38c31a32311a70bbec8667c0831a74b00255149eac86eb0b2e4bc21010346a0bfaed29bbba29ab5e69a8b707f955c12eeb575a70cfeccd7ca8de3de7c883dd7bb79e85c8062128750eba60d9bcb6e0a21a4e97deef8cdff249e7d7ed312b8ed769c00c80629fc31ffe942f792d67b8e360f084858065ca7c0114a231072d7380b9ee828b1e717bc81938d5c58b75f12f457d4320f90a11d1d326e0b24c69dcbb185054bf8ab0c136f8f38264911aca2edaa93754a9685eb0878b62800020838f656e4d7d3aa53a0cc07d76cfbc7d77f570346cd2bba3836d24428c2723dd6e39afd107c0f7889bdd0203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e0416041439c8e33fb6d4c223863e8a9838ee2fcbbe567a13301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c36cdc2a65c64372b6118a63a5c7ed1ecfa5b939531465ca9af136bd76d942a74ad37481be984496cd20deca7b469dc4f2e439db9e2e0eafd2b4dcab7c7b0d131a98a88e9c34787d209fe84fd1bf1031c31a63a794d8448654d9f6e1267ca9513f6d9bb17be844f225a15133665568503b50bdd2b74e1199b3afbb822dc3d9b07147f374427991b7d04234dfb77c7b4518a554b65b69b318ff2be7e541762de2726789d01f2f866523861aea19ff8ccbfaafc7d78fc242aca7f74d6ba335b4c3d7c7b5b1f5b8dbb6b3104f24dbb8f95b39ecfbdc1a4469ab254263371e8f231c32c68c574290c81c388c3148200344d9b9b3fa8bb6394ac2536f66803302873f3f857bbdbe279d9bf7d2df3422c9bf927ef7b8eb92e872fdfac7cd1fd185847555b4239740734d043b167098ede21a83d5b35431fbd4768905a474218801cf320084043f608133bc8c26752c6b15210859dad17f3cdb1f8546c8cde2b5ccb6634681aaf88339eeab1ad92b8e4babf96333a99e6ff7ada19433913a8101d63b36fcccade21ec6a41cdb44d3abad7c4065368e51eb46b5c237c37bbf04c89871e2e0da20d2e569eaf67b19787ed46c2038faf181bd00cd1d5ff1fee0ad70b457528415fce74f37c22e3bfb1b17d57e59200625989090a2bb1e3b238cb348768a98126537198be58282f64856420280d5858fc0575182dbc6d1fb4f7611b339babc	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000dbb260a533b217d815d0cad93c2299c20b2827cc9722827a000f9289c4b56f5c827d5eb838f2ea680d306b04e5a28bfb58c755036ae569011ae714f4e9ccc4965f59ee2f40ff8bcbf32816cba2248fcf1ba9d6fae4f31a48e24c	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\anydesk.com\NumberOfSubdo = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\support.anydesk.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "386721502"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = c7407ea65a45d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4144	AnyDesk.exe
4144	AnyDesk.exe
4256	AnyDesk.exe
4256	AnyDesk.exe
2112	AnyDesk.exe
2112	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1888	AnyDesk.exe
1792	AnyDesk.exe
1792	AnyDesk.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	MicrosoftEdge.exe
Token: SeDebugPrivilege	1228	MicrosoftEdge.exe
Token: SeDebugPrivilege	1228	MicrosoftEdge.exe
Token: SeDebugPrivilege	1228	MicrosoftEdge.exe
Token: SeDebugPrivilege	1376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4452	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4452	MicrosoftEdgeCP.exe
Token: SeAuditPrivilege	4932	svchost.exe
Token: SeSecurityPrivilege	4932	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2112	AnyDesk.exe
2112	AnyDesk.exe
2112	AnyDesk.exe
4612	AnyDesk.exe
4612	AnyDesk.exe
4612	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2112	AnyDesk.exe
2112	AnyDesk.exe
2112	AnyDesk.exe
4612	AnyDesk.exe
4612	AnyDesk.exe
4612	AnyDesk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1228	MicrosoftEdge.exe
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4144	4256	AnyDesk.exe	66
PID 4256 wrote to memory of 4144	4256	AnyDesk.exe	66
PID 4256 wrote to memory of 4144	4256	AnyDesk.exe	66
PID 4256 wrote to memory of 2112	4256	AnyDesk.exe	67
PID 4256 wrote to memory of 2112	4256	AnyDesk.exe	67
PID 4256 wrote to memory of 2112	4256	AnyDesk.exe	67
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4496 wrote to memory of 1376	4496	MicrosoftEdgeCP.exe	73
PID 4256 wrote to memory of 1888	4256	AnyDesk.exe	80
PID 4256 wrote to memory of 1888	4256	AnyDesk.exe	80
PID 4256 wrote to memory of 1888	4256	AnyDesk.exe	80
PID 1888 wrote to memory of 5064	1888	AnyDesk.exe	85
PID 1888 wrote to memory of 5064	1888	AnyDesk.exe	85
PID 1888 wrote to memory of 5064	1888	AnyDesk.exe	85
PID 1888 wrote to memory of 5060	1888	AnyDesk.exe	87
PID 1888 wrote to memory of 5060	1888	AnyDesk.exe	87
PID 1888 wrote to memory of 5060	1888	AnyDesk.exe	87
PID 4932 wrote to memory of 408	4932	svchost.exe	90
PID 4932 wrote to memory of 408	4932	svchost.exe	90
PID 408 wrote to memory of 1972	408	DrvInst.exe	91
PID 408 wrote to memory of 1972	408	DrvInst.exe	91

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:5064
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    - Modifies system certificate store
    PID:5060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4592

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4612

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5020

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{ebf31ecc-489c-9b45-b25c-5300232b97d3} Global\{5ec600cd-1b8b-114d-97f0-5531b70f2452} C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriver.cat
    3⤵
    PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.8MB

MD5
e546506082b374a0869bdd97b313fe5d

SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc

SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
f46ef115992c6dc9574d2ee68da5d758

SHA1
0ea7879d60b2229c82aab0d97a350d88c2e0cf86

SHA256
e7f06fec0a402f2250ba86803fb6b07268f1218a6c83411356e9b966caf7ace9

SHA512
3592549f23d7aea6a836422c5177888f8eff27c3c3991b52ad9df86a07cdb79570dc931e7f6064fb36ce2969782931fc52c2ccb673e509fe6b98c67e5f2b79b3

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
f46ef115992c6dc9574d2ee68da5d758

SHA1
0ea7879d60b2229c82aab0d97a350d88c2e0cf86

SHA256
e7f06fec0a402f2250ba86803fb6b07268f1218a6c83411356e9b966caf7ace9

SHA512
3592549f23d7aea6a836422c5177888f8eff27c3c3991b52ad9df86a07cdb79570dc931e7f6064fb36ce2969782931fc52c2ccb673e509fe6b98c67e5f2b79b3

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
f1fc6ab8364ffa452818b0eb7dd22e0a

SHA1
2bc8a36319792723d6c23cb9a8ff26e96fd19c38

SHA256
4caeccfab4aba3fd4999aa6dadf88c6d0cab61cede4b8d3b6d2be3611044e9e2

SHA512
13c1e6f1773cdeeb9139da7267de7b6ab36a08d8bc4cf261f530327d4e72d079ea663c37219c1acf48cd4876aeef17d3d2ed364ecd48d4aec4ca2078b07c8d2b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
f1fc6ab8364ffa452818b0eb7dd22e0a

SHA1
2bc8a36319792723d6c23cb9a8ff26e96fd19c38

SHA256
4caeccfab4aba3fd4999aa6dadf88c6d0cab61cede4b8d3b6d2be3611044e9e2

SHA512
13c1e6f1773cdeeb9139da7267de7b6ab36a08d8bc4cf261f530327d4e72d079ea663c37219c1acf48cd4876aeef17d3d2ed364ecd48d4aec4ca2078b07c8d2b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
e5b7a879748709e5db7b65604cf2219b

SHA1
0c3a333170f1de2a632259279c1341bac96cf055

SHA256
a57d216164b30f85149fc00d46affa6db8d62d2c0d1756955f61519ef341ff2f

SHA512
d94c755a9d1bd20deb99871dd9e038fffbc545f947f4337040f19861537d629d192a491b83cced37e186f7672822fb9f50abee66956446e2135701ca541c8a94

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
f1fc6ab8364ffa452818b0eb7dd22e0a

SHA1
2bc8a36319792723d6c23cb9a8ff26e96fd19c38

SHA256
4caeccfab4aba3fd4999aa6dadf88c6d0cab61cede4b8d3b6d2be3611044e9e2

SHA512
13c1e6f1773cdeeb9139da7267de7b6ab36a08d8bc4cf261f530327d4e72d079ea663c37219c1acf48cd4876aeef17d3d2ed364ecd48d4aec4ca2078b07c8d2b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
f1fc6ab8364ffa452818b0eb7dd22e0a

SHA1
2bc8a36319792723d6c23cb9a8ff26e96fd19c38

SHA256
4caeccfab4aba3fd4999aa6dadf88c6d0cab61cede4b8d3b6d2be3611044e9e2

SHA512
13c1e6f1773cdeeb9139da7267de7b6ab36a08d8bc4cf261f530327d4e72d079ea663c37219c1acf48cd4876aeef17d3d2ed364ecd48d4aec4ca2078b07c8d2b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
f1fc6ab8364ffa452818b0eb7dd22e0a

SHA1
2bc8a36319792723d6c23cb9a8ff26e96fd19c38

SHA256
4caeccfab4aba3fd4999aa6dadf88c6d0cab61cede4b8d3b6d2be3611044e9e2

SHA512
13c1e6f1773cdeeb9139da7267de7b6ab36a08d8bc4cf261f530327d4e72d079ea663c37219c1acf48cd4876aeef17d3d2ed364ecd48d4aec4ca2078b07c8d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RIZDY293\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8I227ZIL\js[1].js

Filesize
131KB

MD5
0e47440a17cd7f8f7499d707262235c8

SHA1
4c2fe5d5d0238b6d85356cd7480bca1318ed6538

SHA256
16df6184b2f74ff6a3b4e5584441107fadf1f308859473045f756341d63b50c7

SHA512
6e0bf0e98e0470040d46deb34e3a60c95f22aff848851240a67303651cf67b7179970d2e500fa5f4cb19873f4741d27569af63d42ab4e73cdfa440f22259ab11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\GTQBLYXV\7940397[2].js

Filesize
1KB

MD5
f6e38cde8a5c5aaf7d5a46bd38be8e91

SHA1
08df66e74dcaa45b2f5f072e0e20851a5d7bd596

SHA256
9831f82424eb5e2ea2ac7c92a05f267bc63f7b6cd25c374fb89c9b0b49bd070d

SHA512
c1bbdb4619c20fc77eb48c39911865f3a79a0d91164ed4c4708a97db89536adccdc32ac46bd902814388553a59cb3d582091a4a069a12378144c737494dcb9a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ6NQ95C\analytics[1].js

Filesize
49KB

MD5
54e51056211dda674100cc5b323a58ad

SHA1
26dc5034cb6c7f3bbe061edd37c7fc6006cb835b

SHA256
5971b095cff574a66d35ada016d4c077c86e2dea62e9c0f14cf7c94b258619de

SHA512
e305d190287c28ca0cc2e45b909a304194175bb08351ad3f22825b1d632b1a217fb4b90dfd395637932307a8e0cc01da2f47831fa4eda91a18e49efe6685b74b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6VFXJ94K\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WAWCO1W9\favicon[1].ico

Filesize
14KB

MD5
6d32924222a9e32b59faa727125f596a

SHA1
1785a0b1b473d28ce97e018810aee6d551db1744

SHA256
1baee4b9ea0dbd5e19c64995e56b52338f7403076ff98d665f0e0dbaebb95e87

SHA512
1a50147db96cc4d11560a27b2f515137a6eebdccce06a9fe2965a92e6735e821c154dde4ba13ca82d59bbede871bcb5c1d6c6f47a124dc26544724a2dbf9fe10

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A44C~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A44C~1\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A44C~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A44C~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A44C~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9635.tmp

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9646.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9666.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9667.tmp

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9668.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\SET9669.tmp

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2a44c920-1cd3-aa47-b8df-f21a6c36fb2f}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
92e92c76d44f7403cb493754f72b1ddb

SHA1
82f9cf2f02a0d51e4ecfb974b2d9ff5ea9d6c040

SHA256
6e84cfad621b05d8543471142328300e0b44141e874ff6b57603bcde2f31e124

SHA512
313b1a2fcd60d07eb0b5a88171ccb1e4ca57e67cdebaf74e1306f5e2ad8703691fc3ad8f92850b43f8113e61589e9a309a010a4dfe60e88490bb63466aceae87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
2990413ae2537cbccc5b23eaf3aed376

SHA1
d5bf543593ae90067646f2b3e1759498b2849672

SHA256
494aadba7fd4bc3675417b00eef8e72e7e8ba2adcd837f110bfe924bf3d9cf68

SHA512
dbc06e0d7a933c3f15f7a5eb53610cac8f4e2ff0d012fc28114353681b80aec5dcc09b8b9aef3fc4dfce479e0fc5706458daee924a89eab649f37cb5e6e29f19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
31KB

MD5
7affc83d4c2bad9283d89990efe9164c

SHA1
b8f9f0e9399732812749bd474227476e2422c6b6

SHA256
4021223620cef33491f82616a530487fb5ada20c859482ffe72c576ca15b7eb9

SHA512
0c0093021118f484dc1f542d75db3e7ebc75ecac2805819e8d7237802e14ee470b7c6e61e2bb4a36e3d517c71fec31cc2ae5576ec63edfd16830d99de3c199ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
40KB

MD5
508f85ec5c3e035bdad0d39b663e1d90

SHA1
924023fb9f2c3c87910a81d02f5f1fb785740311

SHA256
a6fe13232057b23b74270acf1c18b873a04d509fe3d81c7af4133fcff41c98d7

SHA512
0ec8a5295913301c370791322ea3accb7891af3b39f012c014f0c22342364da87eebc44fdc0f40137165bb5c68cae6105109d86789eae2de2645d6b276dbb8e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
43KB

MD5
85e0426b61b5c2c0d58756178f48b2e5

SHA1
2d4a7bde99a7445d983bc1b6a79da78f9e5b8d26

SHA256
2dd757c4c1a4f4f55308c5da193c994bfa0cf6fa803d0fe0afc64ad9bdb55e00

SHA512
f37dc88eb84a45ffb107cde26be19e48c4ac4903adc4114aa9ae60b1b19f15425b1d812a01375331ac3ab792ebc006bba4581ca8347766499d0ef4166f26fa81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f46ef115992c6dc9574d2ee68da5d758

SHA1
0ea7879d60b2229c82aab0d97a350d88c2e0cf86

SHA256
e7f06fec0a402f2250ba86803fb6b07268f1218a6c83411356e9b966caf7ace9

SHA512
3592549f23d7aea6a836422c5177888f8eff27c3c3991b52ad9df86a07cdb79570dc931e7f6064fb36ce2969782931fc52c2ccb673e509fe6b98c67e5f2b79b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f46ef115992c6dc9574d2ee68da5d758

SHA1
0ea7879d60b2229c82aab0d97a350d88c2e0cf86

SHA256
e7f06fec0a402f2250ba86803fb6b07268f1218a6c83411356e9b966caf7ace9

SHA512
3592549f23d7aea6a836422c5177888f8eff27c3c3991b52ad9df86a07cdb79570dc931e7f6064fb36ce2969782931fc52c2ccb673e509fe6b98c67e5f2b79b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f46ef115992c6dc9574d2ee68da5d758

SHA1
0ea7879d60b2229c82aab0d97a350d88c2e0cf86

SHA256
e7f06fec0a402f2250ba86803fb6b07268f1218a6c83411356e9b966caf7ace9

SHA512
3592549f23d7aea6a836422c5177888f8eff27c3c3991b52ad9df86a07cdb79570dc931e7f6064fb36ce2969782931fc52c2ccb673e509fe6b98c67e5f2b79b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
18cd9bb55e2755f62606f754eb7ed981

SHA1
256298b8b03a5f7935d71098cecff1dd45c420b9

SHA256
f7ba7b4664a8a67edc8a5deb74624a756345c5fd6eab12e5aa6b5360f906c419

SHA512
1487aeb218c5dfa1dc43bb2ecd88bfefa261c0f3815cbf8cea148877506d008f276156f92e1f803e6f950966f09b20ccf61072125895fa05bfdbef5565bd11de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
18cd9bb55e2755f62606f754eb7ed981

SHA1
256298b8b03a5f7935d71098cecff1dd45c420b9

SHA256
f7ba7b4664a8a67edc8a5deb74624a756345c5fd6eab12e5aa6b5360f906c419

SHA512
1487aeb218c5dfa1dc43bb2ecd88bfefa261c0f3815cbf8cea148877506d008f276156f92e1f803e6f950966f09b20ccf61072125895fa05bfdbef5565bd11de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
18cd9bb55e2755f62606f754eb7ed981

SHA1
256298b8b03a5f7935d71098cecff1dd45c420b9

SHA256
f7ba7b4664a8a67edc8a5deb74624a756345c5fd6eab12e5aa6b5360f906c419

SHA512
1487aeb218c5dfa1dc43bb2ecd88bfefa261c0f3815cbf8cea148877506d008f276156f92e1f803e6f950966f09b20ccf61072125895fa05bfdbef5565bd11de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
18cd9bb55e2755f62606f754eb7ed981

SHA1
256298b8b03a5f7935d71098cecff1dd45c420b9

SHA256
f7ba7b4664a8a67edc8a5deb74624a756345c5fd6eab12e5aa6b5360f906c419

SHA512
1487aeb218c5dfa1dc43bb2ecd88bfefa261c0f3815cbf8cea148877506d008f276156f92e1f803e6f950966f09b20ccf61072125895fa05bfdbef5565bd11de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
18cd9bb55e2755f62606f754eb7ed981

SHA1
256298b8b03a5f7935d71098cecff1dd45c420b9

SHA256
f7ba7b4664a8a67edc8a5deb74624a756345c5fd6eab12e5aa6b5360f906c419

SHA512
1487aeb218c5dfa1dc43bb2ecd88bfefa261c0f3815cbf8cea148877506d008f276156f92e1f803e6f950966f09b20ccf61072125895fa05bfdbef5565bd11de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89b5a87338566831919716bf8508892a

SHA1
3c121f734963622e0131ce5a2747ead061eafd29

SHA256
e230098d9bf4b338abc3352328f8b8c3a24e58a24de7cd0286a352fc8cff7518

SHA512
74d0e226bdfed0423fa76676510a9d2f354e6c24d5c7b2ae3182d9393a0e0ef52cac9de92f3df2d41163fb1010a48b911e2b11bb4a73e3b745ef57b8d270ca8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
354239021275bf57d0092ec81a248d86

SHA1
ec18cd9dca63e85f0b22909f2d7eb37f1a895545

SHA256
e8a4ddc58b272cc70a62644faf9231fcf89f8a292e772bf684d93e9d1801cd47

SHA512
d46f45a7b15441019dab5a135ae066a3307c37f358c5668551d59e85e4192e6410fc0d032820f1ac5be2c5ae7b6b376e03a869aec8e3e7d1b9f44fd8f8627a4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
354239021275bf57d0092ec81a248d86

SHA1
ec18cd9dca63e85f0b22909f2d7eb37f1a895545

SHA256
e8a4ddc58b272cc70a62644faf9231fcf89f8a292e772bf684d93e9d1801cd47

SHA512
d46f45a7b15441019dab5a135ae066a3307c37f358c5668551d59e85e4192e6410fc0d032820f1ac5be2c5ae7b6b376e03a869aec8e3e7d1b9f44fd8f8627a4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
354239021275bf57d0092ec81a248d86

SHA1
ec18cd9dca63e85f0b22909f2d7eb37f1a895545

SHA256
e8a4ddc58b272cc70a62644faf9231fcf89f8a292e772bf684d93e9d1801cd47

SHA512
d46f45a7b15441019dab5a135ae066a3307c37f358c5668551d59e85e4192e6410fc0d032820f1ac5be2c5ae7b6b376e03a869aec8e3e7d1b9f44fd8f8627a4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b444979e51eea9980386e792aba91f70

SHA1
a4d89000bf69f90ab5e923e7f6d6ecfad7a72e18

SHA256
a80fabdb9ca620a07f26e63110b5860808f891c17d1bb223c777e58eb81f14ca

SHA512
479f055682b8ba8d19ea58040d92405d34abb645e6c10b11ac7dbc7d19ea7fadd84d9acf453db826b9780708ae5cc2ab829d9c655fed56b1679e2b7e9b9c0f68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b444979e51eea9980386e792aba91f70

SHA1
a4d89000bf69f90ab5e923e7f6d6ecfad7a72e18

SHA256
a80fabdb9ca620a07f26e63110b5860808f891c17d1bb223c777e58eb81f14ca

SHA512
479f055682b8ba8d19ea58040d92405d34abb645e6c10b11ac7dbc7d19ea7fadd84d9acf453db826b9780708ae5cc2ab829d9c655fed56b1679e2b7e9b9c0f68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1012e1db9a97b9dab3f73ee8c169e48d

SHA1
98577be801f82c44ef3bb5fa5ad7799ba6482597

SHA256
340ccc60ab0dec775d38a6dcb9565314dc6814eda65ff538e7e9f96a4003dc7e

SHA512
e65b26a0f2f78beeae812766544737cf940fc692e3b7a650cbdd2abdde56eb80f4645c3fcd7828edba911467579746339a0d84bbb4f55c93b23d4411261c9d83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2a747315ab4805875233c70eb2499b0e

SHA1
1310c306869017df148fb21302429d3a74a54cad

SHA256
d148a379ab0b508881e3f0763c63586c6712e2a99f5f427d3f1ff607878f8f27

SHA512
b9eba72d094c3c33761d04207697f96b0b75a4ee39baee8c939ba45c8f3eae476c70f4b41e6e94fc73fa62be888d45d364fc172063644a8bcd3e041e7990d8a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2a747315ab4805875233c70eb2499b0e

SHA1
1310c306869017df148fb21302429d3a74a54cad

SHA256
d148a379ab0b508881e3f0763c63586c6712e2a99f5f427d3f1ff607878f8f27

SHA512
b9eba72d094c3c33761d04207697f96b0b75a4ee39baee8c939ba45c8f3eae476c70f4b41e6e94fc73fa62be888d45d364fc172063644a8bcd3e041e7990d8a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9587d3f774069a0d61d4c3a7c69ea55d

SHA1
e53a0e92e66d9afb72ba4b42fbd02d48e578488e

SHA256
e90d892eb519144a3e3ce84cc2f23707cd8317c6f95283689ba6da4555e900db

SHA512
f92ab7d7ee209829ecd132b4fad835ef84ad036a8aaec4b388a2ef33c744d2472d83b4f136a76df7af7e817f979938a684b87fe313adab233f017af4b449f32a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9587d3f774069a0d61d4c3a7c69ea55d

SHA1
e53a0e92e66d9afb72ba4b42fbd02d48e578488e

SHA256
e90d892eb519144a3e3ce84cc2f23707cd8317c6f95283689ba6da4555e900db

SHA512
f92ab7d7ee209829ecd132b4fad835ef84ad036a8aaec4b388a2ef33c744d2472d83b4f136a76df7af7e817f979938a684b87fe313adab233f017af4b449f32a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9587d3f774069a0d61d4c3a7c69ea55d

SHA1
e53a0e92e66d9afb72ba4b42fbd02d48e578488e

SHA256
e90d892eb519144a3e3ce84cc2f23707cd8317c6f95283689ba6da4555e900db

SHA512
f92ab7d7ee209829ecd132b4fad835ef84ad036a8aaec4b388a2ef33c744d2472d83b4f136a76df7af7e817f979938a684b87fe313adab233f017af4b449f32a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce26c97f6c69dcd71871adab95b66aef

SHA1
3e803830cafa5242edc8b3e01c7f19092c82eb4c

SHA256
d741bac7858a9ae9a358c3d111030d37194004aa7a1ce9e0507e5f522e1be8c5

SHA512
12943e52c466e954a90ce5124d7e7cd30e73e8a666f9f77e8d4c71f0c31d31f3d1adeb7a7adc7639acf21cdef6dd3732b178e0b1b02f27421875c35cac159187

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce26c97f6c69dcd71871adab95b66aef

SHA1
3e803830cafa5242edc8b3e01c7f19092c82eb4c

SHA256
d741bac7858a9ae9a358c3d111030d37194004aa7a1ce9e0507e5f522e1be8c5

SHA512
12943e52c466e954a90ce5124d7e7cd30e73e8a666f9f77e8d4c71f0c31d31f3d1adeb7a7adc7639acf21cdef6dd3732b178e0b1b02f27421875c35cac159187

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce26c97f6c69dcd71871adab95b66aef

SHA1
3e803830cafa5242edc8b3e01c7f19092c82eb4c

SHA256
d741bac7858a9ae9a358c3d111030d37194004aa7a1ce9e0507e5f522e1be8c5

SHA512
12943e52c466e954a90ce5124d7e7cd30e73e8a666f9f77e8d4c71f0c31d31f3d1adeb7a7adc7639acf21cdef6dd3732b178e0b1b02f27421875c35cac159187

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce26c97f6c69dcd71871adab95b66aef

SHA1
3e803830cafa5242edc8b3e01c7f19092c82eb4c

SHA256
d741bac7858a9ae9a358c3d111030d37194004aa7a1ce9e0507e5f522e1be8c5

SHA512
12943e52c466e954a90ce5124d7e7cd30e73e8a666f9f77e8d4c71f0c31d31f3d1adeb7a7adc7639acf21cdef6dd3732b178e0b1b02f27421875c35cac159187

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
163ed6937490bb9152e46b920d7b8194

SHA1
a4eb28d0133bd00eb57c8b3abbf90bbc9464bd22

SHA256
6cea5cf780c70c420127f2d71a9b7b51aceea19d25fa331c1c5001e2ac40773e

SHA512
a6441311f081cb6c5712dad9c617f56965fb4a0e614dd35b517f878f62adeef22fe9be81a2a0ca8a8c7760a783b97bb9acd5a51b689159f56b8b3cf702a13c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6cc7595bbb099a89e4636d1002878429

SHA1
3e8ba265c035f531b8791d9f7363e744f279ad70

SHA256
b7880aa56946ef76fed445ec2d1b0b07552c2141c98bfe338d5d892845a9068c

SHA512
77c2639fcefa42ddb686301761d8865be642b340cf9519961c933e28676521e78ca8609e24efb20f4394e82d30a20e250058078e28c6b2be549ac3957ebf90ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c1d8ca561508cc72710e277ce2d3fa76

SHA1
32e52c155efc410986c04bf9521bcf7f8a68b243

SHA256
2a4883f149798806b488d60ec23da92ec6dc3a6cd9ec1a55dcb17cda7a325c5d

SHA512
af8d4c3ea4e5e79652ba61b3cd6eb7e784728980510c33a6b3e0a044390cd7b7661ca9b8959fb31587ca29be61875dfa65bf2df464955b0fd0078ec70b8cbda9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
0b8ecc67623d22ca8148e4541612cb7e

SHA1
def31aea93e54ab0d84680f13af80368718dcde5

SHA256
84d915c3ae41b28274351b37082f2ac2011dd52926fec018615233565ccc2379

SHA512
c241750977dd3b4e41a15be0d908785d0ac05a812cccd5b10ecd2fa8450932af611210f0691903174e1fc9d086cf10ac89c211159813171d9f38aa21827ff99e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
58069c914815522c36d7a005fad38133

SHA1
e4864a388e5222fdcc7072e4719eea13cf63eb8d

SHA256
683626ca240b600e584163f1085fb2c1e867acb617a9838fbcea2bc77ad12c47

SHA512
813a1b7117e82265746ec32000e31403ac04ebb8eb8e8ee88b8b8cc2b232d9172b0a8977145ce198bea7d8e1e319a8b4faac035bb6c645605ec06edf70dbf572

Download Submit
C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Windows\System32\DriverStore\Temp\{de78d6b7-4e6e-2a42-8923-0a11bed77fc5}\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver-manifest.ini

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
memory/1228-379-0x000001ADCF820000-0x000001ADCF830000-memory.dmp

Filesize
64KB

Download
memory/1228-418-0x000001ADCF9E0000-0x000001ADCF9E2000-memory.dmp

Filesize
8KB

Download
memory/1228-420-0x000001ADD4400000-0x000001ADD4402000-memory.dmp

Filesize
8KB

Download
memory/1228-416-0x000001ADCF9A0000-0x000001ADCF9A1000-memory.dmp

Filesize
4KB

Download
memory/1228-421-0x000001ADD4460000-0x000001ADD4462000-memory.dmp

Filesize
8KB

Download
memory/1228-395-0x000001ADD0000000-0x000001ADD0010000-memory.dmp

Filesize
64KB

Download
memory/1376-524-0x000001CD40830000-0x000001CD40832000-memory.dmp

Filesize
8KB

Download
memory/1376-522-0x000001CD407F0000-0x000001CD407F2000-memory.dmp

Filesize
8KB

Download
memory/1376-457-0x000001CD3ECB0000-0x000001CD3ECB2000-memory.dmp

Filesize
8KB

Download
memory/1376-515-0x000001CD40880000-0x000001CD40882000-memory.dmp

Filesize
8KB

Download
memory/1376-455-0x000001CD3EC90000-0x000001CD3EC92000-memory.dmp

Filesize
8KB

Download
memory/1376-530-0x000001CD40FC0000-0x000001CD40FC2000-memory.dmp

Filesize
8KB

Download
memory/1376-452-0x000001CD3EC60000-0x000001CD3EC62000-memory.dmp

Filesize
8KB

Download
memory/1376-527-0x000001CD40850000-0x000001CD40852000-memory.dmp

Filesize
8KB

Download
memory/2112-280-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/2112-130-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/2112-149-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4144-300-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4144-365-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4144-279-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4144-128-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4256-143-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4256-141-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4256-424-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4256-120-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4256-358-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4256-231-0x0000000000E40000-0x0000000001EBE000-memory.dmp

Filesize
16.5MB

Download
memory/4256-125-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4612-966-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/5020-1070-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5020-1071-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/5020-985-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download