55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
557s
max time network
557s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8F2DE7E770A8B1E412C2DE131064D7A52DA62287\Blob = 0300000001000000140000008f2de7e770a8b1e412c2de131064d7a52da62287190000000100000010000000aa6fd6bd7df2864341e10de037f41dc6040000000100000010000000a7c9563a13f15ee0e171ef6aa4c7a7870f0000000100000020000000dcb8261fa22c834b1ffb69470c0cc7baff034b5c656a6c297259addfbf73f1e320000000010000002c0500003082052830820410a003020102021003e9eb4dff67d4f9a554a422d5ed86f3300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3138313032343030303030305a170d3232303130353132303030305a3065310b300906035504061302444531123010060355040713095374757474676172743120301e060355040a13177068696c616e64726f20536f66747761726520476d62483120301e060355040313177068696c616e64726f20536f66747761726520476d624830820122300d06092a864886f70d01010105000382010f003082010a0282010100c670a0d7fd91b6a5a0608435029365d11e529a2d43df54680357ad83dfb4ee6cbf54d74c4bc9205fbbca3b436d0fe3370b3200d8c655e242c92b4b2a2fa6040c81e530fcc1a60d849d52886bf3e29c50b52413e2a321f756b314f3bcbc47e550ea4b6ecf895132ae6f99a947ea9ad00982b86ebce0cd6a198bc65f1cc1bb6a1638931cb630c26ca343eb7f2bb394f36cb302bec93f3828dcf165700e7a00712cc914ce5f4b6c6945f201d769ca2fffe1268b6cf57965bd8d5c4177a2d176f32c9c9e60a7a96c3f775e64b84734394983790f56701d1b8f9614028ca180e7d03ffafa30bb51149059ae4d93d8b696c1160319e9945a760a640dd6bd134ce6db270203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e0416041437566615f0b266ff2f5295d1ae83c4e065330e43300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010081f8e7b945d68610bab4057f23259843f454fd9c7aac4180dec936794e4a664dda255b30644288538121e30a69d4447dbc04c2da21e44f5c4ba41e706c9de0cb51c67931e31207ba3ac11791f9e551deb1aa3feee2a6e199a4d10b0cd71c05143f4466d6c84747d9bc3127e47102d90a2487440ea1b9a8e7317ddeeee3a0f42c296bf03314fa6e86f3743b9a4a6e756a54e67b0513c343e9e9f7c730af9f00acb32a27f707d3d04f22d58cbbb588c2fc72d5a37c4acaaab650c9533e96aa7a0bf53a60d86fb6ee8c982ec49b49130956b064d62e010da8a75e786a4445cff7b506eac4a40ab672d91dd23a272c7e28fb670cb502ff0f5572d88d8706580c5caf	DrvInst.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2612.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2611.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2612.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET25FE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET25FF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2610.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2611.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2613.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET25FE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2610.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET2613.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\SET25FF.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
5072	AnyDesk.exe
628	AnyDesk.exe
4972	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
628	AnyDesk.exe
5072	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2140	AnyDesk.exe
2140	AnyDesk.exe
1804	AnyDesk.exe
1804	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
5072	AnyDesk.exe
5072	AnyDesk.exe
4972	AnyDesk.exe
4972	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	1216	svchost.exe
Token: SeSecurityPrivilege	1216	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
628	AnyDesk.exe
628	AnyDesk.exe
628	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2092	AnyDesk.exe
2092	AnyDesk.exe
2092	AnyDesk.exe
628	AnyDesk.exe
628	AnyDesk.exe
628	AnyDesk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1804	AnyDesk.exe
1804	AnyDesk.exe
1804	AnyDesk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2140	1804	AnyDesk.exe	88
PID 1804 wrote to memory of 2140	1804	AnyDesk.exe	88
PID 1804 wrote to memory of 2140	1804	AnyDesk.exe	88
PID 1804 wrote to memory of 2092	1804	AnyDesk.exe	89
PID 1804 wrote to memory of 2092	1804	AnyDesk.exe	89
PID 1804 wrote to memory of 2092	1804	AnyDesk.exe	89
PID 1804 wrote to memory of 3912	1804	AnyDesk.exe	101
PID 1804 wrote to memory of 3912	1804	AnyDesk.exe	101
PID 1804 wrote to memory of 3912	1804	AnyDesk.exe	101
PID 3912 wrote to memory of 740	3912	AnyDesk.exe	106
PID 3912 wrote to memory of 740	3912	AnyDesk.exe	106
PID 3912 wrote to memory of 740	3912	AnyDesk.exe	106
PID 3912 wrote to memory of 4252	3912	AnyDesk.exe	108
PID 3912 wrote to memory of 4252	3912	AnyDesk.exe	108
PID 3912 wrote to memory of 4252	3912	AnyDesk.exe	108
PID 1216 wrote to memory of 1312	1216	svchost.exe	111
PID 1216 wrote to memory of 1312	1216	svchost.exe	111
PID 1312 wrote to memory of 3592	1312	DrvInst.exe	112
PID 1312 wrote to memory of 3592	1312	DrvInst.exe	112

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:740
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    PID:4252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4080

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:628

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{88ed9ee6-5f7a-c648-9208-392623d8eff1}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{0539d7ac-b878-9349-9734-943c8be6dc1f} Global\{dc97baaf-93ae-9a41-96c2-38611a1469df} C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{e13205ef-b436-884c-aa35-ba46bb3dce7f}\AnyDeskPrintDriver.cat
    3⤵
    PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
860B

MD5
bc00484c79a0d27009e8ed23a4f8dc27

SHA1
66c2d1a8a3c5ec3b0971dc6e00b83fbd408ab1d4

SHA256
540e9322265df351849d4c8e64ca94e0abeeda3500a10c4b7ed4bc2852aebec2

SHA512
18650a2414c3f4944e8e8a9d933bb7d7ed7cb365b6c8b7e5a5b716b4d877b8a2acae70e473925ca648dfe9ebfe120b68d2c5a6f81a29ffe957e30fb774e39190

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
07d55b0372c26fec3cdb6db8ed88c237

SHA1
05a3f072cbeffb686854517484e8453d57253c49

SHA256
f5eb643ae70f780b293940752205fba9fb2b98cecb41b33b880a8417712b77d4

SHA512
6d8cd0f8142cde57481ab547c5bad11ca7f850cb21543018420f236b7497f9ca99acc4e373c8dd18fdf73d458b8df7209a5a3249637ec58e2da749cf490ba5a2

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
9b9af23494001864d44601dd1ba838f6

SHA1
26db5ae97f78f475fa37180cd301c70a4711422c

SHA256
d9f66cdaa8f0717129193bdc3e90b41560f3718530f891716e54eac5b991c7e3

SHA512
bd3ccaa8736eee767845d67920eed7121f5dcf434913f1d3ca268610a02190aa3f084873cb956d6ecf2faeffca0434a1ee3c3a68ade36650cfb4ba253b5e29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88ed9ee6-5f7a-c648-9208-392623d8eff1}\SET24A7.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88ed9ee6-5f7a-c648-9208-392623d8eff1}\SET24B8.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88ed9ee6-5f7a-c648-9208-392623d8eff1}\SET24BA.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
dcfe5a95be1e7ad6b60de803ef01d0e8

SHA1
88a3424420c99ce9347a7aaadf5a78f65efb13db

SHA256
cc936b4c920cc895426ec07ed4c46b13c9255a1dd189461d6d5259e5764a3e26

SHA512
f3305091a72dfd573fb65349689b16e2aac9fce6b808766f4206263ea4555e9eebc6015b4c67b611a7dc62ab75b848ae51b783d0c7dbaed1206423a9f11be8f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0143dd3fdeafbeffe055629712549a2c

SHA1
1c10f88f11104fa24b78616f5c6703838c0f280a

SHA256
eafd2e351798e158ba87f98502f351dfd718ccaef2db6279aa6a295256add726

SHA512
e599f0f79fcdd419f8765ce713f2f4b945e7225530c8b7d083420ea1aba0f2c17ce7039c63aca19b30660ac304f6f4605000da5dab1a696badbdcc5d53986e4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
84KB

MD5
6f3c88600284a4d48a8d79e7833a4f7f

SHA1
ffd6928e362797d9b5d89d618557a13ccfcfa1cb

SHA256
0b321f35ac10286e518dff969daf1b34de58243b34e8f325991319b09c55bbba

SHA512
fab62f1dab216a3197949a1f23f9701aa08b97872ea3c16ca6580fe78cf8cee6760b880ba1a1c58fac61a7703e4c0916da736a822905dc8a8b10bbd830762cea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
95KB

MD5
06fb07a5af9d160403d257b6a7c38c77

SHA1
be6387ade848e56906a1ac0ecb9a71403e629c9d

SHA256
d3f1b5c31aa16beab4d727fbbf9c29367b9b497c24a110435178c9ee880a8e94

SHA512
2ac8e48def866f534ad9e1d69bf1e2e39a69adc4203cb5f7809b443e44c0311feaad12fe4a7d501b35e6ceefcd21780e36c4f91eede0a6064c38dcf8c7568ce4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a6cbc501abbc472b1413d6a94936b087

SHA1
b950307cb5b4636da494d4ecfc5616e68db5a019

SHA256
30ae593d705b9136452e5d409228955dda728d93fadc516acae8302454ec0b2c

SHA512
c4003e1ea49627f9d14fa4110bdeed0aea621d12c9a7d80e0589dca52fed8469d46ad8ab906d67cf8bb1054181e79bc8c5ccaa13280bc32d965f97ab7eab87d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0c80368790d59a14599a9ea32c2a2823

SHA1
146556303d13c5ba759682b7c88c7d8285ca2ffd

SHA256
e4bc7eb804a69daa0c8c7a058ef2277841c082d88c599d2da653a10622bf30ca

SHA512
3f1799c4eb0f1f86b517cd030beb5993c61d73db55d655ef18d791284b1781ca59537bae2247ff3827d03fcff1c363759978b5936bca48f0e9383e8dcf54b329

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
9642ace2459d036a9875952b4d1f83c3

SHA1
628244e75293d445290eb0e8ceef30d29ae6e280

SHA256
6052cbc822cd2e0ca13431881238a0b1a1eee212d9e2046a3f5c1cd9234d6ce6

SHA512
7ce065d47420fa3c4c7be5fe8ef37724e92b9ffde0584daba59bf7b2c965fa526a65d1341e66f1a5f7d61afbf383af428576e404afa430680283cc76479dc202

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
69cee53e9aa628dec3727f4f717a75f6

SHA1
b708e98052e6ae0885cdaac155c48b957856f9ff

SHA256
0b9724d545d055892f6778b59f6a28664a6595912e955accb5ccd3233f09ddc1

SHA512
88a12121ba7aff74a49cc7d9ba28fe79121928afb5692e7927df7a9aabc223e2fd14f25765cea4df372bd74d7be851aaa0db135a0111535c4419f4d935735050

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd245c2ee0d7b02e6ce63fcbb42a6f89

SHA1
fdb36e1f21db82d4176de41b9ba87c3981ac91bc

SHA256
c8af32c55ea2acaf184a9758999b2e7908d9897ac7d43156be742ca99d960e63

SHA512
6eab6a93e6e0a0d6ac17f0a9192072c545610f098762a4a4b5f0580de2893431bd3fcdf2c3a244374e0ae47e28772e970b0660347ce8c8b3df038c8bb8b5dd0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f509fb96ea04693b9005100b35bdde8a

SHA1
5c603d7aa96b945a4a8a5607ffda031bc1799a0b

SHA256
84b3f6b912289e8823eda070702ebe4f53ee4b715ab9656d939d49763bbe5016

SHA512
ebe392b977a94ccf64a3c68a750de1a27419edf116df83476baa4bde8556646ef1afa7f31e4304e3a291557945fa6808d4e2e9421463fa7ff9284d22a7a071cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7c054cbda162767119634e1500defef7

SHA1
56186789a0ad13a3cd5796dde3a206411f286c47

SHA256
0e42ac429cd92e5ac6715085f271dabdf51656b75867f4f4b436b497035b1333

SHA512
cd06824b1335152e45853b12ea1d73da4f372fbbc7c1e793959e1d5c4f6bbd7e8c92833f7309cfc542a0b24e1414e05de13e0ad474cf6bcbd6fbf64be9c6bbaa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4c08ee9df886ceb741e78e529e6b0bfd

SHA1
e825fc28707db3b33cdeb4439ff04fa1affc6160

SHA256
5d3383b9429e2db1e41a6a14edf05302a5d57e03e37b3bf911fccb291d7a2c2b

SHA512
706e262d80c3bfa204d4009ca64d9f214e189981937d323bf8b2aa43545e29f372ae6be67b708c9029c6e383657722394aad2dd1173dc8004cf1e3657094b408

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2f50e676f78a7ed8010292c6dff8440f

SHA1
d7811978f3268e7ed7819b2aacc7e4bb86fe087b

SHA256
d133b6c006e056f32eb5e2a382d9696648225cc22d61690bfc5127df4fe9c8ac

SHA512
e68bfa2e6e9e776fa3d460ec5bc61de9c96b11251dd667f3b56616c2f4160279dee94870dabc3a386c6256d641714e9d12965654634efef506325507ac4fdb9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
25618aa2922e7067001aa76ef25f9fb5

SHA1
87955173b102a0c070ab5068d004e46738427284

SHA256
5bae4d113e88b2c0548c22e2d232b5bf416447058c231d10c0a4340e74179571

SHA512
58466a1f83a7ce65f234e12b8118ce5e66e838d5b9b9b61e1a82d2d665393cf243f17717720f183d7a5644eea5428da63e568df16bf2df230397167971cb49ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
38962ead88a745c30ee2db85a455ee84

SHA1
02d6ab2f5855d002b0e0741bdd2a5fc1826967c2

SHA256
211b9741ea51eaf95a0ee0e340396dfb1a9d6a348b6e1120d08e81280b91f0ef

SHA512
978d2e04e206c4039676d9f2bedfd9ce7192ce282f99dab0a05479b4fb477447445498e787b0c9bf94fc0f2b1d73a5c92c7e7a81d6eb397566871ee2136725e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
221525b5225747179926e1398689703a

SHA1
051eb7218514be44c66055c099a1fd7f68248bec

SHA256
003e6dc851c455b2d3b719585011d7fe4ba6407ebf4968fb85db0d624661a05c

SHA512
c86b9e28bc6aa664d9601d144f16b50ca1d7d82cbc33da67f71a2fe9c951820261d54026d9df89e6bfd972fd98455b08048e6c485b5f208be1e1354c129fe765

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
270ad21f59c78b44a34733b0b9fd1851

SHA1
3bbb89ddf3013bddf39a8c03d96b9bb290b54c2e

SHA256
7f37d87b721c04ed46f23d52f28d547c2531d3468e60b9d9eb7c3c7baccfa370

SHA512
3002bd172077e4250e2687b0e831ef4bd7d84ff8db06bc2559fcf4ea40ed547aa56f23a2c50585f3d148c6dcf41d638c6a74193f1f44424515d6c9c8ec0bc22d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
7cf6dbd784c4eef4a24259ad508fc2ec

SHA1
36f5a5143be140a6a85cea1098af93a6e98a673f

SHA256
4ab45f60b1d64316c229c5b0280228f578f87d6d71351669780cfd39fc037e7c

SHA512
e784a5d5e1a7e62581527a7106a522f5115f819c93dce313c1222fa1741562f36d74b2d1be846fbdb84e009d0a2e68b4aa7c100980e09895290edfad5c080d1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a510b65a08dbadac33e252c5d9f015a9

SHA1
31ae4ec912b7ad91175d8226cc50c2cb681d0dd7

SHA256
2e6d80446f21884ca3634f5c011d43a8b337976674b182e0cf067a9c49e9dc84

SHA512
367dc94114a873ff42cf2ee4a0b31139ec3f0939173cf893ee8997961219564e6e5f1865c14208e917aa36e593036ffb3e4f12710d0a5c5363e6ef6407e55a70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
10d8e138a944a0e1a35e40805c99f39f

SHA1
dadae7188d806f9fbbd2023b8044d70c0297fd86

SHA256
4263812efc61045e956468806290444ba0df6c17afc13f6e22e5901332bdc1ba

SHA512
7731d0e425e329eb26812d5bd98cb94679cf0fc786488ac23234d201a11c6c80fa0c1e42ef3a8a912e0cd6c11ebc1febbecdc6a27d61f85512c632299c65f77d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2c5eb4faa7ef19e47395d5ca56dbd530

SHA1
45b589d5b479dea7e21c0657d32539a5dc9135dc

SHA256
b191bbc8bd1b6bc64171fccf73f207e2f1e929038400b4d2522aea111cc53cb2

SHA512
116716ed967c111b1f975fa39bb51f70c9b8ac80746ce6658b0246665baacfbc8df59e07dd2818267c64e053240e017f962a2f9b1e779bed5280e53f27addc27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
56f2a183da19c15164b842223d26216a

SHA1
83391e7ac16cd2a61820353c49156184fc62e04b

SHA256
a67683a12a58e49ce9d59f7ec0d9f1929e5708078548052f97074c7260b9e363

SHA512
f6428cfdeef60a79076fbdaef36017125fc2a4661d761534844ba3e224e4b0b416c110955a959e3388205912fa4a38d53ff76d76707e5e794ec95fe65663ed20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
74360247a27495cdbf958381f11e0790

SHA1
1c491e3d379ef9d92616e01d15246b9c2ec618c6

SHA256
093e9d27ec9e2163bc85ce6b5f3ef205fda3bc085059502d2a1fcf34b6191b4a

SHA512
8bbef8a17b3786c4e5c8ace873932cf60ae1732f82d9e7728a07a4f307de8e06c4673d9037af022e46924f1fa404f402dd1a790a9593c2e81cce1b77fb2de484

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b82006673cc25eccec3e0e4689c2d08b

SHA1
50943a7d36dd3667e1b17e22e98693f3a4a95362

SHA256
f3685fd989800bba3e6c47813fcdf6fc4e4d34430a23f8cdab94091b654c53a5

SHA512
df1c9751cfafea5d24597dc1524d33b87aabaefac81c79306e1d7feba897cb2c2b97450a12b4cba39b3fe468477cea0ac36c8f8c06f26ae8bb2ee2b48a864845

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2fdd3df9044d0d237a714ba7224eaf7b

SHA1
a325e714a52d3512f3c0b1013a468b4bfbbc6cce

SHA256
d1d327e85c4eff60e934febfcde553865761257df0a7f42d91a0742550105e4e

SHA512
0c239d8b8075abdb1659e7b5f329c3937fef638ebe8d1bffafbee6476a81ea5ffb91e4dd4f43c4b3f05500b0d2cdf6e19fe88fa7efa8f18aae3950ece71e694f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
5KB

MD5
8afc01d573900ca008a35af3594bca4b

SHA1
84ce72ce83fe224ff22811bf58e9555be1acc2c8

SHA256
eb4d1fd8a65921a1bc0b2fd865a64ff69ef58a348e19ee0696c378d27b2a8fd2

SHA512
c857f93d81bf45064b83958f0c17cb89ad604c2e0b5ca3ec9e776a8d992cb9018307129b9df8f8b0e43350eaa02886719b3d45a7f5ee175fcdf2715b478242ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
5KB

MD5
4779a289f3835647936ede0ffbee2908

SHA1
0c84a25ef76b1c5270f3497f83a4808ace38ea9b

SHA256
504309de32ab109a998b72d29a771860cfb3b766528780b74a74d3142bdd6b6e

SHA512
73ad2f39238d48f28396944cda60e4505154140cfdc42fa70e627b41d9034bcab3100bd59dccd3bf35a0278c0c3174ba17a99a73b5e6882932f1f4272ea2254c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
65e0b3a3be0731c8dc9d86082affa58e

SHA1
29371aa6fca55e5de9ce76c301c13805268da0d1

SHA256
0931563171ff09d7da8de6ede517a93d3ae93d0bac4f985e7e44302e4814aaac

SHA512
02f96fa5568393c653c8831190f8cff16fd61aebab288b57174986d5312a6a89d91823c179b4fb07cd8fc3b5c9465c75e019a3c74f0ea0110511a83ba7a21c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
bb46e8eed1c6bb8b0f4eb9249d7dc33e

SHA1
dd306ce2fbbe97fc8cc7a3dbf21c6fc8d385c9ad

SHA256
e69ce397c5ded35498a2145f56e68e7321edb493f09f28d4f64230d89cd829ee

SHA512
7db9dbbbfbd49f2349fea281d11163cc871444885b06e5186952264cf64c03675b301f8e96c219c93c0bae4cb3ab0cdae29ef737e970d63c2e6e7518779ac1e3

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
memory/628-593-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download
memory/628-596-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/628-739-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-362-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/1804-272-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/1804-249-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/1804-264-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/1804-306-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/1804-307-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1804-308-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/1804-309-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/1804-310-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/1804-311-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/1804-312-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1804-313-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/1804-314-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-0-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-317-0x00000000086D0000-0x00000000086D1000-memory.dmp

Filesize
4KB

Download
memory/1804-318-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/1804-319-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/1804-321-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/1804-320-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/1804-322-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-4-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1804-325-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/1804-326-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/1804-85-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/1804-339-0x0000000001990000-0x0000000001991000-memory.dmp

Filesize
4KB

Download
memory/1804-340-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/1804-341-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/1804-345-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-265-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1804-358-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-266-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-260-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-361-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/1804-363-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/1804-369-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-88-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1804-387-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-273-0x00000000086D0000-0x00000000086D1000-memory.dmp

Filesize
4KB

Download
memory/1804-274-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/1804-399-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-275-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/1804-22-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/1804-277-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-276-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/1804-25-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/1804-474-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2092-29-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2092-263-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2092-12-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2092-389-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-346-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-315-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-409-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-400-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-11-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-262-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-476-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-388-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-373-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-359-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-32-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/2140-13-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-323-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-295-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3912-627-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3912-470-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3912-468-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/4972-675-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download
memory/4972-677-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4972-692-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/4972-693-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/4972-702-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/4972-734-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/4972-753-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download
memory/5072-499-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download
memory/5072-735-0x00000000004B0000-0x0000000001BE7000-memory.dmp

Filesize
23.2MB

Download