55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
294s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF845.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF833.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF844.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF844.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF846.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF831.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF846.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF833.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF845.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF832.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF831.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\SETF832.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
876	AnyDesk.exe
4576	AnyDesk.exe
972	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4576	AnyDesk.exe
876	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	quickassist.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	quickassist.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4240	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4880	AnyDesk.exe
4880	AnyDesk.exe
4880	AnyDesk.exe
4880	AnyDesk.exe
4880	AnyDesk.exe
4880	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
876	AnyDesk.exe
876	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	AnyDesk.exe
Token: 33	2816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2816	AUDIODG.EXE
Token: SeAuditPrivilege	4160	svchost.exe
Token: SeSecurityPrivilege	4160	svchost.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
812	AnyDesk.exe
3672	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
812	AnyDesk.exe
812	AnyDesk.exe
4180	quickassist.exe
4180	quickassist.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4880	3672	AnyDesk.exe	88
PID 3672 wrote to memory of 4880	3672	AnyDesk.exe	88
PID 3672 wrote to memory of 4880	3672	AnyDesk.exe	88
PID 3672 wrote to memory of 4240	3672	AnyDesk.exe	89
PID 3672 wrote to memory of 4240	3672	AnyDesk.exe	89
PID 3672 wrote to memory of 4240	3672	AnyDesk.exe	89
PID 3672 wrote to memory of 372	3672	AnyDesk.exe	105
PID 3672 wrote to memory of 372	3672	AnyDesk.exe	105
PID 3672 wrote to memory of 372	3672	AnyDesk.exe	105
PID 372 wrote to memory of 2108	372	AnyDesk.exe	110
PID 372 wrote to memory of 2108	372	AnyDesk.exe	110
PID 372 wrote to memory of 2108	372	AnyDesk.exe	110
PID 372 wrote to memory of 4968	372	AnyDesk.exe	112
PID 372 wrote to memory of 4968	372	AnyDesk.exe	112
PID 372 wrote to memory of 4968	372	AnyDesk.exe	112
PID 4160 wrote to memory of 1908	4160	svchost.exe	115
PID 4160 wrote to memory of 1908	4160	svchost.exe	115
PID 1908 wrote to memory of 60	1908	DrvInst.exe	116
PID 1908 wrote to memory of 60	1908	DrvInst.exe	116

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:812
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:2108
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    PID:4968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\quickassist.exe
"C:\Windows\system32\quickassist.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4576

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e6177b98-9626-4746-8764-251d1df0c6c0}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1d6034e3-e310-4748-a41f-ab10182776c4} Global\{d7d96b85-9c48-9b45-a88b-4c9af92ae770} C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{2becef49-3692-c940-9491-c2014350ee83}\AnyDeskPrintDriver.cat
    3⤵
    PID:60

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\39950886f48b4e7fad3bb050a01a9d3b /t 3596 /p 4180
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
025d0fa2aa7ea6d75548e925ffd45b30

SHA1
dade8f9fdd5f2db7eb6f97f0e51d391a17e7db91

SHA256
d7b537abb75a2c1d91514396143262eee47e2be2b92cacd2db76130aa6983852

SHA512
9bddb75660b6da4606f17bbe942ae181e496c539afb190ed5f2e39c90daf704ca9100c7aec5160cf52d730f4f93920b90f0f3013d54381e1613af95882ba8942

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
3fc60fabda3aafca428b97843c6a94cf

SHA1
0b5a5605b9ad3a28a12e7040f74c48c4dc297c8a

SHA256
0123319fcbc3572ac323ab77eec225fc87095b091aed18e2f97962a5038717b4

SHA512
5c4fed47af95164b662c09658ea9420a17676c5496b6e2008b3d85c27829a62d9bf3be2574e1061ce19274cbbde43f82bdbe67287edb474c7134e32d538ec087

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
d129081cfb1043a8dad58731878e882a

SHA1
e205924288e60073899f031f13b619d5b2890cdf

SHA256
08961aefa7363805c4c54907647346463ad4f86d3a95540349a321f9468bd4ff

SHA512
8b4c5910d2b31211554a3ebbf18d2e2472bb744e4565e1a936962796015b850d53752dab025569c288e904b3f36c85d61b9217efd6259473d61041be0126aea2

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
993B

MD5
9ac8cd93eea051936d8d4183b834127b

SHA1
ecbcb5ba0d3cc112e36740311b70e1639998e54e

SHA256
a3d6ded85f67d0902a0678388d229d1b98179ff0eb3b87a76a1db08d27a54deb

SHA512
8bcf50e9d4d78b7b2b65179f8d8839635706cd048076a5165c40b957576912bb7a2b65624afa360deed3d68b30d955769b5d8c9d4459994ef78f1c350a1cc7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6177b98-9626-4746-8764-251d1df0c6c0}\SETF38E.tmp

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6177b98-9626-4746-8764-251d1df0c6c0}\SETF38F.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6177b98-9626-4746-8764-251d1df0c6c0}\SETF39F.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6177b98-9626-4746-8764-251d1df0c6c0}\SETF3A1.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0fc49327cc1cb360c9bfaa28b59c3e40

SHA1
9eb52aa0907ab0defdf3554a29f901c7c4df14aa

SHA256
8d5c2458bef289287101976e410d0951df6e5d68337671b9ea7be1a54d9ab89f

SHA512
ffe866c699556b5d8760a94a7921c3b6a87f9bbd7ea4f0995f7b29dacd8f87a3ccc559075668c35433a5c3bcf005aff6fa21921c1438eafd3c0aab665b8e7864

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
0d573814c3c3ad1cd2ef2c2f013c07d0

SHA1
93bdeb7a2f1bcfd1b988f11eec9990512d4f7b80

SHA256
727ac223a9cc3728a4501ce3ec80234b3513fff22d4ecbd8dc2d6552bb02d33b

SHA512
810cb526afc2ae8f74acb6d33095578426d94696a40e172cfc52921635133fb88cd810908d074ac6f7652c9725d1a290e1082e4173576420ca47188721ac1bac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
17a80207257816f375924e7097e94124

SHA1
858415d43be9b153cdd7956b9ef4de567141a2a3

SHA256
7107d78bb588760fdf9932d8dc71483f89fa1a488b6fcba58d9e1874e8a6fd40

SHA512
73f23cf8d62d7497802a514e8c0253a4d3796295e6a760c15ca7612d71980832839a8fecd235acb76b511180f4f1c5518b53748d917958b686dbf3c4685abf7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
71KB

MD5
9f70b775e4b96bb4c1d3942210355750

SHA1
24e6a9e83516380b651f536be8840ae5f9115f5b

SHA256
dd6b76004f3196a618ad97aa8471954d405cf98dff0e51d6ef1ce2153aa27ffa

SHA512
868d25f13b597e2036aa8e063bef3c142b30adb3b332c6796582a73acc4e73e44a1f9243ad03dbd645d090357e5c157c774032c60aa25187801fe42ab841a7e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
82KB

MD5
3edab27477e83025080e5ac9dcbd1469

SHA1
c908229779f92d1c3024fa8cefe3ae9de8ff21c6

SHA256
d256d650dc5ad33670fc72b39d4c41d7a24b6881200e5e2d92aee0a8a2e83023

SHA512
676bcf55451bf3eaa2b1260b253afe6edadc8dca4ca52ea0ebfecd0b37287beb537f49535f22a20739b05c4998f90c6852fcd80a361e7c38d83d9d92e567caff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
86KB

MD5
9b4e9a8c52d0b48cde5658ab788353ef

SHA1
8eea01311929fa356e3a2feb9c607adf4ac30b6f

SHA256
b69b4c2087449c2dc83b4e0eef46699deb56fd1b87d35e9cea11c7e38a273fd9

SHA512
ad6d0731d5d9bb4cb11cd87ee64571d0acb8dbcf3ad0c73e71e73f6452c0ba40f676f34c46fb920bba8a0624ef54517afb5139dbc4c4887957ee01334a8064c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c94799eccb17f9cc3fa458858ff8e537

SHA1
aa1b173b0636e94db55216fb1e7f1c3fac9599c2

SHA256
453b29e3a883a48885f5c73d74860badaa1a7d4e13169ed4650fb5f51f6c1aa0

SHA512
4ad70f89e29dcd2a4b8050bb8194e6a0a21c952a58cec8f397e447bd5770a008936942aa38a38ab4fdb5130c2823b9feb99aa2cdb627cffe16fe221fe1b5754f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c9a5937a0b61ca01fa5df02075a39d08

SHA1
244ec3ea6cbab064f0c85547ff929079175d92b4

SHA256
fd51e8f80fd80611bb7eb07bbaf8b6d96905f99cbfe4639866e870e5d1d9dbf8

SHA512
d30eec50db0d6f94053828f9dbbc098eea907fe49f8b80fddef522b6061c322ac7a0f8dad8533b8d5f965bd61a8e9c98be3c30c9ad9efb650cdda9baab13369e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
84dbc09e3261e5707d43ecc0138a9415

SHA1
cc7c18a89e623371ee212557216991468e16b557

SHA256
68a616dfcfade0171784a6cacdd103df06401d1698bba7ce28ef9e4ab36706f1

SHA512
9a494c9d850a5ff1d2392f9246e05b17d8e34ed01cf9e25072300730e40d556ff662a3ad2355214b1cf6793cb4ed819242fb42c442171394d8aa3ec1e387ad36

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
ca3feaf2e7685f022492a492618a8d00

SHA1
c72779c623190d65436472759230f6688a725549

SHA256
f0567d4d94e82cbedf3b980e2cfd5a7b186727510e13b34f815dbe9b5b10a5d1

SHA512
f8e1e9d2076db02922ed56a26b4694f7f49fcd47e0d916f8d778609b7a0f6647e5e2da15403bf7c30fdccc00033d9146c39dcedf74016fb1ea174ad8947e61c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
935B

MD5
ce97b101204a61d8cd8d59ee9201888a

SHA1
db8375db86dbe6b9d359dce62200ece7a84a3976

SHA256
d140f44aab8c1550fc39a3e11492dac097a72191e98d2113d9b7d17605b4a81d

SHA512
375a5a27e3aa5c6645147167a8f3362229a239b36d32c52b200739ea0bb7fae4713e14ce014340d8d569d3007bda5f79313a5a476f4cebc1456e8a585f76be22

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab4ce89f8e46933288efcf8fc104b1a

SHA1
5a7ac63f72554330c2d74729d88db75de2810483

SHA256
dcf17f69ac3e69566125f24a98eaf0e704924951e8583ac5b172cabe0559ff0c

SHA512
269bd1630258760509adc899842008e332e73d73c5a9c2d6ee3ddc6c8d3173bbf0c31d734f89511f1705d34912f2d3e3f82786f101da2b7e2449281a38078345

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0af7a519e2096d7929f1169a920dfa00

SHA1
693461338c4aebb909ebb977b350f1e3dc085263

SHA256
013552acbef2302e3b952026bd24ef0a05123bd264ee9d3d399ba3e72ed8cca5

SHA512
4b93b7db0053c5e0d7e210b2ef6dc167d779203877583c0606050bc49e5495398340950f325364a14eefd3a157f747ee80358c13466b8689305e2a307054820d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
20b94d8c48c1ec2b1c0a99e4a8c59e38

SHA1
d0454e4e013a781ce4f73b152b98c110e0c77647

SHA256
2d5f27bdb912c0203fe25c8427f19aeac5f77033346e1fd50e71597281a446bb

SHA512
19c2d8ed39cef590c32daeb444d28e988f4408f87eef85af5d1b9ffbced8217425c259268ae74057b11dea31e6c8000a6f73baa5dde07b3c16628bf9c57fa9a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f144fd102ec23c76789d62c329f6b08e

SHA1
7500003a2aeffc1859ca50f6f5d5f7e732e93053

SHA256
dc7736d09578dd03b9980ad4460a7feea0631dc947c739b355673f27b75efc6a

SHA512
a2d5d130ddcfac142cdef5b3d2bc7b4a91ed0fc826d8ed1e7f401ed391b432567ab3b001dcaac9064ffe04f5122f7ea46d0876b66213c982d1edbb09a084e7fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9bfa7f9c7142b981b2a20aa6b540c790

SHA1
9f3587859b7beb9d0f06ede8b4542bc66725052d

SHA256
1650f82d0d80e72a692eb3bd05924d22f7b9099a0ae3aab56b088cc39de0b73e

SHA512
cf32baa8596de84e02828701ed13551fcae68f8f0f15a5afd84c36da744773f7cf5bcea63ad7d8bbbed0f97791a5abe45007988772d193bae57be0689357077d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
16840245f8700c861805fd56f71cb6c4

SHA1
327127f035b0e2f3d171431003fe8bb55b2a9f1b

SHA256
d3db080931f1a8879553ca7dda5447f368f327b4f4909cdde2f8ab08c582e971

SHA512
fd4c0983d6d2a38168e4549f9f433f03c470b6828824f475379298d07e44b3997962a64898443c6467757340608272a4fc94c177fe8e0027338cd049e5c97395

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
472ae2f606f43b7ccb97bec803592c95

SHA1
fd55fad1838bfdbc2cb3db58fcb08e9b48485b48

SHA256
c735897a69827ef30e2e9f21430e4a2c4de84d568926ac8d663e6c8c13af0f12

SHA512
da0f0a9177b54bdae109f2568d835103a835e03a216809ee5c114730b3d66135cde17ab2aad8939a7ee3811526b3d06cf43f1f8cc1f5a29af575f20147a36f45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
84296d4630a54b24bcc332a96d8bb2db

SHA1
2e1f49cc0b83c96f22627fe5e6d51df98ca48c1d

SHA256
d96ca0d1f85f968aee86a3e20f0dd6b825ae8403c31a13fe436a78aee2d49c9b

SHA512
8f27f6e55f8f64df96f98594f7d30430b07e33b64e33e2efeeb45b73709985043fcf0bdff9aa3df7e184e9517c816aa4a0f63c996bd58a69595c1ea5def24e3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d6d1ecec2b0103745e681f975a87c7c9

SHA1
984fb09af662d74f70d421252fe1b49506ea9101

SHA256
db740166ad06ddc9b6bc105425173b5eb397bafe6d1945271a37fb319fc264c4

SHA512
3dc24c6bc3b6d92729971ddf53e844345278cac46e1c394c0f9969bd199a2f5523d2b8cedf8a08c8d945dfa5e559d91369a7a3447f71275dd9917dd5b9f65f84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0af1000c93f22307889aff398e0af537

SHA1
715d5e317281f814c763076b65f71f41d8b40960

SHA256
9b1d3e26b69a802bc6f381c54b33605ab73d836932365bd60868278fdb2d2e3b

SHA512
b8a4c0036838f8ddd2cf882f62cf4259b041dbbdc2d9efe86e96ed75b9c280e67cd16325542ef56ae6da08380c4d70e62501c00f00d64a6d8f32064c837ac829

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d4fd5bc4202115325ddb9e8af4e58e5d

SHA1
85aa1466acfd78c71ccbccc83ffb1b90c267cd7f

SHA256
aa466d94622622875ff0ba29bb8c879229d95b699033c7a21339610afa15e2f6

SHA512
e998df9e92e4ef94117178e2400ff208d951120865f915216e457fc09d06758e2dd4898476d9d3cb0b250e89e50219f05a584f31f936a7e13581b2a0218b34f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ad7324fce3a741af93240e571a64e8c7

SHA1
d92ac57b07cd6101f38cd4caf5f69494d5e491d4

SHA256
95b5d331f0eafe979427f648b8d96f3130c54fc27bdb7292b328b54a87939327

SHA512
6fa556c4d66bfe04fa09578284f07a231bafe84185ef1246da4ec737c97dc4777d1c140707c82fb16ccd492938949a069dbec10af9d4a0f4bd550c88686f1613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b05f6c7926b54c2a301326628e006872

SHA1
3515a39ada810f8372f661c30cb9409e113a7e6e

SHA256
30b22edfaa309dcdab11143ffa6b92ba253fed7bd054973d6a53fe2a7fa3665b

SHA512
c0140e5e36fb4e8d020c78ba5cc020cc060f387f842a1b8181f940926f3a85815398bdbfefb0de2d1ee24da6eec28cbecbbf6ed45cf88a9d63a9d32598d93a38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ff6c04e160247b18f6d4f363e990efc4

SHA1
f0a258550accc85cf375457c16626d91f9f8acd4

SHA256
59085e935677787a2416346041c62222f91a091b671f1198ef90e553cdd3ae83

SHA512
587527a1afdc797e2451d43526853b73d36a88f68bf900036d39b7ca8d0224704251388429dda94b0175e20c6d1012bcd111cd2765363ef39827ac799f9a45c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
c60745e55760a738fd27bdfa49aede8e

SHA1
a95bcb1d45000385ad3045bf421e64a1387f2c38

SHA256
503e1d7e5e115b4d0351fb4b2c34cb4ecc42768239964eed39833a4e1075c104

SHA512
979fbfec26b39d177bb500da708bc9afce5037abb5675aed3c3fd11befd7926f4956ee8fa00d8977d8d61f353a0ef34053fb4397f992dea6cf8f96757d0d07ff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
80a03e9fec04744da8c914d39615226b

SHA1
93e03c1f65b0ed6fe0cb85746cf6dc6d4c0886b2

SHA256
5a98f0a9ee02f9b9c83c52fd9ed4d6078314e4b97bc4f02192e81c4d87499365

SHA512
0a1b2355ee232dc77a5d46094eb434eef035aa8b996562e072bff24ec1d21a962f8560624f432da1bbc30c691dd2d644cf6ae34c1dc28bd44d2b14236d89628d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e381e6de9bf5c0f0589a03155ea213bf

SHA1
7971d54048daf5fcc027a1426d4a6d83e0e2cc42

SHA256
82e13ae28edc8ee7fe7380d462d2246a7534728596090b15a7313ad56c9b5a54

SHA512
1cff84358aecf89c4ac55e7231cb1e056a60a3963c56243586d971a68e82f3512d8a5a98152e608241da1955fc6b881427de5e6af46bbc7eb634cad9b2ff56a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d095fb9e081a97ed4d8cf5053d8eaf8e

SHA1
85e8f3de5fa57656e3da53be445e48bd786ad6eb

SHA256
544ed8730a2fee39dbd77c1290ab0c1708f98e87c9908961eb5db9db39625472

SHA512
f0a3163d6822b6b0304891a26636aad298a621d443b2dd4748bfd5551ad5ce62949bbb31716d7a3c838fa27c0d2ef3ef10ba380f986a5c6c9187f3a8c14dfafc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
351220b0ba5b1a7b816ab09e9d6b4cd6

SHA1
56b77d2e9e27f24b43475f30024a1ed78493b95c

SHA256
b81a9c8621dbce8c619649e5a3c145475a2e313df86b5950a249ebe27d6e5deb

SHA512
e1d0ae58e5925e1302992a8bd9eb578570aa4acce0387b4f8b56ebc70891c40b6e1d3245941cd9033856d615730c3139e750e7241b660248b03c6a413efdcf84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
b6838c30ec5a7f6eb928c8caec48f2a8

SHA1
d6dd682b515a96da802716e9bb2e3addec9ac832

SHA256
5783aa8e66985a86d822572f0f8cd125117bdf8669d11a0258e70708381a714b

SHA512
cf87437f50e7405e0f6f10bd6ae3812791fb593659ce480d6b1245df6737d1fe766e356dc995fc83d3985fcd51f86a9ee3b8dafaaac0d024f518689af1219165

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
2f9881609e20a873fc8ce37b79b8fd6a

SHA1
70846570fc2a662fc3eec7185b610f4d37be474f

SHA256
3272882a7280dafd01214f8175f18b56709f9c91fb6be493026fc38a690b043a

SHA512
89b785abb09059c0bad4fc45a9ee167400344bbb202428dd563a957c9d2a964a86cf35dc69b081f208daf9c9e32616d4be8eccadac090069cc8be86420f77402

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
memory/372-549-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/372-411-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/372-408-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-267-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/812-278-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-257-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/812-258-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/812-259-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/812-260-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/812-261-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/812-262-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/812-263-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/812-265-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/812-264-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/812-251-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/812-266-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/812-252-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/812-271-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/812-244-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/812-233-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-250-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/812-312-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-253-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/812-234-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-353-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-357-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-256-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/812-365-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-254-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/812-238-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/812-248-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/812-249-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/812-245-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/812-247-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download
memory/812-419-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/812-255-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/812-246-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/876-442-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/876-666-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/972-554-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/972-648-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/972-670-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/972-644-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/972-645-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/972-647-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/972-551-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/972-646-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/972-643-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/3672-227-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/3672-389-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/3672-0-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/3672-4-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3672-388-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3672-216-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/3672-87-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3672-1-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/3672-84-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/3672-390-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3672-413-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/3672-391-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3672-32-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/3672-393-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/3672-392-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3672-30-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/4240-33-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4240-14-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4240-229-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4240-274-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4576-596-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4576-547-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4576-669-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4880-31-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/4880-12-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4880-273-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4880-228-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4880-351-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download
memory/4880-415-0x0000000000AF0000-0x0000000002227000-memory.dmp

Filesize
23.2MB

Download