55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
708s
max time network
1021s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
360	camo.githubusercontent.com
377	raw.githubusercontent.com
378	raw.githubusercontent.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe

Executes dropped EXE 8 IoCs

pid	Process
1704	AnyDesk.exe
3752	AnyDesk.exe
748	AnyDesk.exe
5024	AnyDesk.exe
1704	AnyDesk.exe
3752	AnyDesk.exe
748	AnyDesk.exe
5024	AnyDesk.exe

Loads dropped DLL 4 IoCs

pid	Process
3752	AnyDesk.exe
1704	AnyDesk.exe
3752	AnyDesk.exe
1704	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	quickassist.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	quickassist.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "151"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d1f7737abd68da01254e1b1fc668da015203cf1b7f85da0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{742BB00A-2FCF-4447-85D3-B4AB8F71718D}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3752	AnyDesk.exe
3752	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	AnyDesk.exe
3672	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
3672	msedge.exe
3672	msedge.exe
5096	msedge.exe
5096	msedge.exe
408	identity_helper.exe
408	identity_helper.exe
2904	msedge.exe
2904	msedge.exe
4256	msedge.exe
4256	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
748	AnyDesk.exe
748	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
1704	AnyDesk.exe
3672	AnyDesk.exe
3672	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe
2836	AnyDesk.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5024	AnyDesk.exe
916	mmc.exe
5024	AnyDesk.exe
916	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	1704	AnyDesk.exe
Token: 33	2656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2656	AUDIODG.EXE
Token: SeShutdownPrivilege	1668	LogonUI.exe
Token: SeCreatePagefilePrivilege	1668	LogonUI.exe
Token: 33	916	mmc.exe
Token: SeIncBasePriorityPrivilege	916	mmc.exe
Token: 33	916	mmc.exe
Token: SeIncBasePriorityPrivilege	916	mmc.exe
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeDebugPrivilege	1704	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	1704	AnyDesk.exe
Token: 33	2656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2656	AUDIODG.EXE
Token: SeShutdownPrivilege	1668	LogonUI.exe
Token: SeCreatePagefilePrivilege	1668	LogonUI.exe
Token: 33	916	mmc.exe
Token: SeIncBasePriorityPrivilege	916	mmc.exe
Token: 33	916	mmc.exe
Token: SeIncBasePriorityPrivilege	916	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
3752	AnyDesk.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
3752	AnyDesk.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2904	msedge.exe
5024	AnyDesk.exe
5024	AnyDesk.exe
1668	LogonUI.exe
496	quickassist.exe
496	quickassist.exe
916	mmc.exe
916	mmc.exe
916	mmc.exe
2904	msedge.exe
5024	AnyDesk.exe
5024	AnyDesk.exe
1668	LogonUI.exe
496	quickassist.exe
496	quickassist.exe
916	mmc.exe
916	mmc.exe
916	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3672	4404	AnyDesk.exe	88
PID 4404 wrote to memory of 3672	4404	AnyDesk.exe	88
PID 4404 wrote to memory of 3672	4404	AnyDesk.exe	88
PID 4404 wrote to memory of 4564	4404	AnyDesk.exe	89
PID 4404 wrote to memory of 4564	4404	AnyDesk.exe	89
PID 4404 wrote to memory of 4564	4404	AnyDesk.exe	89
PID 4404 wrote to memory of 2836	4404	AnyDesk.exe	98
PID 4404 wrote to memory of 2836	4404	AnyDesk.exe	98
PID 4404 wrote to memory of 2836	4404	AnyDesk.exe	98
PID 748 wrote to memory of 5096	748	AnyDesk.exe	106
PID 748 wrote to memory of 5096	748	AnyDesk.exe	106
PID 5096 wrote to memory of 4700	5096	msedge.exe	107
PID 5096 wrote to memory of 4700	5096	msedge.exe	107
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 5036	5096	msedge.exe	108
PID 5096 wrote to memory of 3672	5096	msedge.exe	109
PID 5096 wrote to memory of 3672	5096	msedge.exe	109
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110
PID 5096 wrote to memory of 1568	5096	msedge.exe	110

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1704
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5024

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3752

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://my.anydesk.com/v2
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4c1546f8,0x7fff4c154708,0x7fff4c154718
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    3⤵
    PID:1568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    3⤵
    PID:2656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:1340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:3964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    3⤵
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5996 /prefetch:8
    3⤵
    PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3376 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
    3⤵
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5856 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
    3⤵
    PID:3696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13452431039406308161,5781692202648120890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
    3⤵
    PID:3940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b6055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\system32\quickassist.exe
"C:\Windows\system32\quickassist.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:496

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3fccfaf8a1284f95835ae3c1f9e474e5 /t 1604 /p 496
1⤵
PID:1304

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:2928

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe" /applySettings
1⤵
PID:692

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:1364

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe" /applySettings
1⤵
PID:3100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4136

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
3KB

MD5
fff5e191cdd7efcc4d2c0f4ddfa6fcf1

SHA1
3f4d4bc5a84ae8a138dc01d7b2d0b80acb89e85e

SHA256
c83fa6e24c7840ec8b5e02cf4b1c90454ee5b58df2086ad969712372c8c79d9b

SHA512
3b28179d25c58021cdd60bc462da9ead4b9fb577557a0a19fe5b0e31c79ec01faf616142c1434e96911b993c9bb18f9d27050f1cacb2011c142d703661c7b055

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
fc6f5b2fd5383ba277108d423bf497f9

SHA1
c9abcbd6dc0816f25da86cf1e8792912d9958ced

SHA256
3c184505983eac4db9b4ce88a9e4633e81a3fbf2956f9f1bd7e8185a5d53d7b1

SHA512
81fe3e93a54ab9c11991d8541e5c86eda31c9771d870031a080ecf9b4f5abd1e1c92111fcb644b66a805c8ba8122de82e543bd52fb19f8b7bacee0cde9eb9ee4

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
e46f6be0d517d6efbe1e6cf15963b1c5

SHA1
e098d30654a5757fb9bdb5cbefabdb6eeba3a533

SHA256
c18192f057b095435fc455df8a42d63cc46c6a2bb8d1d9c91fbef927e029630a

SHA512
690b7cf8e6b96887fff498acdcec32c6f80a9cdb26bc3f56f72746e251fbcfe6ecef78020bbf6c679ed2a9e64feed5df8185f1232e29f1e3ddc1b90f3b3a146d

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
920B

MD5
911ef8b5e366e77716a41cc2882c9f28

SHA1
3d44c4667054a10990210649080e6a89dc7a7aca

SHA256
b70b48c69d14634aea74036eef32ecab5b3879e8cdb128ed1e598055ce254fad

SHA512
9898ad4a846e6553f738630ce7f61b4858c8e2e9f1d2134bea2ab65aa43cf8cdf885d9908b96d24de2cec7495237417ca87ed760be7924c49ca02963e0adca74

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
920B

MD5
e47f4c724d8a9270f156cabb1764954a

SHA1
118ec47f7072b580ad164463bf9801046e238c94

SHA256
62c4c68b70682cf253b0a9b67c236d494af6acb2229315a9f3ef19be9c583b6f

SHA512
40dac508117163406dd83dc3c51883c1c556cd9153b150c4924fff2a4cb456b3463c70125bbd4c71acde481f0dc0c5f39a30761c0a9a879c0a270394f65d2c45

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
920B

MD5
7ed83ee62854579d728a2c6086084b8f

SHA1
29065f3dc95f344380e1d32faa89cc2efece794c

SHA256
5fb9f6d1e543f937bda135d8816fb032ff03d71acf5e12206eabf87a491865a9

SHA512
dfe32d909359524e677769bcdf7ea1dae132378a8af7695f63bcef6338972887ca6d4a47ec6e512cd5bbde78473e18c14fa6558039ca184ace62ddfe4dcbaae9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
920B

MD5
c902a32cf79d1c9cdf39d79c2fec8a0b

SHA1
80edd0c3a5c4dcbdb58ba6f4a29ade8dbfd86143

SHA256
3e64bb0bef9d8e0e36c691871e67acd71fddcb9e559be8ac1bf308e891bb07fc

SHA512
4ed8bac18264be44c0884cfd57945a065cd31bf47f89b3893be66a9c38221c9aa95a4ca0614a045427c690422f957ddcb8e2e4f2eca32d6bca52328049ee91f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
c772be2a7261a7b3e17e4504e21cb011

SHA1
fd456a8b35b39513187a4d01704feaf111b31b0f

SHA256
1a523755322f8c86276fe01a873b5d5ff4d389b7503b2b960e4e6638f86b2873

SHA512
993be8ae253700068b6612d555d27a504fe594995a1d20aeac6c208a0b971be8dbc24cfb204fb082bab001bc5425ad2e336a1400b2224d5385fc51649fb041e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4f93096be8540739ec21bda51d56643b

SHA1
d446256857ce0557d2d7053ddbf4f8f0a923aba7

SHA256
c521fb7aff17f861c175a95233238c5f0d0736a385ae176aa8355419d8b8433f

SHA512
4ba663a8d16ef9b4cfe3108528215c26559a0fedb84cbf845d75e148f1189d6404e85690aeab0c87356f66d31cfbc62e89c26283ce5ba89f37a31673617e79c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
470B

MD5
67fd2cf01f7f67c2196e701ebc4802ca

SHA1
3e9b35e590f6027731a083037edd9feba60c0b23

SHA256
7c7e3815fc0adb031d8008afb0a71d12fee5f319ebccc5c896a99a8074b90d9b

SHA512
7a9e560b12a6fbdf04d5c46317a208dea5f7d6c2d609aa999966e52900c9b0a33b00c0383003ddb39a537ae78bce49693656bcfb361b7180c319e80cbf19f0ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
3c2cdf4640b6da678aca97e2644c968e

SHA1
aeab6e19f00385e6fd66d5d9707a0ea00b8c7903

SHA256
24cfd797c8e9cb31c4a66d1cb769dea652f6ee6055f63fd1e49c7ddb1626dd93

SHA512
6f2d825dddf9baf775987ff04554e7f2d9534a38180dcf1adcc0269e414a72a70941cb2e076452eeff0593a9b77b8aab9251efce7d826aec3e6f95e2c3e7e385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34828a306af1e6523aabc15b4337071e

SHA1
80861254535646adaac5e04626ef03f413581e0b

SHA256
752329a379a92422bc5d3e55d30f6efa3a59b842f194f2b98419e0d2597980c7

SHA512
b36a4c67b8479600ff5366d71a8300e0c3e69cc49591871cba003ffb042a7498b06b737de52437367c8dd0aa374a4a23c683dfceda620e7023e949b9fbd72775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8db48beff32c71a4b21ed47f89ce9792

SHA1
b146a60d88f1c34fb8232661f86c7bc166c4b32c

SHA256
8bcf265a3f70c1ffbd75124a7a7e742c77b14e9ec5f6cdd5dabe4327ad2c922a

SHA512
a4c3b11a5564991eef666d6fc51495f0bdaf91ab4527e701ac03fe9dc93e47814b454fdfccf66f5bf3f495c4005ff748a3f8ebf3f08c90dca7f53cd93c8031ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d2d1e856b283e3666f06b1dff810347

SHA1
d8d2ecdce909d492eff30047b43c1024e2dbf96e

SHA256
0619bfdfcd90972a0d67beb882682bc49ab7209af1c4efa6376f9d5d038a7627

SHA512
7afcf2d79152dcef67fb01127caf24fa6f37f2b78a894efd40aec1c49fe3ce4431135df82c696d8a4a75b9b5ef8e7bc63d24ff2d84477395c082ef2d536cce37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4a16e52e5e78ec8ca70ceeb1895b3548

SHA1
50a4d5ac239b1dc85c94f480b9aa4fc862ff9a58

SHA256
60651732c03748182e3a981c65f4390919e7d9bed7498c3258d32fe1c0471755

SHA512
68263a9a4719e265bbae97e9c39973d6d7bc68ba3f09a352632c353e825cc825b52822387e2e6b659d44eb302317b26a951235ae6d4eef49b0645518d1d146b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9b6dab05bb9f01627a2bf979c54f98f

SHA1
d20370e4c00fe29a8ee10eaffecf4556871b2572

SHA256
c9855a0c2c421eadd62691f57c59d5ad3a35ee8bb46b472894e333918d60b935

SHA512
9b6a139d22b3a4c6c85df4b37906ac76a03068968e7709613f6c4d2ff6568b7c25beb1b4d7b030df8cfeee3473ae4a769aa6bd9e3674c645bd9453eba396327b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37bace2b2ead3490f0d85599a4829482

SHA1
2ce6bb8469b87b141516e392014f1dc5631d4b6e

SHA256
ea86e9d53a73742ec9dc84b89cb88c5366947e23ea7296bc72c6d0bb80debfcd

SHA512
560b22bf27db4c448df3f49cec66f6b94c63196bd731bc2e52a6575b2f9666c8a14d1d70dff55d6e06529e1988c66422d0f94c579ffad27c869a71edbc35d745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
daac844fbd742d2a41610779688d2814

SHA1
c3f77a96908a42f15546d2f7f35f305ce78c5490

SHA256
d4646a5d61e81bfac4ed2520aa8148c9080efc0dcac347ac1dd926986841d86f

SHA512
962dcd6220a6e899a8c9bf50231638a3788b33ce764f1d4557b1ae06b02e716bd9bd71424f671b439ba2d2fa2be00a278cdb9cbeee171bd7f9811ec2267ede7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
e454d71f066b84644d9f84f36555f10a

SHA1
95a7f6616ddfb262928e5dce8782ac27d78c07d4

SHA256
387121bc01c07332b189f86f5a45b5a2bbc1450b8ad577ee9325c1860cff294b

SHA512
498f815f007f2a4c50cca0e8df8e1f6072af0a183e021b648c95836c8fd53cfe0d98f4b4735b819c67b05f5ebd5efabe79dc8c2b72ddaed8e94bc10d8fd3804c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bb2d2.TMP

Filesize
203B

MD5
e5fb9ce79b25cd61ca8e346ea7d8d50f

SHA1
af09f544244fc2a9672b0a27d481cde775c7c627

SHA256
36165eebbcb7b4ed696dbd989488ec80079f33b6c92f9d4a5c4ee57fa1cda4bf

SHA512
45d134f5c334d93e35f1632ac5e7ab213083aa2ced61202560133ee7f80ea8720f67097e04ffc0072cbb621748828b051c3b6727d45464dc68464fecb7dd1f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2bccc03db9fe6a23c8de063e696115c1

SHA1
0b3af79d843fbf7debe1fc93756c77d2830117ae

SHA256
c6a7aab54d52edd31c9790a0e57d1c6e3715562656c7a19aa4625f64b0135d71

SHA512
909ba25bef69ce3c92c052e47a8de767768c4eea4e0b289b7f2881f48834fdf32978582235fd633d6d3564451af582426bcd68260ad242efeb8e9959a9dc194b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd0e0853760b803a9d7529e96e83d609

SHA1
80792a431c837bcb97532b021c3eebb968b3539f

SHA256
5122d77fae22c05052109f5539f8188ba9415603b6208f1475a1a0eff727f5e1

SHA512
af65099935649ce96fb87e662728c86a2494358c889759993281794c84a7a82fbc268a9136be6e0f5c0efe599d0fcceed973b9731857553765c6f7b73b3718d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
fb0a3cf93238a1f150c8bd7e63096a51

SHA1
88cd360201ae7b3f3f16f6c52a6e395c96f3a9b6

SHA256
81d427d39443481dd6541531efd50f53bc5b0017e0bd047112756d0a671716be

SHA512
2492121e03f0b176a9350493fdf54003dc42f7fffff68ca0f17de8faf8e4e92e229b763890cef4cf3c119e0f1d4e90c0711f87a09d956b9ecc46c41606f15d46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
e269efd4a8633032ac23de846d6b5ecf

SHA1
145791040a7ddc8193ccb82d863b32df04738722

SHA256
1c4cc3c76306bc8857d6bbfd50aa6b5dd17ba2f7a7892077854af6e8213c69b6

SHA512
197fb981d287f560a65de3f93c4a9721ff8e78fc15fa3d13d20bbc097713b7eae0e2cd0327abcd0ae745fcca632816256e460058dcca82021b221a25aef3f7a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
32KB

MD5
276011015d457aac01910b7cc6e65c4f

SHA1
737ba471f8ae58a7999afd074ff35933d2825fe0

SHA256
09597eed2e6c0786554382e018179a3cf7912171afcc6b413d8b2a394221bb9c

SHA512
4cd843a87ecdb065395e2fa8b65a154895e6d96922ed83e1fba39dc7390db2b0db9f11493bdc16c5e06dbdf9058b2d80bd50af5941dfe81ee0e46d157c2e0074

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
38KB

MD5
e72a3040b3370fd4d06a2fd3fd082f5c

SHA1
c8db4c4cdcfad3764d754fce02577b749b5b444b

SHA256
096acf89efc9da3ba07357d59967e26087ab68dd4b735e2d226e3ce50db52210

SHA512
28a234bb514760263ed1c672f6516f876cc9956f05e80403db89641a71e53e2f0f0f2fb4eb3ca226366b4e1ef1a0c70656e8fcfbfcb7db4b774fc5574544db35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
2d3c9ed1aa78a8dae08bdf0ee7c357f7

SHA1
6ea10c031b1833268e228dbffc4cc6d78bdb1c7a

SHA256
9bc86a4e2fffec7f76e436accd2bbe17e0377cfffbc5567fcd210a305d5b147f

SHA512
66e2a7fe543bdf8a1b11ef1f2cc49a3968578ff341b46d29d136da779af64c81fc3f1456dede60dc45f14c99597bb743a69536e80f04dd3df57abec0caf81a93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
33958936c85db2546b75a4028aefa845

SHA1
908805649008d99cad934d75978416df1772cf43

SHA256
f9adf43d299a685784f442d12bbcd788ae997ad9a7a243f4c17cbad28f254db9

SHA512
98d3d890f591b6d0fb36651826670eedeca6c74336a896f79602069866e53e4e178a66deed70e94b2fcbb03500be3882cacff94c8b74e42af368ddd0f72a2dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b47cb3fcf0290a01335982ed7878233c

SHA1
dc7a4bbf24fc0bd89d3e08a927a69708e33c41ff

SHA256
b2971b10498f32fa19bf33b0d5ea09dcb6456db5bbbb84a3953c54e9ff4806ea

SHA512
71fbdf50aca7f8e35a0f5d39c2b50f1e5651175d09dc20c82446d6e362b9a513a87bcd4f8bbd0290b38893d963d28c6db7d45421ed9eb4b69292f21ca0a79022

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
ab4c46fdb27be6392f974d99c61034db

SHA1
1a32cf9ceff87a05f710a4283d2754f1401253d0

SHA256
657f52063f90fd8b8f6e87f303c4994d3b38d3efaf19d7c16901f3f4cfea2db0

SHA512
623c112cdeac0fbcad105b71344c38dee0151088f0d406c991e529c9a218c83f8870c7394e8d0181e83d3ba06a6705b9acd0e7a86536246b31adb341137bc26d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
a15d5c51b44bcb0717a542cb57006fe8

SHA1
2495dc4c0afcadfe9e4af5c8bd1056c45e40b8a4

SHA256
76c9c1d606b8ce0fa454ad44d7f4f461c248a60d99566a813d7a82d301d55a92

SHA512
01d840c3741de4a8131b9e0825fcd5e4f60e6f112d940c7310090648f315ba1c2c74fa287be228d6484ea591f526e4c84f1da0e4511124e213966be20099e3a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c068857a310c47aac491e386aa6a3ffa

SHA1
21701d312f0a4393d2433803c1ee383f48ca45a4

SHA256
3a4b478bfd6588ced996f58dcaa68141e8b07525c8e599f20bfe69ee864bcc20

SHA512
e29867b94358687016ce635fa388180414de4dba2039e196df0a35f2729d10246cc0019206c7d53c6348e4bc41ab149323ce9aeed7dad71c38b43eb727624d81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
9KB

MD5
400490c3fbd162b8aad578628221ba8e

SHA1
6c116538d986c9edb4a530a449671ad62f32c76a

SHA256
28a46671026a37912032a00a9f1c7cda967a7e84d663cdfbbbf4cc9600a349ba

SHA512
1b002e7e840efac1498c7824022c7b854e8c1515d1c213c1537549adb03ea9adb08a048dee075a70e346159b95a7bd0103eb5d0116a7f35cca206d6d9814f58a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
78faf22eda5a86373d9ad8ba8bf7004e

SHA1
e4687ca2e038b83d5fcd1149527c5fd79494b076

SHA256
624a12deee65295037f8d0274c885d1a1e270312a4d62972467420ba263ecf52

SHA512
ecc0f6639a3fd252a28375aa80422154b22ad2b8aaebc12f5a8e4b18f5bcfe5269f0984aac93f20b7bcb2efe99e7a973cede23ddd04800639e68911172a5fa51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f5e91d2a2bc7a30950b0b722de0b12ed

SHA1
28ffb446acaf992b2876b3604f67e30411d52d26

SHA256
66ab9656d8bcba3f3d30b6e6adf835ace1463f2f21a82c37c3336d8d63d952dd

SHA512
16046befd6c9409eb33438ea68dbd5a1096d7b84adca30da2dac782cc41b36a37188b5267f8d03513619e29f29328e3e3522f4ae3def736477f57712cedfe27d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4ca121b38a87c97a153f3e2c38f6e061

SHA1
e6dd4ace9d5b1b1a4a5a617b04fb4a3409bec742

SHA256
76cd2de067207dd4192276c78026069a3ed13169db3a134e490ef2726a905efe

SHA512
82f78be79c8196f39a82fa01740095414508d2f769778983cd872264f8207e5b02753520846b4ae0c2bc786319685d8b74b89213914f9f3f5b9b650c0b0610ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
86855dc0987fce0560d169182a980f36

SHA1
7d20f75d6ed599b92ecb025035795875044ddcb1

SHA256
ed083660601dadc5f45682bc93df02814c488f98aad88b966f059aaf8e1820d1

SHA512
343e7e0e975080197f802df9bfb75ac8d7d78eb65d2b9b3604f7aa5f90f107c08fd949a66fc1bdbb760d37f1156582c002d625583dca61226d10fa54e4e544c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c9b0453e12cb541e3615c764565ec047

SHA1
41491057c3809b7b216a808927cc557f33c709ae

SHA256
b645f0ec9777bdf6c85dd7889a5696ae248104666e11e0ed6fd0bb2ed757b3af

SHA512
338bc73ae3bfbb993b37167df12824dcb5e77777933ed8ff6bd4463534800b4829b4bea20ca27562a8ea321beb3d5e6b91ec531fa919a0eb0c3d765bd7dd09f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b7f561a201cc7f96852b2476a1086606

SHA1
be39289674e1ded0b31bafcb6de55c07484479a3

SHA256
8f70a5a1683934185a9fd748de10231ff23aa0682a8a5c7da42dc1b8cc8dff4f

SHA512
84d57c72091406e1280549222e9e83c2888c0ae6e61cb0af12cdeca4014fe84970e32dfdde779b2b4bcb813c05d57063197c0d9c8dbf75cdd6c9bcc0e18ffbee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5ac8efd19e434345bf4e8ccc76918eb1

SHA1
5bcf5d00861d4c507a1c16f68e6b06473456a37f

SHA256
81e1716406bdaf05d0ad75c3933a746a740dd98251250ec86b212bc67838e291

SHA512
4ef9d17ac2c575bacd5a011cf7d4141182c6d7aed6806cfefe14e70f05f76502b4cfe0606819f7ed898b5219a743b0fd94075168acfa0f6339037c53916d62c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e3db5b1be815ce41e290b18ff8b30d46

SHA1
79a72c58dc5fa5d8e50cb406ce4237d51c2cb75d

SHA256
f44b45f67d4e0c4b6055e3274d433c9a1ed19db5bd98d624aa9f64e26173a6fc

SHA512
dd99ec9f14682f119adfb1568e32034f7cec451655dbcbd9abe1f2f5ae401578a2e68f234ecc93b5952f1bf14148fe00988087f87c51c9c33e9e2aa6e3a87a2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
028c2a250b9cf4b68645dd4ee7a8ecf1

SHA1
6552bd318c3631e8ee8c5ec1258b7bc860edfc06

SHA256
44ad2948c9f9c8bfafa92c05df7323e8560e086d5cbb20131cef24add96ded80

SHA512
5e563e634ab3f8c18a1a6bacf36b71195f937851832e86f4f193def92dc81f0e3dab93c41d669075d4cde489959819aac1c64eb2171f43261e7043c31bf49d93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d35b5cd60adb88d1a53164220dd37abe

SHA1
25e51718e819e15fd3248d6f361e5d955f9e5cae

SHA256
72b413edb4955757a8b3c4cf7d4235b827f38b4be3151bcb327c10cba26e4892

SHA512
50e55d3af0dee365ec0f13bd80b283d0c1fd5152a3ba4c14a5bcda5ee7d9df8fb704c8130c4082b78f2488ee57f3a6027b9820d66872dd7e03a39d7efb732cd3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8cc19839dbd490979efa8fb89ea0c49e

SHA1
382d8f7dbd66cf124fab91cf2802bbd9bb2feb66

SHA256
f2ab66710c3bd0d8250df5b8e550e85fb824d2dd24f713eefade0bd44c28dc4a

SHA512
778ccf92439f972df2f4745f7f6f3f42ffd3b75941164163c088de7f3c07fd196c55e64ee43770fbe11840426741a905aada00c9250a70eb24cba1921514d5fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
01b56efd86c0b2edffe57c8f02bc7459

SHA1
a113fdf6a328729d4ff1f750113ec6965d08a53f

SHA256
58f4fe34287946604befac4715e81ef509965252e22b3412f63583b0edbdd0fb

SHA512
708dba15814ae2aeb2b6815c4d060383ce879d76a6ee51965d326f4b422c291438e13737681b6086bc77e1fb22fadf4f71ed38d1c91dac6863226188fed56a78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b5f9906b31a0b2386fba3bcebd74d0e9

SHA1
ffc1dddb0d0b5cb58d2b5def7630e9056dce2a4b

SHA256
3d1584e7f2cbbafcc2712d64cdb6edca48ca6bd2a5e2775485837746f257b075

SHA512
664f40012c240129546786f19eb95404fd13c92d77aa44d4c3f1d835786497e0f6fdd3ff01e8048a269f1f31c4ec38ab6f21cbe217b8e4038eea309ae8d82ba1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8a2764ba4bf334a5f74ff58067992ce8

SHA1
d2624c7e8b8665d53cf189ceea5c4d8aef9aaad2

SHA256
7fb491dd39be52c37384dfc2375a1b727a23a31cd29ffce9dc9fd6800d2e6623

SHA512
79ecfb4e3ee7b16f0eebf9e685dc1002fa101288aacd8cc94f8b278b15d9b8be0ba3b7e9e57838113160ab175cada71df90bff0c4209bb676ef4620d931903da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
9032e795be9a28a621143cbdf4de6822

SHA1
5446e1276dbcdb81fa22f4eb9708881dd510da65

SHA256
ad1857f0bf79169503194189efbd4f8056a3320fccfde6230497b45d19005ac8

SHA512
ab3009fce48875ec8aece148330dab2bb271ff827659a2cb9440718ab5ed63c1f4327cbcbd8b4e768a563cfbdaca7c5771523afa329c6b6c1f1a7929f05f8b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
783a3290188fd0afadf21a944451ffdc

SHA1
ed7eb1222e1ff9cd418f585390a487f8830d17ac

SHA256
ad10751212713b98b81713125199a451c3105eab35561fedee4662fb9db70b12

SHA512
8093f64bf078ea48f9b4eb62f056e49efb5afaf1a59c8e08fa8846b26c63c837d5c73a045f534f12bb3e008bca231a00728ae180954a2950e5d046743de1c191

Download Submit
memory/748-1082-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/748-1081-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/748-1088-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/748-1086-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/748-1087-0x0000000008B60000-0x0000000008B61000-memory.dmp

Filesize
4KB

Download
memory/748-1084-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/748-417-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/748-1085-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/748-1083-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/748-1081-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/748-1082-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/748-441-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/748-442-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/748-1080-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/748-452-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/748-453-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/748-454-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/748-1078-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/748-1079-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/748-467-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/748-1076-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/748-1077-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/748-1075-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/748-1074-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/748-1073-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/748-1072-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/748-1060-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/748-397-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/748-467-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/748-454-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/748-453-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/748-452-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/748-442-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/748-441-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/748-417-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/748-397-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/748-1088-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/748-1086-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/748-1087-0x0000000008B60000-0x0000000008B61000-memory.dmp

Filesize
4KB

Download
memory/748-1084-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/748-1085-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/748-1060-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/748-1072-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/748-1073-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/748-1074-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/748-1075-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/748-1077-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/748-1076-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/748-1079-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/748-1078-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/748-1080-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/748-1083-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1704-468-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-320-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-320-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-451-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-468-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-469-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-469-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/1704-451-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/2836-295-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2836-292-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/2836-291-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/2836-292-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/2836-295-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2836-394-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/2836-394-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/2836-291-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-297-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-297-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-18-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-18-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-33-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/3672-235-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-235-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/3672-33-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/3752-466-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/3752-395-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/3752-401-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3752-396-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/3752-396-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/3752-395-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/3752-401-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3752-466-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-17-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4404-4-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/4404-276-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/4404-23-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4404-279-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/4404-1-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-83-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4404-88-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/4404-233-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/4404-234-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-0-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-234-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-276-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/4404-280-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/4404-1-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-281-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/4404-282-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-283-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/4404-4-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/4404-280-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/4404-17-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4404-296-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-296-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-0-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-281-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/4404-23-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4404-279-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/4404-283-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/4404-282-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4404-83-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4404-88-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/4404-233-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/4564-21-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4564-236-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4564-31-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/4564-236-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/4564-31-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/4564-21-0x0000000000040000-0x0000000001777000-memory.dmp

Filesize
23.2MB

Download
memory/5024-1124-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/5024-1108-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/5024-1118-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/5024-1098-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/5024-1116-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/5024-1107-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/5024-1117-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/5024-1121-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/5024-1120-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/5024-1115-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/5024-1114-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/5024-1113-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/5024-1100-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/5024-1122-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/5024-1111-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/5024-1123-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/5024-1112-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/5024-1110-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/5024-1109-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5024-1119-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/5024-1098-0x0000000000A70000-0x00000000021A7000-memory.dmp

Filesize
23.2MB

Download
memory/5024-1100-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/5024-1107-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/5024-1108-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/5024-1109-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/5024-1110-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/5024-1112-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/5024-1111-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/5024-1113-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/5024-1114-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/5024-1116-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/5024-1115-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/5024-1117-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/5024-1119-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/5024-1118-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/5024-1121-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/5024-1120-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/5024-1122-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/5024-1123-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/5024-1124-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download