Analysis Overview
SHA256
04fca867c197ef8afd566d6c650ce8b87c413488df24ab721029806eccb74807
Threat Level: Known bad
The file AnyDesk.exe was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
Manipulates Digital Signatures
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 16:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 16:29
Reported
2024-05-09 16:32
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
153s
Command Line
Signatures
PrivateLoader
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8F2DE7E770A8B1E412C2DE131064D7A52DA62287\Blob = (binary blob value omitted from the report) | C:\Windows\system32\DrvInst.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2E0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2F0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2F1.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2F0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriver.gpd | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\anydeskprintdriver.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC241.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriver.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2F1.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC302.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC252.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC252.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriverRenderFilter.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC2E0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC241.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriver-manifest.ini | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\SETC302.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77} | C:\Windows\system32\DrvInst.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File created | C:\Program Files (x86)\AnyDesk\gcapi.dll | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AnyDesk\gcapi.dll | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0" | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-auto --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
C:\Windows\SysWOW64\expand.exe
expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{55b329af-dba4-f043-8a94-ac85561edd2b}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000134" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1c89d8b9-c7bf-4244-9ddd-f054a7b3859e} Global\{f40b2826-304c-fd45-a83e-371392e3d2a9} C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{5c81737b-cf0b-4c4f-aa24-1d516b277a77}\AnyDeskPrintDriver.cat
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| SG | 15.235.218.150:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 150.218.235.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relay-2cf7befd.net.anydesk.com | udp |
| GB | 195.181.165.139:443 | relay-2cf7befd.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.165.181.195.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| GB | 195.181.165.139:443 | relay-2cf7befd.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-0135ac48.net.anydesk.com | udp |
| GB | 57.128.141.165:443 | relay-0135ac48.net.anydesk.com | tcp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| US | 8.8.8.8:53 | 165.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:2400 | N/A | udp |
| N/A | 239.255.102.18:4321 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:39753 | N/A | udp |
| N/A | 239.255.102.18:46307 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:557 | N/A | udp |
| N/A | 239.255.102.18:48593 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:6797 | N/A | udp |
| N/A | 239.255.102.18:22679 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:10127 | N/A | udp |
| N/A | 239.255.102.18:62844 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:35871 | N/A | udp |
| N/A | 239.255.102.18:52518 | N/A | udp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| GB | 18.245.187.128:80 | api.playanext.com | tcp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:7096 | N/A | udp |
| N/A | 239.255.102.18:7894 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:17022 | N/A | udp |
| N/A | 239.255.102.18:23995 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:15677 | N/A | udp |
| N/A | 239.255.102.18:6880 | N/A | udp |
| US | 8.8.8.8:53 | 128.187.245.18.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:20045 | N/A | udp |
| N/A | 239.255.102.18:12154 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:32745 | N/A | udp |
| N/A | 239.255.102.18:25043 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:55689 | N/A | udp |
| N/A | 239.255.102.18:28606 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:46384 | N/A | udp |
| N/A | 239.255.102.18:5196 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:22169 | N/A | udp |
| N/A | 239.255.102.18:18699 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:63219 | N/A | udp |
| N/A | 239.255.102.18:51354 | N/A | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/4780-0-0x0000000000BB4000-0x00000000017E9000-memory.dmp
memory/4780-1-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/4780-3-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/1784-9-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/1784-13-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 94fd890ba2debacbd1cfd176535283f2 |
| SHA1 | cb9dca4740af65d911ac2be46c36eea788ef7359 |
| SHA256 | 0a33921a33c6f8b88f492392f67e7f861a1f7c81b26bcf19a4149029946b0092 |
| SHA512 | 18950797bd087e5c680488c5269b55673459a1685aaeb05dd19a57ddab82ca4bdc997d2cc94e524358889ff5857d71051e1a8d87ae65a86ffd507d36c2e304e6 |
memory/940-11-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 3d616c6a7b748ad31614b36e1c578530 |
| SHA1 | 1a397527ab845ed7fbd8cd5745ee9cefa811419e |
| SHA256 | 92a89d6d706474f91a9d893d59ee01bb12494935131f559222ede243ba1abac4 |
| SHA512 | 9e2e371ec0d5a8829d761aec505effe42e2681f9621eb999dd7ea2a4f847b4a6888b79a8427f91a175d3b81c6842ef71f0cc0b6ecae186040510544fea907a5b |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 1cca9af571cbc5c6696652ce37714e0b |
| SHA1 | 9afdd976d37424b8e5cac3e56da142d6ee60e732 |
| SHA256 | d0e20cec63ac68def16b7b650f0b0019663d5db37c0aeee659390b75512efb9f |
| SHA512 | 84e1f415cd5d2cb16a78c7f1a08118659476859723ae93aa4ff7d8465b21177913c29b08b4c7191a2762a93ce75665aab82a608a1727170f484866075dcf7a97 |
memory/940-28-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 979412445e04edddb523bbf64f2d9e25 |
| SHA1 | c627de03ba6be7c2e52c4ac0c8494b250f8ea4fb |
| SHA256 | c253a9db55efeb183543baa5965f0d279b0e4ecd7e6211e231e8e8f5c8dfe596 |
| SHA512 | f548475ee4e83bfe01c39444c90502f86cf5245eb51335d3d13186b967df0f7cacaf9ce5125f3ce104e08a1f27c215af08bf185afe771d74ee5c0872aa7f4c3d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | b161f4fb3c05bb146fd2b7c47a85ccfb |
| SHA1 | f325753dd6cad6d76047282663022ddaae7dabdb |
| SHA256 | b7b09481d7ce06d34aa839bf4d7c7d8a16ebb723b477e11fe3b6b367d1de4910 |
| SHA512 | e0798a9c89975fee10bf404f10bfbed6a6efcb948eb543396d5605882d0f6c1b81679cd23c47983a70f1fe325d3b3d23c2ef63d276e5d1bde42b0026f742b96a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | 034c5c050e4c7329372c53977bccef16 |
| SHA1 | 4e5e8492dfe36bb879e4238b9d718c80a57a3966 |
| SHA256 | 09a34d872bccfc59baa401c7db3825dd7b9df0df8e113d061385d7af8500c43d |
| SHA512 | c8491c3c17616e5933529bf00d994e60bc5f8ea92b6bd15652d868eda30241baf75d391a489df9d37b0e5eb659715fd49365a4fcf3c8b06ad27a1c0e0d42e7fa |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | b3931dd19d698e7615aea24dcc703ab1 |
| SHA1 | 7f0df2dbd9a2eb84cea9eac91133e0e6f3072060 |
| SHA256 | 3fb7a5f3e4816e34a2121341d05d8839ea8fcd472a4c865b39df0965dcc8af2c |
| SHA512 | 2707a06d1caadded73337b7746dbb831bd5d302819e17f92bb39518f073c9f1bcafcb61e8736117739de3db9a322d2bc73ac2654a7cc8e16a5243adf43616120 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 49ec41bb79314013c9afb5da11c3d944 |
| SHA1 | d26731572315dc8ecab89403239bf899f9a1dbcf |
| SHA256 | 49101630862f5c9baba9ea8c66ac3d939d1c06c2c4939f3f023b51647c13d0aa |
| SHA512 | d5d431067ad242d6855fb344d16476a84f74f737443b123da977b9e63c4d61e4798cb5c0f7f99a3029c08980d8f36eef3554058820df17efe9db7d54677d5aff |
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
| MD5 | 18a3877468da52d14d36f80ca8795002 |
| SHA1 | 1aa3f009d672d9610f90ec215f2061d9193ca6e4 |
| SHA256 | 2066f79e692a7555a2c81569671a8011d0561dcff29d8d28691286cf3b15e4f0 |
| SHA512 | 6306ef2961b35f8d63c8656041d30c2e12d4a0e58270f2cb138752bf9bd23553f0354410ba43905f7cbc91afafec317aa18a2a3d1c097e7e2fbdc0943bba92b2 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | c53707ecce12a62087de4b3b1c6f7f18 |
| SHA1 | 39c8edfd5d114b76c14b05d0812efd789d59d80f |
| SHA256 | 9d18b5702eaca08da1cda768e343e1da18814cbd8907e2fa781342fcbd6db160 |
| SHA512 | fa769a1615a21173804c70ea2d3a8cc31c4c6ae646f7e05014370ed584e73f8a175c8d927d7a9a75591fb4d49564ecd6dd4c048b95ac67fabf7ff9fab74a9fcd |
memory/4780-64-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | f7815cbc351a13aad3e262bf5eb46d2b |
| SHA1 | a50ffbabf65e158143360f382221e12fb8216b2d |
| SHA256 | 4fa0d66bc56dd6342caec1b9164630068523c23b37c6233a50e5e8454e070cda |
| SHA512 | a0f5450d03f385d987b9d19cbec307fd2ee5d9a5c4b7df0421eb607f7e864dc5b7b9753a60586200f7c78b34b3c8a76184b8794cb0f5b5c2abbeda579e83ce9a |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 743118d8394cec9ef84dada75df3c319 |
| SHA1 | 0431d662c3dd369c65fdf46b65d023a1ab079922 |
| SHA256 | 56d53b94e5eb54df06c6fe3010419898bd9a9a2aaffdc2d71bc44abbffa15952 |
| SHA512 | abc121eae86bd1c256a5999dc6bd87fe3e9ff91b8ea6f9156ba162f38c9c13855f166cc51b88559faa9aef77f448a1ba301d360187601c0feeb244d0544b7564 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 4907fd937c2804b3f19994cc45f6193a |
| SHA1 | 1cb29267822776dc53ace9919f421242b46478b2 |
| SHA256 | 9e70f15b88ad2c33e19eb68fa661855455beebb307b3b0468273e676390af2f1 |
| SHA512 | 1b1537da323807849cecc071691bb2e83960d367ae6da19432edafad1919bd33c0e8e8b37424e871def58aa3c7a339cf97295ec67b79b699257ac9837946d024 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 6bb921058f57f15349adfdb40ecf03a0 |
| SHA1 | ba06fd33cf6ef6008e96cd6bfcc610f4d8bbea73 |
| SHA256 | 39692650a7c47101b4bdfe6b5fc35076f2f6482b92cce28201e55fa338776262 |
| SHA512 | dc5d100665ae33b21268d0b6a94713e5ff962a60ad4d936bfb2b48219013af97b92ae7fec1aa085489bc218449b2b6f0cb988cdc17ed51dc4853db2fc2552d5c |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 46f5f08e0b4a380b51c6a2b04a0f38f7 |
| SHA1 | 3607002bf6f9f13ee56b27409666f2494ce8ec4c |
| SHA256 | e2c1a580a15c5ae765a1bd24bbceff33319614bfc9bffb474296c4cbd5d3cabb |
| SHA512 | a5c3bf8269510e27cc9339645312634e0c3ad2f8079af2efb488a0839bce83610bee867c4656de68efcbf731d5c67f713601278d61c1e26dfafcf1755ce1b232 |
C:\Users\Admin\AppData\Local\Temp\gcapi.dll
| MD5 | 1ce7d5a1566c8c449d0f6772a8c27900 |
| SHA1 | 60854185f6338e1bfc7497fd41aa44c5c00d8f85 |
| SHA256 | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf |
| SHA512 | 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753 |
memory/940-110-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/1784-111-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/4780-113-0x0000000000BB4000-0x00000000017E9000-memory.dmp
memory/4780-112-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/4780-117-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 84fedf55f8c8f4c2ada0517db4225f76 |
| SHA1 | 0528b7206d516ce9190de6d6cc22c83fc405b56c |
| SHA256 | 094bec32b60633e0ca914cde94f5a515e88e48ea6cff2f61bf73970639e6d393 |
| SHA512 | f9775a7ea8443650fdd468a526639d5299a8ab97377fe09baee340aff517d6d35100867f5a5c0520f9c88d0859d220a539a75b2b1c35201ca8b8f9b2b8ce99f8 |
memory/4276-120-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/4780-124-0x0000000000BB4000-0x00000000017E9000-memory.dmp
memory/940-126-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
| MD5 | e33aec5aa7033337f6e749a7404f92de |
| SHA1 | e34d97910aba3a86bff54648f25f54d9e8fabb6b |
| SHA256 | 04fca867c197ef8afd566d6c650ce8b87c413488df24ab721029806eccb74807 |
| SHA512 | b40eee505c6033c233097898ada43412ae2711073f7adc96b68c4389fea414059dd6322157ba1239ca486b3a57d9ac6a5df59eb76f97132c30c7cb899a3550ba |
memory/4432-147-0x0000000000650000-0x000000000163E000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | d65693355bb13c4aaede5e1f0b6360f8 |
| SHA1 | b1b05f0d6be91e99556cc1594184b8c222224d3e |
| SHA256 | 6af27fbfeb095c03ec4881bd081ad9926921e3fc9f26c980d6174b67c78d8426 |
| SHA512 | b8f3c6cd37938c0d501d613927e7ee1e600a8f84b2fe23f5e1b49f0bb40011ba1c5c79d856e2f760e1396cb9f9c2b07ec735fba9a28a42df42866834d04099c3 |
memory/4276-156-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab
| MD5 | 5a4f0869298454215cccf8b3230467b3 |
| SHA1 | 924d99c6bf1351d83b97df87924b482b6711e095 |
| SHA256 | 5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a |
| SHA512 | 0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | ff8d3bfd468668aeed72d821b7d4c0bf |
| SHA1 | 6ea8dd030b846d7159151767ba410254fb90579a |
| SHA256 | 229f69b17c63e98c1b4ed65094e9671ef467a4f807102a21a73c49f1073373d2 |
| SHA512 | 29d42be1e06246cdec710cf8081afcd6326a9dbc46da5e764ce0339d4a8dd953c3ecc915f7eb9afb52f5c51e03276fcb7ff08ac44eb5b2233ca8ff0b4e75cece |
memory/1424-166-0x0000000000650000-0x000000000163E000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | b5192da50050ab29ba85abc7e71dceb0 |
| SHA1 | 70e9246efef36ac32ea116198e87d6860a9232d1 |
| SHA256 | 1256da69f9218253b815404c1ccfaedaff1e4fcc36f2e76855754594b32d7b68 |
| SHA512 | 360fb67e5a0a60e74de3c6c39cbbbe8c39137ef3b6d4f90b2e63d1bce06c3a9223d4a4fa7ca4dd88324c2c29910342796ebe762eeee98c5053cb851efd14b6b7 |
memory/4276-194-0x0000000000BB0000-0x0000000001B9E000-memory.dmp
memory/2972-195-0x0000000000650000-0x000000000163E000-memory.dmp
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf
| MD5 | d4ca3f9ceeb46740c6c43826d94aba18 |
| SHA1 | d863cb54ad2fa0cfc0329954cbe49f70f49fdb87 |
| SHA256 | 494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c |
| SHA512 | be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 9583215d91dd0c99a363e7fb6e8ae35e |
| SHA1 | 3c3fa2850ce113eede7e47e39a5fa8e32f9d1518 |
| SHA256 | 6603ba2afd5c85cee8cc20c8b9e0f2068a43389b22abea4046691c0d58114a2f |
| SHA512 | cb3c7a60edd52c781e18c41eaa737c15ce061f4ecdf07b733c272352feb01d356fc60f17888d6f2c827b052f5b2c26346405d6db42103b349f5917669aa3e999 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 6753965d294e3882b6a306f3a0f35589 |
| SHA1 | 66081debad1367b76ca015af5f0e04414adc407f |
| SHA256 | 085422ad93f26d5c27d6a98beaef693ef57fcdf91bcf2fbcd169386c1d52dea9 |
| SHA512 | c1bd0d55c9aee83f7689d8540d8cdc170ddfdb16fe5538f412ed4a8ad7572c15687bf9cac047a75565015342e65c334305db650e310e90692086f115b59fab35 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | feca56e42c443474abb76b719b661650 |
| SHA1 | 14569b28b8a14a72251692d29b1b79d4d995f3b7 |
| SHA256 | 27e4503fdb45b12786e7ad9b280aa1701b4f9946769061d4ee35664535db4968 |
| SHA512 | d13fc82b59abf714861383b6a395b63dea20905fe7939ba32a70b4443b15a7e01385bef33b7268de54963096c49fcf8d704ac849dbaca2646de6469c420ee8a6 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 549bad6e92ba66d8ec0f3d909b125923 |
| SHA1 | 007853e743c7e4379e09bfadc29f8aa7a37615ef |
| SHA256 | 248a02c0641a3a9b006f78911830fd5e76026acd9ecfbf63ce1d19499629a8f8 |
| SHA512 | 82dc3c10578a69c5a3be29e021cd9b37be57f0b166bc5df1c8b9479e3d9a237ff195cf34135d09a8358fa0e0668fa59e58a63007a268ca8d70715a3420e8f9cf |
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat
| MD5 | 6d1663f0754e05a5b181719f2427d20a |
| SHA1 | 5affb483e8ca0e73e5b26928a3e47d72dfd1c46e |
| SHA256 | 12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3 |
| SHA512 | 7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424 |
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriver-manifest.ini
| MD5 | 0d7876b516b908aab67a8e01e49c4ded |
| SHA1 | 0900c56619cd785deca4c302972e74d5facd5ec9 |
| SHA256 | 98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753 |
| SHA512 | 6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546 |
C:\Users\Admin\AppData\Local\Temp\{55b329af-dba4-f043-8a94-ac85561edd2b}\SETBB21.tmp
| MD5 | e0d32d133d4fe83b0e90aa22f16f4203 |
| SHA1 | a06b053a1324790dfd0780950d14d8fcec8a5eb9 |
| SHA256 | 6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4 |
| SHA512 | c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b |
C:\ProgramData\AnyDesk\system.conf
| MD5 | 6b3fe7f1cee49143653c94b729612923 |
| SHA1 | 1b134f4d7dff33ad2e00c20c7df8b5ae901cc51a |
| SHA256 | a8076d3ffa7847ef1e35852090de398eb16b4ab6dcedf7463378d37c85a81325 |
| SHA512 | e44c6cb1c5e6c4fb5a339fcbb04954fbc02c387bdb191e130f642f194036801d8cbb0e0b44f7a0575c5899ffa87ca228c37de9fe5677eeac350c1a5a14b7e4d2 |
C:\Users\Admin\AppData\Local\Temp\{55b329af-dba4-f043-8a94-ac85561edd2b}\SETBB0F.tmp
| MD5 | b76df597dd3183163a6d19b73d28e6d3 |
| SHA1 | 9f7d18a7e09b3818c32c9654fb082a784be35034 |
| SHA256 | cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33 |
| SHA512 | 6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69 |
C:\Users\Admin\AppData\Local\Temp\{55b329af-dba4-f043-8a94-ac85561edd2b}\SETBB0E.tmp
| MD5 | 1e4faaf4e348ba202dee66d37eb0b245 |
| SHA1 | bb706971bd21f07af31157875e0521631ecf8fa5 |
| SHA256 | 3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d |
| SHA512 | 008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba |
C:\Program Files (x86)\AnyDesk\gcapi.dll (the four digests below are those of a zero-byte file: this copy was empty when the sandbox hashed it, unlike the copy of gcapi.dll listed under AppData\Local\Temp above, so these values identify nothing and should not be used as indicators)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4432-277-0x0000000000650000-0x000000000163E000-memory.dmp
memory/1424-294-0x0000000000650000-0x000000000163E000-memory.dmp
memory/2972-295-0x0000000000650000-0x000000000163E000-memory.dmp
memory/4432-302-0x0000000000650000-0x000000000163E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 91071f7503e0e8b31c7d1beba01f367e |
| SHA1 | 3916ff5ab1f998b2c85681e0e2e6b3e6ae1f2057 |
| SHA256 | 105aac88d333e2b78cf0951b06be1204b2e11520844bedf98321b314ec58b2a0 |
| SHA512 | 976a70d77f2be6e4346d874cb99ecdb087323ffd548712f070f0184e846028fc0097e1df6c71b4b217543e5ed3976098c53cedf8b8595be5774b2cf87c585451 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | dcb5240c3d7fe0a01a5b5bc21c6b8e8a |
| SHA1 | dd054782ee03d91abb916b09d217a479743b4a6b |
| SHA256 | 90d4451d6e4beeeca5fe4f2aa9ef525b83956b37bc47e91983ca6caf44aa8de9 |
| SHA512 | f41402fb6f9faf69610459bad18c3db27c99f158aca0a932afe76309f83b862cd8e9c88bd3288a04642928e704611d3f03588b25e45c01329a6d51b8e7b9a303 |
memory/2972-328-0x0000000000650000-0x000000000163E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | d902b3a1f73d82e729d28745648d0846 |
| SHA1 | 15afc27aab00171d79265046726b67b9210571a0 |
| SHA256 | 45fcb28b4a2d25f9c72dea2d244c2485a3521bded9c34430614e69123acb6691 |
| SHA512 | eb97723079599be3de1eedf83593ab39f7cf558e799f01e3a4664d256a2918b03897b110a6b59d8c91cc35dad3e305338f75bc31b5164a896e05471090f16d38 |
memory/2972-354-0x0000000000650000-0x000000000163E000-memory.dmp
memory/4432-355-0x0000000000650000-0x000000000163E000-memory.dmp
memory/832-357-0x0000000000650000-0x000000000163E000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 40f1ea52a5205112b877e3d17aef4233 |
| SHA1 | f3e35a9b586dc72b7f9d93ba16b16e082e6ce057 |
| SHA256 | d6db3fdfafcc367b663278ece44d8d519ca96ad456c18e1209f3b022aae138f3 |
| SHA512 | 6156bdff1c428aff5698933587ea2a0e6dbc1c9f16c1cb8d430882f922a9399ab4001f9ac5573a6d2213b1edc0718f6e1961c25ef5d072827e7cebb8b0afffdb |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | ba98d22ef65d490ec59af280013fcdba |
| SHA1 | 34ba84e3435d9d146c9895a447761ba21ea56a90 |
| SHA256 | d80b20357ccad434f688239b8e10c63d9ce5f42547f5db5f5ed921c5b21f6e7a |
| SHA512 | 0c2f8ad7ecf01769c56b0b6e525acc5e671679e8a3a8e9e4ea689d42e5eed8bb60fc2fa8b1971f8679bdbb9eb31114827e823e06f5a93caa97ee99bdb78984fb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
| MD5 | f5f63dd283ec4ea558f50637b79f69d7 |
| SHA1 | 86c93fd8338cfc563e81fdbcda3126d7ba38e0ec |
| SHA256 | afaf3b761870d7e969c3e11e073c6af17fafd72506e48c3f3e2dca754283faa5 |
| SHA512 | 0e743ccfb87fc4c2bc7d0dab09ab40f93de2cebfec046ad1da8c26237d52d32201e195a93efeac2bbe7eb197613c904f2e043356860936e987ef260a027940bd |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | e3915d9494176912ccd7c513afbd041f |
| SHA1 | 133efe556831b7b264f6ff75f2d4633580e40df0 |
| SHA256 | 1f51885bf28655beef881cd7747f022fef9f0fbbb1e3cb73a433eb873cca91b1 |
| SHA512 | 411857ee611b8897d83f45b4d5759ec5c4a741b8ae1ecd0eabe3da1c4641dda34e46acce1d9e6200a8a93f51777b20a64816cb0a96fd6e778fbd7fa1dab68a41 |
memory/4432-389-0x0000000000650000-0x000000000163E000-memory.dmp
memory/832-391-0x0000000000650000-0x000000000163E000-memory.dmp
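The listing above is raw indicator material rather than a finished hunt list: the same path (user.conf, system.conf, ad.trace, the CustomDestinations jump list) appears many times with different digests because the file was rewritten during the run, memory dump names encode a PID, a sequence number and an address range, paths appear both as `C:\...` and as NT object-manager `\??\c:\...` forms, and one entry carries the digests of a zero-byte file. The Python script below is an added example, not part of the sandbox vendor's report or tooling; it parses this page's file-listing format into records, folds path variants together, counts distinct content versions per path, parses the memory dump names, and excludes empty-file digests from the SHA256 hunt list. The sample input is an excerpt copied from the listing above and embedded so the script runs offline.

```python
"""Parse the 'Files' section of a sandbox report (the format shown on this page)
into IOC records. Added example for this page; not the vendor's tooling."""
import hashlib
import re
from collections import defaultdict

# Digests of zero-byte input. A dropped file reported with these values was
# empty when hashed, so the digests identify nothing and must not be hunted on.
EMPTY_HASHES = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Excerpt copied from the listing on this page (embedded so the example runs offline).
SAMPLE_REPORT = r"""
Files
memory/4780-0-0x0000000000BB4000-0x00000000017E9000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 3d616c6a7b748ad31614b36e1c578530 |
| SHA1 | 1a397527ab845ed7fbd8cd5745ee9cefa811419e |
| SHA256 | 92a89d6d706474f91a9d893d59ee01bb12494935131f559222ede243ba1abac4 |
| SHA512 | 9e2e371ec0d5a8829d761aec505effe42e2681f9621eb999dd7ea2a4f847b4a6888b79a8427f91a175d3b81c6842ef71f0cc0b6ecae186040510544fea907a5b |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | b3931dd19d698e7615aea24dcc703ab1 |
| SHA1 | 7f0df2dbd9a2eb84cea9eac91133e0e6f3072060 |
| SHA256 | 3fb7a5f3e4816e34a2121341d05d8839ea8fcd472a4c865b39df0965dcc8af2c |
| SHA512 | 2707a06d1caadded73337b7746dbb831bd5d302819e17f92bb39518f073c9f1bcafcb61e8736117739de3db9a322d2bc73ac2654a7cc8e16a5243adf43616120 |
C:\Program Files (x86)\AnyDesk\gcapi.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab
| MD5 | 5a4f0869298454215cccf8b3230467b3 |
| SHA1 | 924d99c6bf1351d83b97df87924b482b6711e095 |
| SHA256 | 5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a |
| SHA512 | 0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee |
memory/4432-147-0x0000000000650000-0x000000000163E000-memory.dmp
"""


def normalize_path(path):
    """Strip the NT object-manager prefix and fold case so '\\??\\c:\\x' and
    'C:\\x' collapse to one key."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_files_section(text):
    """Return (files, dumps). Each file record: path, normalized key, hash dict.
    Each dump record: pid, sequence number, start/end addresses as ints."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Files":
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # hash rows never belong to a dump
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Any other line is a path that opens a new artifact record.
        current = {"path": line, "key": normalize_path(line), "hashes": {}}
        files.append(current)
    return files, dumps


def is_empty_artifact(record):
    """True when every reported digest is the digest of zero-byte input."""
    hashes = record["hashes"]
    return bool(hashes) and all(hashes[alg] == EMPTY_HASHES[alg] for alg in hashes)


def versions_per_path(files):
    """Number of distinct SHA256 values per normalized path: a config or trace
    file rewritten during the run shows up here with a count above 1."""
    seen = defaultdict(set)
    for rec in files:
        if "SHA256" in rec["hashes"]:
            seen[rec["key"]].add(rec["hashes"]["SHA256"])
    return {key: len(digests) for key, digests in seen.items()}


def sha256_iocs(files):
    """Sorted unique SHA256 hunt list with empty-file digests removed."""
    return sorted({r["hashes"]["SHA256"] for r in files
                   if "SHA256" in r["hashes"] and not is_empty_artifact(r)})


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_REPORT)
    for key, n in versions_per_path(files).items():
        print(f"{n} version(s): {key}")
    for d in dumps:
        print(f"pid {d['pid']} dump #{d['seq']}: 0x{d['start']:x}-0x{d['end']:x}")
    print("SHA256 hunt list:", *sha256_iocs(files), sep="\n  ")
```

To use it on the full listing, paste the whole Files section into a file and pass its contents to `parse_files_section`; the rows from the DNS table that precede the Files heading must be trimmed first, since any non-hash, non-dump line is taken as a path. Lower-casing the key is deliberate: NTFS paths are case-insensitive, and the report itself mixes `printer_driver` with the 8.3 short form `PRINTE~1`, which this script does not expand.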