1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
364s
max time network
368s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops desktop.ini file(s) 1 IoCs

Processes:

AnyDesk.exe

description ioc process

File opened for modification C:\Windows\assembly\Desktop.ini AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	AnyDesk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AnyDesk.exe

Drops file in Program Files directory 64 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_email.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	AnyDesk.exe

Drops file in Windows directory 64 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_3c4de1920e29f8d7\sv-SE_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_f61840f9bb3cd6a4\fi-FI_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WindowsBase_x86.dll	AnyDesk.exe
File opened for modification	C:\Windows\Fonts\fms_metadata.xml	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\ro-RO_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_it-it_e3dca8929026e05a\it-IT_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationProvider_gac_x86	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\he-IL_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\Read Me.url	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100enu_x86	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\pt-PT_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_813b0e7ff4172114\uk-UA_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_en-us_5731df68c5fbf2d5\en-US_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SecStoreFile.ico	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_amd64	AnyDesk.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\zh-TW_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_gac_x86	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100cht_x86	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3f6dfbca0c1ae0a6\sk-SK_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_103dd0c74f03eedc\nl-NL_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\graph.ico	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcp100_x86	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\FDFFile_8.ico	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\de-DE_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\assembly\pubpol4.dat	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationCore_amd64.dll	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100esn_x64	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_59afe559321f6050\pt-PT_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_567a2b4934265c90\pl-PL_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\fr-FR_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_e55b2bd8fce5fac8\tr-TR_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100deu_x64	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\ko-KR_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f9b4b24bb8f4fadc\fr-FR_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationTypes_amd64.dll	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_amd64.dll	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_13db940cdf019677\cs-CZ_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_c2923be900f968f5\ar-SA_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_x86.dll	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system.core.dll_x86	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\sk-SK_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\GABRIOLA.TTF	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	AnyDesk.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\th-TH_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_sr-..-cs_de099a14860d56d1\sr-Latn-CS_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_58ce15ed32aff074\pt-BR_BitLockerToGo.exe.mui	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	AnyDesk.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe	AnyDesk.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

AnyDesk.exewinlogon.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0ecc5028ec7da01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000a0ecc5028ec7da01	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000004ec8028ec7da01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000004ec8028ec7da01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000004ec8028ec7da01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000004ec8028ec7da01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000004ec8028ec7da01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

2640 AnyDesk.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

2588 AnyDesk.exe
2588 AnyDesk.exe

pid	process
2640	AnyDesk.exe

pid	process
2588	AnyDesk.exe
2588	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AnyDesk.exeLogonUI.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2588	AnyDesk.exe
Token: SeShutdownPrivilege	1632	LogonUI.exe
Token: SeShutdownPrivilege	1632	LogonUI.exe
Token: SeSecurityPrivilege	1068	winlogon.exe
Token: SeBackupPrivilege	1068	winlogon.exe
Token: SeSecurityPrivilege	1068	winlogon.exe
Token: SeTcbPrivilege	1068	winlogon.exe
Token: SeShutdownPrivilege	1632	LogonUI.exe
Token: SeSecurityPrivilege	1068	winlogon.exe
Token: SeBackupPrivilege	1068	winlogon.exe
Token: SeSecurityPrivilege	1068	winlogon.exe
Token: SeShutdownPrivilege	1632	LogonUI.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid process

2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
1624 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

AnyDesk.exe

pid process

2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
2640 AnyDesk.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AnyDesk.exe

pid process

1624 AnyDesk.exe
1624 AnyDesk.exe

pid	process
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
1624	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe

pid	process
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe
2640	AnyDesk.exe

pid	process
1624	AnyDesk.exe
1624	AnyDesk.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

AnyDesk.execsrss.exewinlogon.exe

description	pid	process	target process
PID 2196 wrote to memory of 2588	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2588	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2588	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2588	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2640	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2640	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2640	2196	AnyDesk.exe	AnyDesk.exe
PID 2196 wrote to memory of 2640	2196	AnyDesk.exe	AnyDesk.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 1068 wrote to memory of 1632	1068	winlogon.exe	LogonUI.exe
PID 1068 wrote to memory of 1632	1068	winlogon.exe	LogonUI.exe
PID 1068 wrote to memory of 1632	1068	winlogon.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe
PID 876 wrote to memory of 1632	876	csrss.exe	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1624
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1952

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
0615975eda299ea1840fcfe4949ee28b

SHA1
20b19bdefcd795844f0ed20c9272cf925b52f2fc

SHA256
58b5ee7d912a83979c9350e85a93f170f5ea87f7940475aa4e8f4525c713951e

SHA512
6e85798220af7a78248249a464bbc593e3901ef9e103765e138f2b9ae030f25bdde39f15b1e31b96c02b62f9c6746ed1fcd6feb544579370dacd8c8366388196

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
f723dd04cc87e15f719eab218621bb88

SHA1
6883007c70e7f122d6a2c6a415cdb2b6107cbf1f

SHA256
c36160c9b270a46732275b72957b0d399abe59519e538713298cfc5253479f8e

SHA512
4cd2bddc50209621ce40c4d216dc5056fe3ac17909087674e8927a8e15c59e5bedef80ea22e60771ef96346cc2e039ae47a23203d199de55b0692bcd4fa5374a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
79KB

MD5
446b238fb2796f6e6c337007527f7ddb

SHA1
4acb026c961e3e58d5ee5b2e502ec66406f02de8

SHA256
f3e14ffbab3bda6c90fb636492823c6225e1d0e0ad7a8beb29612431f0c3eefd

SHA512
15bfae6a9e18b9251254ffa645d87484090cb068a4b16eabcd0c95fbb21210d9fad3f417b9725a5c82b97ca5702c0450a27040ab24499c28e6c6c273e8398a44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\connection_trace.txt

Filesize
184B

MD5
89c502bd2b232fdf03c88ceace1905d1

SHA1
9796471e2e6bdcbfd25d313ff9afaa2dddb351d0

SHA256
afd52bfd24b9c7f4617c5ffc8090b0ebb14245066d1349df120ec6a296cb3993

SHA512
8eeaf77ac8f7049927c915eac8a91a910f0ec9421bf72507afcc55ed504801ed59f82f714a23fa270ddc3fb016025d71dcd149af3aa04087b313bb5106808a51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1648a3ca59ea7d2c80528189e150ea5e

SHA1
9387257b32ba7da489573bf47d34b40d3ad87365

SHA256
47d5f04338ea8e51e0ba5b08d9f150797aa9a96458c16bd7769daabf40d38ee3

SHA512
dfe216c9a9b495ea9e7f9265e5a850948ac97ba2bcf07dd7b49207eab12fc4752f810a05998748a86cce0d150f0a24d942a6cd68749e64e7a4cbefdd44a507ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ad3133e7d9193a99a67081d5a0d145c3

SHA1
fc2dacddec18d6db071ffd737d5624c2bc4168e0

SHA256
1ce1d9886fe0b5433da39c77c1b33dcbd12f8682b4d54680835f3e9d25f34a0f

SHA512
97e62b99554901689eef53ed0a4cb759ddfea27622beac527338a594fe89f29550d663c03ae00dd2c52a2818032487d29f5542715895315b5dab2ef0a0a5b037

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
c38b5ca669cef488c1c45073aa4838ca

SHA1
ccccd29cedaa44dbd0b96c4c0a2bd07ea839560e

SHA256
1b3c30a727f9b3dbf8d51403f75976a4bdffa82f03605afedb743c3488ce05f3

SHA512
980a992c2ea9d0b21f8bbed264cf52b1076089e32666c4b0b193198f9b650c491e5adada25ae313c7b0093c84771ff1f7f2cb45e0a38e52c467b9d9997d1d09d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
60e5f5a100dbf5ee50373336e9b1b46b

SHA1
8d5515f16bf473ecbc9ab9d94a59ff58cc41c27b

SHA256
c1a706f691351db267dcdf37d2e89c6dd01b3172e83c69964731700b66d4ae28

SHA512
8140e6073f792a7c363ab81299914bc2d4238bc6047f1a25d99dd63c6215d49abefddce22b4df1b684a19d8868416d65aa91cd17dfaacf898e574033b3d4c859

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
28f3c935b3429eaafe4e6f5dbbb1e282

SHA1
8b4c85b71f623a063efd98150aeec6f2af69ebc9

SHA256
1043f19956a22880e6ac526e399cdd0e95b6310c5bb5b7b089e8fbbfaf97b294

SHA512
3e3d56e01f8a0d60c035b3f35d74b39409705a6e5adec60f7f67788a2e411b1b1c7d6375882de6e98cac383a6fe98646a4ec28b73cec143c28a10b048342eee6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f465c18da0e029af47017407b9612507

SHA1
35754e0f50aeb540074a4d50cbc96fbbe95ebd17

SHA256
71fea9a761fe638aa62660fe4f7f42a490fb1a9e4eecf3f2e3832de24e482c96

SHA512
4425e88b660244912d607167e000cc0ee3cf3e63ca1ad2b2cc7f80ee51ff66fbabaafadc75c004596bc0e080d0da7c7e362e07166fadfcae2dfe2510c17642bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f30f3fba968f1bf5ca8864867832fbe0

SHA1
acb9e137f6d60757fe86dce2033c848072710568

SHA256
d4619185177fec9e8f8267326de774b8ae61563e73d7686e8159a66791220660

SHA512
d076375df339b792f32e3b61e745de777498655b1ff6db0e8c4314aa1e62e4489b0deeebd05e07e469732db02bcc25ed523b41b98a926a7f2212de9e5a6525d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8d97e46f4d36b6356516f10cec435dda

SHA1
53eccb2cbfa885f3339e9cb5b2dfda5b43df5011

SHA256
5a1c096aa0879fd86f4a9e3a97748a347022ddb58efae8117a602132a66e15c3

SHA512
9ba35d52f9f3b42d660e0b18c731105266d34d388ca11ae7f8f858e3ad4fa7e18949233da4907e2a31e6327ade24843fc89e51c50d87c4aba278639419fa2106

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a58adedf805bfda81608a3347382f9f6

SHA1
6d5cbed0829ec5caf7b93297ae3230c538c789ca

SHA256
54a385258b33a0889cc0968daffe207545badaa16b2f5f8ff3d85c8771b38b82

SHA512
1a38a32a51a2130af4a351af35e9b69b260d14da7dc2e9e7761f772d4d4d3691fa02f8f2ab93379232a14f572c81107f26b3ba9eb3d5074076a7df1d494dd2ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6f50a9e8b2649f13f6ee93bba4acb751

SHA1
f46443d06181f1dbda3d78f7c5957b59db765ff5

SHA256
13b35f1ec3015ee7daa5d644748fad1315d825d206078bfe707ae05990819f86

SHA512
50909246f4f9638c4c033e38c4326f6d77fc1a9b4ef9737adc028412433407fd619c54abc30f07f33d1e75bd5e57cd4484ce21cfab7c689271bf73d4c43603ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f7ee6669da8602550c107654c4355a32

SHA1
49a118655cdc12db35bc2d989e00ad05b0a02672

SHA256
ee3f43adb75229f3d2dcc33d9fa1765f52d35e6c793290a499175e8d61b43f81

SHA512
f26514a03f81c696dbabd96249481f39d34d8e14242b1da5d78d43d4fcc1534e0ecc2b4288c82b9b38881b44bc63ebdfa022a901d63fe2f81d665945bdc97625

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4b149a3ceeedeb4941b018dc3b62b7c4

SHA1
2be90063d6b99f9e187b752a4607dcf4a3a47652

SHA256
aee79a39e7f93db1a5914411d704af4232970d33693fa2a687f466b18d795014

SHA512
ca73ae48dca20542fd25ed439b0489e960f7a1ee9ad55dc2f5652ecab83fd15ce3294acae20be7a3dad37cfd8fec3c7683c0c88cd4567b4a11c731604a38b046

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4924f1f72259547a8230e93d7a0c0e44

SHA1
ee57298fe50301407a1d48144bd5d530628389e5

SHA256
a2a168cff6f7909a8c17e1a922082eab297d0d3866832bac8efbcb01d6c2f13a

SHA512
fe858917d439cda28564c61e5999df9101154494601b70370ec9ce1a86a112ca20e7d30839d7ae5604f4c448934316f0af53221c46bc4dc0f4b82fd37763e1b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ebcb2b0c5071f77c31b98b05a1e862ba

SHA1
2b2d23f97a6e2d5e849bca078933a9a2f1dfdad0

SHA256
308a5e74a01e49552b25e0dd15fb7c72d3fa612c3d2ad17a86f4c5be65678a34

SHA512
7d1480f53b879dd01639da99d864b1b2ed6010b95fbd6dc4ccb99b4453e4b47774c80386d0990856b6a710ad89925684868e4fad0c344245a66609a34523e655

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ea5e1735e4150632967408ea9f8a2171

SHA1
667978373bf214892908daf091099667e242b3e1

SHA256
be936d44f4f4f6cb466648283a44c63a102ebd34eb275874516a4b5955ab6a51

SHA512
074921b367c4ec77759c1ec232a23d1eb17ac70bc14b8f0196a010fec423e55bbc5a29e8d6fb99ea5e169704e2a2a8bbe0c863cfbd79b31f6a9be5477818ff0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70dc481d1c517b262dc672f7b3919ac5

SHA1
b6dccd25f883ea2b0a7a3aa9c0d3bc11eb96e14d

SHA256
9d17b29e293491bcd422be14cbed49bc19df0dd88d47c38b6608be85b3fec1de

SHA512
67dbdda3035bf461a8221bee283e938737f253a60e942aa1db2476160c6da75aba3dfe7f2ae8035568eec5a76e0d738c55b09c2f93484acd925d1d2e2ea3dd20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
6f6969c8bb303e5d25e7a6ea475a4887

SHA1
157bb035a60c86eafb5af56946ef383fbfff65d9

SHA256
da7f818a1c31af434c04588f982cb153bb8f79f9ccf986f6014c0b908867a4a3

SHA512
8fdf772bf65c9ab99f7694de1299ef42c452b15408930a73c4d2c3361232b0b8dcf372cbd6ed63d8c0cdd9e7601dfdb20222f2a6a2b1cda05e9a0a1a4f7c72c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb43d19a5d5eb39a551ed33e55fb6d90

SHA1
09ca56a91e4457f3b943f1632f73bb7e40febdab

SHA256
6501adb0dca49dbd448e16e527a235d77449d76225f656030fa597ee3aa64bd3

SHA512
0ba19b524727d295cc5c77c3c1dbff24876883481c7ac3513a2160b9454a13733ee344d73b4918e12fd71c91dbdc2e953e544ec9f05c55bf547b58b370b28c5a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0856a81b2d5349cc8a3b577008c1a055

SHA1
f894210976712b34abea211faecc963458d3ce6a

SHA256
5a8f02427a5024ad73aa97b7559da59a4818487b360fea141ef46cce693e2058

SHA512
504024608c81130f30b3f86b6adec1a72e368c1cc1e578e20052aa82e8cd40d22cc0fc2b83e70cc9b5586cc3a0bc8a0f9984bb46d7a7f57b3613c5ba34d9fef3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a39eb965ee731a8ab692f0e6f5d0be44

SHA1
cced0a47dae05eabaa5dbd9333a76bf866b8a463

SHA256
9f0fadb243a2427aa361dcb5be44fdf18a6dedf165663fd1892153ec3a3a6262

SHA512
387d4a6da9d701822a17d56f3522a7b6c092af8d051aad87e9d195289eadb59dcd72be84e22c826e314f686ea10f064991b8e46f0c99d6356e1aefb24e56d14f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
199387f3af4d21a02d416946c20214d3

SHA1
4bd615db53df1a6334e14117a71a10366243c91b

SHA256
2eb7ac069ec032233bd161ca6226ba100b012f4a1156e725b07b8ccbdfac9a5e

SHA512
bdda6788117a94eecb36dde48415cb9e6e0c8d292befd9a7807d8bf511d77fd2286eb1399b8ebd3e8f80cbea0e85ba467db83e1c6992c06f324b3bdb14c0c6e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
94f3ff48b9455994f81a4234f34a2411

SHA1
0d0fbc77973b39e7c0c73eea90050ccb5a457d70

SHA256
a20c8642c8a5ca81c371ae8a97ae5812fbdb87a5eb8fd6a688dff7b43f449231

SHA512
9da8956f6f222a2b58e38e0c53859623ca11119afeb8720baac0fce72cd3218d262ad884d25bf793342c14e44a3afc750b7e28ace38d2160dfe0ed62ea993032

Download Submit
C:\Windows\Temp\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
memory/1624-347-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-343-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-339-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-335-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-363-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-306-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-325-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-359-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/1624-354-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2196-108-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2196-289-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2196-2-0x0000000000E04000-0x000000000203A000-memory.dmp

Filesize
18.2MB

Download
memory/2196-4-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2196-1-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2196-288-0x0000000000E04000-0x000000000203A000-memory.dmp

Filesize
18.2MB

Download
memory/2588-10-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-321-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-307-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-337-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-286-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-328-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-291-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2588-109-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-110-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-346-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-351-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-12-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-358-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-342-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-362-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-287-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-366-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-322-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-371-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2640-375-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download