hxxps://anydesk[.]com/en/downloads/thank-you?dv=win_exe

Analysis

max time kernel
170s
max time network
173s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/08/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anydesk.com/en/downloads/thank-you?dv=win_exe

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4840	AnyDesk.exe
2068	AnyDesk.exe
1340	AnyDesk.exe
2888	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	AnyDesk.exe
1340	AnyDesk.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678195023463761"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
1340	AnyDesk.exe
1340	AnyDesk.exe
1340	AnyDesk.exe
1340	AnyDesk.exe
1340	AnyDesk.exe
1340	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: 33	780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	780	AUDIODG.EXE
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe
Token: SeShutdownPrivilege	3068	chrome.exe
Token: SeCreatePagefilePrivilege	3068	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
3068	chrome.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
3068	chrome.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe
2068	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	AnyDesk.exe
2888	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2524	3068	chrome.exe	81
PID 3068 wrote to memory of 2524	3068	chrome.exe	81
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 1760	3068	chrome.exe	82
PID 3068 wrote to memory of 5068	3068	chrome.exe	83
PID 3068 wrote to memory of 5068	3068	chrome.exe	83
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84
PID 3068 wrote to memory of 3448	3068	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://anydesk.com/en/downloads/thank-you?dv=win_exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1623cc40,0x7fff1623cc4c,0x7fff1623cc58
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3648,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3088 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4808,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4852,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4860,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5028,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5548,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4336,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4620
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4840
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1340
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2888
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3704,i,217148321108373291,7311896098828273348,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:3756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f270823213e2a1525abbdacf63b1f267

SHA1
c3c0c066bb83f2f8374ee08ccfc5c713bc578856

SHA256
b5ca7b486d42741d141560d5f57e2fc92b35d83f99fea57f2bfd70c67b81be6c

SHA512
3eb9ff564aa414e47a7b015835789caeb41ccca41ebfbcf982dd9419a5cfaa74168b157b59ec5a8060bbfd2822b5536da89b1289d095e16382624c552356a34e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
e0f587cc75b5d49b9bb3bfa612923317

SHA1
796d9e31f77f0cd2151c7a8cf264d0f3895b72b2

SHA256
8d74ee55bb562bf91958d06754f75129c0be50bba6347730c9e8d35f9f99eb0e

SHA512
eae3ee36fc7c7eb5647d9b2b59c0d3af5e873d1f39a0b307070126a165094fceb0d96ad260999eb9543e6d7d2f3334904ff76f15c6340c2566c9891e4a541fd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
2f62b26758e6b673999231602a736bac

SHA1
d1656dae9b08c7f78541beada3a4eba56bbfcf72

SHA256
9458d06195491fa4cd1c4db54915142ac7f4f30d461660ee6d82e1fefc13e5e7

SHA512
2a20cee8b6f3bd73d65e741b2b91164f9c9a9de7b42d0b7650ed77e38b3e716072e5bcf16c91787bca50e214854fdef63ebcffee0b0ea97418dd2098f95ca549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
4cd563ec7ae182a9002adc9b2399a0de

SHA1
6d95ec17f1ee38e64a394cf642acb0eb527355ab

SHA256
a1fc2ceb65c2d04a7bd9f49e58c88a6fab35f3a0c62f3aff3679f262aba301f2

SHA512
f184f69b5fb916d8747d95bf313785a5512f6b3e1b84141e2ade5ea86c3f67752f708e86f970783b10a4f70b524e53768cef076c550e4520e031e13a9c7b26b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e08dfc304ef5ae8c098a2621c88e044b

SHA1
e6220e036f5c2b125ad63b51e94f8565ae882658

SHA256
8064ef74a9ea72348ca98e0376c7d07e79d1db05db0df0d79c4ab5940f7fa836

SHA512
a28a48f4d134623cab13a8aae1939f712a512b257c97e21ce7ff308ff10f17f6ac32f4a690ef2382d39f783c63315d3fff0c14a873cb22041a7d88dda95e5ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1bead01489d96c1f493ee29fe5b73169

SHA1
5ea1f8429a22b7ca478fe45a5dd271e3bb78a11e

SHA256
473ba6efa4354f43ede79425d0f864a1c16b31f25909656e40e7c2aa472e1f38

SHA512
c58fbe588a533bc4bba7d7fc2cc1ffdace0eed779449315118542650b83f7e210fae3afa0e4fd9789bc3a4770c400ecd4a76c5552335ee44d8ac08f050d058c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
62f5631899e2d8894996ee5ca4c44e13

SHA1
e952f05dce1c8657e37fe2c1928a94b03741ed08

SHA256
8e4f04482019841120a4af53829229c070da795a5a33ee44f0ca89aa0b2b8bdc

SHA512
38297c9c7ad0212f8acee691f9382b2b00069285009c56476056ee9260edf63c33d0027022a73fdda58f2639a4010fcdf89574791f8b94b085321db27add9a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fe1796ee-1947-439f-adba-95b87b478452.tmp

Filesize
1KB

MD5
5d3fca1ba7b867de8f1e1607ee9f40cd

SHA1
ba1276365b2270bf49bafd071d63e34189efa974

SHA256
91dcc2acb1738691ac9ad7582d1e7806596e35a6dd6c4cfed9077ca786eece04

SHA512
29d5896ebe897058980c14ada4d28e3eeb7f8b4e5886db09963beb0372abaaa545284f1d81bca561430be3a0922cb6aacb838b53df0608f3ab44131ffc0055c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
583120020baef2c57a486a91bff8d496

SHA1
d3ee306626474d34ef3547b089019e152ae2ad87

SHA256
43237568b49274e155a7e60d4261a9e1a2444d8b0419fd049cfa4d385ddf0269

SHA512
9cd475846d880ae30cf8a2ada005844df146e6f5835c0cac02b60b84883ef0baad70430de4a0c9e1fa3737620d362348cf883436a2782cf7591057e383a84b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5bf644d8668e6025a9f62df7c9d1c4b5

SHA1
5369249dd61625b6fcf7765a9036d02b60057616

SHA256
6762a4b1dc96b6decd6de5c1b3a5987f86f701bdd2c72deeafde13985fcc9924

SHA512
ceaca918ffb6c2831e2fdef3af507ee5b1fff0bd4e126338ac637d01254c931ade94e6ea5f003691bbb8f8067496a565b493ee8adcbe8c21ef25b2aad2608a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac974f860407d17c429cd7c06525c6c9

SHA1
0623d5d8722189d7f1c4a95eab1ecea199cfe0aa

SHA256
ae1e1f3913cb3a0221531166a5093f876440cf0da3373308f63a09ba03718b6a

SHA512
9710aa44ab3354e6c907c6b79f5269cc5eb9097543a6641732d7869f7a44f7eb467813c403b218a8968a80085319157946726e28cea7f162df8ef62a7bab724d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
105B

MD5
ed9ca0141b6418de4b6ad28764c770df

SHA1
c6eba8152ad4207bf206e6b76c8d7a14dffc99df

SHA256
68edac887d0618602f808362ecfabfd7fb22c3fbaf4e9698df9609c76edca50e

SHA512
823602ace2a5c167df006e27e9fec1c6807949b42d815385477dd7f9c3243b738fb2dd935a4fdf8ed66b94eca66efe78c8420b9c7931e763865131a5b8fc3a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt~RFe57f126.TMP

Filesize
112B

MD5
6b3458182eac78b735537754a560f142

SHA1
26115cf8fc0c0b3cb92747099aaf16d46a28bae3

SHA256
b9142efa3ad498f36f2e6703b471723f558d2cf80ee98b7419efc15741b2d78b

SHA512
7341db333e0138fc2bf33ecaca42e8a30d9e2b418b9ad795d5685defc349601825af64dec41dc6fddc6dc6d76c4b9ffe9e4db1eeeca9009a2501287c43175e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
22ae41a8d876abdc8f4cab5ec675af8d

SHA1
e461328414af99b795615653019e59b9fb2de401

SHA256
cb9b4f78c2e1923674dec51d7ef04c7a1ac7a9cc05aed48684dc03f01b5d7ba4

SHA512
d7e8d42bdf97a1d9c7e880bd604d2e73fe215b4494494e5eb6992ca1aacd95d252cdf95cc779f25f6ee5ac80500b9205972c521540a2d1a6f8aa5cfe7f3415f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d7193d3be0f9741da83ad255f7dd7484

SHA1
7739967899b627b134a2253cc0e045843a71cc39

SHA256
4553fa33effeb9ad0c8da479a4f12bada143ff29c03e1a10ed779475f77a78f8

SHA512
b7ae4e0a517c7644a37555e2b59713fabb6bfa93673c6cb7595063afa287c4f71da32972a22020fa09355c4b9452ea96f25d2bf3d636719cf11e16ba3e78f220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e4580c2b-901c-46c3-87ec-0b58a8e6c121.tmp

Filesize
101KB

MD5
20224e46d89f0d5457ba94d471bb8ffa

SHA1
683da07c9dcadd4ee86924e04f417412e0c117bc

SHA256
517e4da6f7dd945f3ac932aa850a8e3e580a902dd8320a1592dfdfe7b1cb4181

SHA512
008050841d9173b40c6ae948655f79ffe2f6e9be3e1c39e4702f8460e562a1a3c45d6ac534a90b46482697e93eab95cee06b5f5a7b418c7d275651f2649dc2e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
015bb9c72ead4c86a60a946a04435170

SHA1
f70d5f3439385d8dda4ce49658e52831c11956bd

SHA256
65d0ed91b297da6c53790a2eb1832b9a741df316894aa6caef426be05f5c29d5

SHA512
39d04fc5e83b8ea36325e8f5fa276f18ca864f34efecaf138e2b64a58a2549468a5825af76eb473d536322342765a17995b2474e577fb152e8eccbdafab9de52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
ac3fa4c7f32ed30e8c1e350cf1953735

SHA1
2c6525062f02ef84ccd39ac13ca4b906edb4f699

SHA256
462cf91496cafdbeb6e093fb8d3ea0a729d5e49fe1589d04a8ad9c8153ed1b76

SHA512
004675e3618d9106ec6e706563874709132a7912a47d83f24d92b77da07157499d40375372940a3a414f160e3e17ac1d8615fdfd8bf8e9fef5c7ca4ba999b12c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
50KB

MD5
0b1e40eb1294937649ecb80f017fe959

SHA1
28bc2a04ef4fa7c171c5b62606382967332ca28d

SHA256
813d7ac03987182a342953e419f1d10840a3214bb4351007c7027231af590db6

SHA512
603a475a368c9c66650788d705e4ce9556d50ba2fb7ae25378171f6834a5fa346848061207da098aa3d5d1aafcbcabaf502f96cf841cb4d6bc290e4ccbbd0813

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8102c0980cfcf74f92740decd7b91e87

SHA1
e73611227da3e9d42fdf412afc7e9f73073b73d2

SHA256
a04bbe548d6861f5b678a2c58000c0dbb363be3750b86f8533c6b3b149e8975d

SHA512
d915117bb45b81cff0c60f60b2da1a6b5d10dfe60a9969a06545c9147d6edf7876e38ffb5eae52df840c2e24a222e12fa609a500677d742cabe6e3e15c3c14b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b24a4f0f9f38e3b54c4967761e86572e

SHA1
d33715e6f472afc5205d9258578792001922c5f2

SHA256
4819532b8793c1272e4b5460b38441f539465aca2c3c0a48b829a17517030590

SHA512
6fd510dfd79a2853f992ee41180462533d1de809e88f26494fcca4818085ca0b36fad44e88a22bf99c2b5dadfd5ba15cb112b2037f9d6e21043ca18a8f95cbeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a8afc68888f268a3cf2aeb5849950850

SHA1
b3f65df79e85cce963f8be31a90f99d697c15737

SHA256
65ea135894195916011a6fade4085c67b81654869c39549f6ee89ce01ea63968

SHA512
0a3c841f9b13b79caeb894b6c6fd0befb08a6c26dded3da5c28486b9b9530f7e860d617ea623855853a9c069d3e712738e16f94b0c292fa4f35bd474ca38497f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
909cd141178b1ce7378e60a92c31f58d

SHA1
82c989a0fc1f87ae78888568e8d29a26be1e203f

SHA256
b6af5381f520065ded29a5a1decc439da41dd564d2fe84086d2d5e6a23f6abd4

SHA512
501c8a5dfb80f5748f8aef202a3932cd272652eb52ddf763979167c88dad5052cc1d48a5cb4105e99f7416c51a86590a212f35bcc3f53ea5f71ab6e101cdb9ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
10940edac240c7d4ec474cba8200a3fb

SHA1
dbe0165d30c8a6b6e70a45b282a4f1871c169f3a

SHA256
f4012270c3447046fa38a5caf3df89b72c03edb38b45f228c38796281485d059

SHA512
aaf928e1d9d19e96459e6f104b4cfc14675a45efcedcacec400eff837812b68233610d8a3689f93608c799f9b1b27aaabc2df341a28e401bc4165037f7e9ac93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
2a577602a65d33536554c12440e6bb36

SHA1
28c91d8b507054985ec1f88de5e576669cc80da1

SHA256
5c9f08b53f95847b4a3508882f1daf9cc78defdcc8e8876fa1725542df9825f3

SHA512
7b2d3773def41ed6e68fbc1848e0fbd8110a5a68b271989cb58a50b40b7bd9efb9384537df7fc4c01ac5e6b2883e1bff8c99aee3bd4732e229fd3ff04f09b1c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
9a2e603744be01e6cd13f3622557f12e

SHA1
ee4c7632a347fe67d5ea5cef0d64b707edf65266

SHA256
bdc9e134410b3a7470857c83ff7b14b61a1c387a55e2ca0618c3f88bab4c2e20

SHA512
fbbf618f6c10e820f9489f966d0eb096fb46db8d75f8eb226b3a606eaa5e2073cc140d362e745d4ee3803eefbc41612143fbcd826d1d952d466fc51c06c5a62c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
0d644f6c105f3e56ee37626c3459abc9

SHA1
42c7653ec2920dbce3fd310943e8ec24a2eeaf28

SHA256
08ea15ff7ed4d711c73ab2881efc299a1014ee26f449e830b50e07dfc00ffd32

SHA512
20a3b8fe37d65040d9cfeb5b646a7947d3af99e11979852cf98f0290d5bfdf26b03eca39d0732776f1bc40a93a7c6298ca97645f73d797937d908209e3ff1ef5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fabd14b54a2f7de5baf7f0cd23e5f966

SHA1
7f7b2fe3ac51cb01d310bf2a96808ab50009b81a

SHA256
63b2a2406a8e58e734a491a1548436a9ad8d67ececf4ec1f0515abd169be6309

SHA512
b3621893103a5292cae761a44a995ac27c22567079a8f470054d29e9e267566cea4696c5b2edfd9d2bae58b01b4f51ad1d2196f75380d4d18db41cc6b6b5920a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1eb94cf02ceae5c5a887a467036f2447

SHA1
170f08973cbb618444c63c47013ea3d961bb7703

SHA256
6ca5b413246fec212b262c0cb00500037cf89eb4ae848cae23a57ef7f6578d36

SHA512
f1164660fddc313f38ea83d0484d41191b994153358f120bcc2f5b9cb8177b008a73175f800a729ce1430eb85a8d3976c8b850aa32808d011cd54e9f3b8427a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3839aa6cd7c20ec4bf9259c986b29694

SHA1
77d393907d93940fbd50a85875fae2f7c8ff4083

SHA256
35847e88594d517b327403b17a7814a4cd4bc232c650fd078f06d0e4e9ec8c3a

SHA512
17189c8b8c6fea33b06517cd20de6c5d3c7388bfb7c06c6faa027d7b2840aa7b3878de9e5f9c183b14fa84c1a9b230374ea8117a7102a4dffb7c4a4472b28872

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2bfe4c3b12c407ac2f9154f9af635d16

SHA1
e9de2f494313d9df3e108254712f11c6bd1aa99e

SHA256
b7aa9276431258ab1b57f13a4b502bd7a7a938f92f0bab5040b71f3a215a7801

SHA512
f5ec811bd0a4fcd0ced32656a8d7f6010c97cbb9ce996e6ab783d8d7b299fdd6bd724890c063315b7de968374058c8e13437adacca144c46d4e8c56c40c17ff4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
15fd543d33221c057729c4b3c538c2b8

SHA1
42b6f266b91ac5b48f6d214a7883b6e2e1cb1c06

SHA256
d3df4588a4d0f90cfbb8b7ad0b1e7b8bb15d8a3b993cd1a346ff6330e0814cca

SHA512
12eca9541494a0ced065219876c87ef9fb6af8357a6f72dd705be10da269f2885e87c6f8c28b2431ead903290580d99279f8e3ce14ec38c862a7c6a2a2cd6c68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e3fbada05f6858cc06c1c1982adf8faf

SHA1
716abec34dc0f07a8bb68b736d3247edb51b53a4

SHA256
e031644a1cc90781011bece5d08625e59ccab0d4e9b216647ae46480052bfca8

SHA512
ae6dae9e216074b7891785d725a41f052adb01c6a47ff6426242758a145b3cbc29f59436c32d715c20f4c3f9c3c53c6216e88d326f434f62232a585343e130b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c8852c58371bf4fe1f395e945b710643

SHA1
06e5e8497af81457d205982bea27a05aaf376508

SHA256
96df5e0f57f4c85ca34b89e8e64279865e756d9294205a865e251da62fc09d73

SHA512
6c343e6fa3972dfd2dc36440fc1140b03349066e29f79d49fab252d7709dc34fb272d13e169734f9ddef7ca5da0032439630921a00564a8ef9ce9d3861357b81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
6a44c75a12fbcd5b2c87978e11efac54

SHA1
bb5041a1598da3d8868f180855d28dc195bfbbd1

SHA256
ce28fd0b320eddcc98073dc06404e3543c70a23449699d5fd3b84b061ff2ad4d

SHA512
84769d0bb60155c875100210676caf093a50b66a5305a3f953f3e96cdca967be150c2aba7e90de3f6dc7aca5d5420dd4dd91199bb48b99d6e3dc41f90a2d9ba8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eca7b659d0c4124572f4470d3593a45b

SHA1
40b69546e14410f5444b6e68c0076e790ee6b315

SHA256
e2ecf332a6d1a5e566ad81fba0d56627c14d2c6091a93c319e29397e20443d55

SHA512
f15dc5206b3e1e89071437d068cf248accebfd773bea976b3d33ace78ac1c03e178337c05e6bac611c05788488fbd88f434bba701286f5d691d8af31530dbdb2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
5c7a08d85c84e8ed39f7a935e6f44933

SHA1
5751b53043402691339661c93bcd05755468a0ec

SHA256
ecafed2dfd046fd72ee9fac4671d83b6cbf031bf5c212430b5aa8313da2dfbc5

SHA512
0dcb33327518e2c489daca61a5f80fe655c07badf08a2f665af871ffaee76942dc549e95f9502cef88c2fe916d2253d74d4cf32b532ff2cb1180c4d2aca11dc9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4b772ee9391a710346b213e22e0ac7cf

SHA1
4a3fd8d1080ecc03239072690f2593ca67045522

SHA256
160306c7c599f1f20241cd65573280f8f986774d0aeb0fffc819e6567971342e

SHA512
f16ad4cafa4dbe494a71492027078badc0a499dca3205a7c957c80d6603f93a9e570692a3e8b656db8f9c4a15378ff406328b5ff02f67b905bfc84340db46015

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 906683.crdownload

Filesize
5.1MB

MD5
c8246dc58903007ccf749a8ad70f5587

SHA1
0b8b0ec823c7ca36bf821b75e2b92d16868da05e

SHA256
347e7d26f98de9ac2e998739d695028fa761c3f035dbe5890731e30e53a955b3

SHA512
02f5ee6fa5365498ea537f931bab82e3d95178cb8ca42a108030649283290520c27490557a2b642649533b935503ad240acedab005bcbf3dd7691f5671caf975

Download Submit
memory/1340-617-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-643-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-295-0x0000000005E20000-0x0000000005E3B000-memory.dmp

Filesize
108KB

Download
memory/1340-298-0x0000000005E20000-0x0000000005E3B000-memory.dmp

Filesize
108KB

Download
memory/1340-678-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-267-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-658-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-299-0x0000000005E20000-0x0000000005E3B000-memory.dmp

Filesize
108KB

Download
memory/1340-630-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/1340-654-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2068-655-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2068-265-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2068-618-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2888-652-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2888-633-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2888-660-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/2888-680-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/4840-253-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download
memory/4840-252-0x0000000000EA4000-0x00000000020F6000-memory.dmp

Filesize
18.3MB

Download
memory/4840-622-0x0000000000EA4000-0x00000000020F6000-memory.dmp

Filesize
18.3MB

Download
memory/4840-616-0x0000000000EA0000-0x000000000260F000-memory.dmp

Filesize
23.4MB

Download