fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
2694s
max time network
2696s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-12-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CA38CF219C8E9782A8CBBD76643D24E4F2D74B03\Blob = 030000000100000014000000ca38cf219c8e9782a8cbbd76643d24e4f2d74b03040000000100000010000000e4e34304f4315a15a0bc0e413363721e190000000100000010000000c87364a1df5cfaa973f544a5206e8194140000000100000014000000573133394358b8d9f870ed67cd50374f92d3ff710f000000010000002000000092cfeddb8485b879cf9232fde30df21fd200fa56712c8c92908b447e1a1d33af20000000010000007a070000308207763082055ea0030201020210030e330a8ed28347bda3bb478e410d7c300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3234303231323030303030305a170d3235303231323233353935395a307e310b3009060355040613024445311b301906035504080c12426164656e2d57c3bc727474656d626572673112301006035504071309537475747467617274311e301c060355040a1315416e794465736b20536f66747761726520476d6248311e301c06035504031315416e794465736b20536f66747761726520476d624830820222300d06092a864886f70d01010105000382020f003082020a0282020100972d1d652b2ae50cac2c1e499b38c5c561134e6348ecab72337b67dfd1f7bad70054193e2252007751d9ce92967b0454f8a1957870034b465b41f478e60ff6c92c7fd735506ef2b7a81c18acc3729f8ce22cd1caa429bdbe5d5f0ac942344a3ef4bd5fb1048c47ccd25c2c4e315caa2686d3c1c469cd3793f5be068c00b91d7c673741cdaf4a05c1a782e8cc5eee6c09dd927eb31f1eca0c6cab4350196024ab28f5a59f2cbde92850042aaa6798deb5989495ba9224d22b3afe20aa721a379265049ed9d9bc86884dc7c16611e2f784c456d199760ce5d8debd916e68ffcd77c15d71dd1bd4f0ab4aeeafd2e4850c35e6e7109c58dd068e50d5ad9e3d9439e95e007aa2a06222ae6bbebf54f30953f6479fea4d566e4b73ca023ee32cae31f3d59fbeb1f99e218809971def0d1dfd019620c7b251445b6a450137c8831fec87497c7e54533845eb7705a46950a314c78212b079a36dd6353e3b1c1a93b664c2e69f3a1c339dbaaec468c32ac73a48e43daa2d5b66930cfd6ec9ebea031bd3ec04f561ff760bc7d3f713fe9b3e9ec38718750fc452df6ab65548bce5def71ff17c7ed1889165cd03602599f3851b247003f09c896300f23cca788100ce263f66a4ef827e8a718cca76e0d6fcf93e95ce359efc329217f88938b29213a5789bfaa9b471c24b5bc9aab23b68796c185dbbb840b7a074944a6960b134c7b25ed6f50203010001a3820203308201ff301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414573133394358b8d9f870ed67cd50374f92d3ff71303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c30819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63727430090603551d1304023000300d06092a864886f70d01010b050003820201009bc3d91cb63175cffbc813b2b5814e77c9940d5e0c2d10fdac84edc784495ddfcb2e4f2719af9843101e70abe1eb54300a715573ccd0433b0dd8ee13efd79eece380f233e18a82ef7b50c2e4f7cf2167e8122a01a8474bd1d3e93c20193f3a45db0afedf99b51460c0e0e8b62b82d56b57e22b9bba3a07696a2799a3fee38dee6a5308d0d429a7c64d59031e0a0e37d91febb3f2fdfa34c9b931d0ba00aa1c9438db280424c8958ef86297c18093c66fb8ac5a2922a97447eb566195def497706a8650fcd7ca6b58ae2cef3315ad47766b35045f419963564448bf06b90094a691de78716c87d58a366bc8e239066e99a81639c03f99c96c68e54aee17af02052b8e8d399499bc03646b44c675f98cba4e86a1130ddbff1d9a78221d5217c95a9fa3587c43d9fda62693aabd448814380e0c7e8a1a32d0a0d3334d33b86eeac1de3828a8b513f8279984e9aeec85544c0d5a3e9c57dfd5641a0598af756de93089c007744baf14b15bb28265ba9aa8088c3753a9c099daa36d8ce4a304e803e8728c5411dcbd182b7ba9caf83499cf3e0ac836a789f8fb26a543e438ac16b3ed277ceb0df5df6e0d0ec8634d8a4b3bbf30a96da5113c10623122820c6b316fcf6fda942642003cc09e658ce6548d55a719e85f6d76b5152c9df8efdd83f090a7ae5acbe7430ae395dcae7b8dd8e859fb7a48c5556a046bd89e2a9c68c9fe2dba	DrvInst.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET557F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5592.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET557E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5590.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET557E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5591.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5592.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET557F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET558F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5590.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET5591.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\SET558F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.gpd	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
5208	AnyDesk.exe
4128	AnyDesk.exe
3116	AnyDesk.exe
1124	AnyDesk.exe

Loads dropped DLL 4 IoCs

pid	Process
4176	AnyDesk.exe
5180	AnyDesk.exe
4128	AnyDesk.exe
5208	AnyDesk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\URL Protocol	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\ = "URL:AnyDesk Assist Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{16A1CC1B-0D45-4567-AAE5-EFF83060F613}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4128	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5392	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
5208	AnyDesk.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2332	msedge.exe
2332	msedge.exe
2180	msedge.exe
2180	msedge.exe
6136	msedge.exe
6136	msedge.exe
5364	identity_helper.exe
5364	identity_helper.exe
3452	Taskmgr.exe
3452	Taskmgr.exe
3452	Taskmgr.exe
3452	Taskmgr.exe
4836	msedge.exe
4836	msedge.exe
2176	msedge.exe
2176	msedge.exe
3216	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1124	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeAuditPrivilege	5420	svchost.exe
Token: SeSecurityPrivilege	5420	svchost.exe
Token: SeDebugPrivilege	5208	AnyDesk.exe
Token: SeDebugPrivilege	5208	AnyDesk.exe
Token: SeDebugPrivilege	5208	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	5208	AnyDesk.exe
Token: 33	4380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4380	AUDIODG.EXE
Token: SeDebugPrivilege	2016	Taskmgr.exe
Token: SeSystemProfilePrivilege	2016	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2016	Taskmgr.exe
Token: 33	2016	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	2016	Taskmgr.exe
Token: SeDebugPrivilege	3452	Taskmgr.exe
Token: SeSystemProfilePrivilege	3452	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3452	Taskmgr.exe
Token: 33	3452	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	3452	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4176	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
4128	AnyDesk.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2016	Taskmgr.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1124	AnyDesk.exe
1124	AnyDesk.exe
2176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5728 wrote to memory of 5180	5728	AnyDesk.exe	77
PID 5728 wrote to memory of 5180	5728	AnyDesk.exe	77
PID 5728 wrote to memory of 5180	5728	AnyDesk.exe	77
PID 5728 wrote to memory of 4176	5728	AnyDesk.exe	78
PID 5728 wrote to memory of 4176	5728	AnyDesk.exe	78
PID 5728 wrote to memory of 4176	5728	AnyDesk.exe	78
PID 5728 wrote to memory of 5392	5728	AnyDesk.exe	81
PID 5728 wrote to memory of 5392	5728	AnyDesk.exe	81
PID 5728 wrote to memory of 5392	5728	AnyDesk.exe	81
PID 5392 wrote to memory of 1624	5392	AnyDesk.exe	87
PID 5392 wrote to memory of 1624	5392	AnyDesk.exe	87
PID 5392 wrote to memory of 1624	5392	AnyDesk.exe	87
PID 5392 wrote to memory of 5100	5392	AnyDesk.exe	89
PID 5392 wrote to memory of 5100	5392	AnyDesk.exe	89
PID 5392 wrote to memory of 5100	5392	AnyDesk.exe	89
PID 5420 wrote to memory of 5748	5420	svchost.exe	92
PID 5420 wrote to memory of 5748	5420	svchost.exe	92
PID 5748 wrote to memory of 1276	5748	DrvInst.exe	93
PID 5748 wrote to memory of 1276	5748	DrvInst.exe	93
PID 5208 wrote to memory of 1124	5208	AnyDesk.exe	97
PID 5208 wrote to memory of 1124	5208	AnyDesk.exe	97
PID 5208 wrote to memory of 1124	5208	AnyDesk.exe	97
PID 2292 wrote to memory of 1764	2292	launchtm.exe	116
PID 2292 wrote to memory of 1764	2292	launchtm.exe	116
PID 1240 wrote to memory of 2016	1240	launchtm.exe	117
PID 1240 wrote to memory of 2016	1240	launchtm.exe	117
PID 2332 wrote to memory of 5960	2332	msedge.exe	119
PID 2332 wrote to memory of 5960	2332	msedge.exe	119
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120
PID 2332 wrote to memory of 4144	2332	msedge.exe	120

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4176
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5392
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5100

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5208
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1124

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4128

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7968beba-8d7a-6747-b636-394c7428365f}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5748
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{92F92A97-FEC9-4725-90BA-A3172C8AC67D} Global\{0076B57B-7544-4AF0-A28E-424BDE9E3B6C} C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{20b66686-af79-1f41-b22d-c85d7d5c179b}\AnyDeskPrintDriver.cat
    3⤵
    PID:1276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4688

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5652

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1364

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  PID:1764

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1023cb8,0x7ffac1023cc8,0x7ffac1023cd8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,1300981595508855401,2732646723598208659,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
PID:2960
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
PID:4524
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SetWindowsHookEx
PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1023cb8,0x7ffac1023cc8,0x7ffac1023cd8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4004 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1520 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4180759037954186039,13232742663774612628,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.3MB

MD5
0a269c555e15783351e02629502bf141

SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d

SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

Download Submit
C:\ProgramData\AnyDesk\cache\device-id.cache

Filesize
312B

MD5
8c3376462d20b3389e6d164b1e6a9a70

SHA1
3f814d59d96e6009f4189475fd2b1094e7f5895c

SHA256
c6564f1f3ca71825d6350db433d827fac3609f9394d0266f2724b05ab047a3f2

SHA512
185acf93c750b858131b4181a00774d70d4058f1dc2dcdba0db7916aebe98bee3d49ffe79c888167b068a605c66322356ef9abe1ccd3f18395b2d409b9426bb0

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
f4af6169a6d61d588a381da52e593e0a

SHA1
372abc78f2ab104e349e28477aab9e2656cbccb4

SHA256
898e1de11ab53423a57d28c80e2f1e4a51c5f0596879fce3c2d247faf2359ca4

SHA512
2fa01ca1db1326f653e1c5fe56415635913336141d117e217cca7b590154eca26e2ade6b0db9ce9923bf9afae713a22f922f969f0e9f5ee6ca98dbd4b6d57ab3

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
951B

MD5
fd1c6fe82e9f13f21961cb3b874c0bce

SHA1
a48be35c75a71a10b24fdf3035da01e6eaf144c3

SHA256
ded5d88b4ac373c2b8ceb85a0e9a421430dbba4652a7c68bfab70af6c4d37ef0

SHA512
ca5df19703f122d6e773d8d0f2e91961e4d6b75b58a3b217d49ef2a018e510d8f1ae4dc51e5511091dad9b4a0937e3a8ce2bd646224794af74f2fe584be22c00

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
951B

MD5
7b5f2611121c92eb2a940966cb5e54b2

SHA1
30813813166510f8756190ff6b5592b1200469da

SHA256
40c7e3869c71a7d4add25a46d860ca3efa6d9060694f03764129fc4d59a11d69

SHA512
d083d8be14ff5e5bbcf5e4679be519a813b219cd9eb747d5e40fbe7cf668c7e3ecdeae5d304f15f81158e63db21c95723b53b6b4349222ca36cdfdc3535843b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55598db3dc40b52ef5937f295fe3372a

SHA1
4ca25d612f4759ed48f166df42e42e0b9be44819

SHA256
780a259ce0e385d50d83d2335dae08af681fc49ef9b0f3f0727d5ca8ba992cc0

SHA512
8f6a05691a334351ea534671619606f244bdfa761b20f4c42f60fe8378b56d1155af0a612f3dfcfe9ebe96ee1edd97fcfb3062113eafa57e2d4349ea9a360c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
817c6ea19143473b77d079ee92aaf6e5

SHA1
3cb2cf3fb008ea6ace99ee881a609c5b9d095c19

SHA256
8f190d353565ec6e5a922985ed0baf7b5a3454afa62f98489849459170a13c4b

SHA512
7dca0947423171e3f6b00dd4994826ce1662b41379476690492055cc076378fd2c921d41290a8b09537abfefdaa19c576778cac5036094e751d21417103eab0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
1024KB

MD5
9ba2064d38eeb5042951f9699bd24192

SHA1
5c3589f43e20ad11b238e51298dc63b98d256794

SHA256
c34948200ad5e17597d3b3a34052dadee91382d802028495610ec2b9cf1f42de

SHA512
9a964d695e064549bae9931601c084cf2187398546309b8a94a955b33f1a94763295486d6e053a63f5f6f9c4a32d5730bc5b18ae2a17a52d986f6bc0311b4553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
20KB

MD5
59ee96aea4061c8a38d2506c4805354c

SHA1
273902cf69f0ac50ad5c654fa14ca8ddc295b99f

SHA256
7c8672db679b72c70317a6edbf0c2311ed3653e1d911376cf232e334ec7eaf4f

SHA512
6ddc4427481f02ee4f3246384671ff8d41d856d8b0e281c651431a2377b16991c5bc3a3fafb5c1f80ccb05f9219cf201f9ec547286940584c0a671dcfbfefa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
261KB

MD5
9a272873810bcf6dac565fb30527c1a5

SHA1
db5928a697e543d11a6f00176f8734a1036188ce

SHA256
1e1dc01b11b7b29b94c2c5ac3d8133c765645b8d26b9b2e3dc341ef09ef339cd

SHA512
17d336b9324f23730656a07528469591186f21436eaf317868fb8d2fc5163f019006ba1adc144dcabb82c533dee5e590d0d217364c5cf04b3dc134af0a900838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000084

Filesize
254KB

MD5
3cfbd87ad551603d07ca28174f86fe10

SHA1
2d645ab4489becc1c9452993ba2a49c4c2e2086d

SHA256
1873f3f5f78605495cc940cf36b4fd7c73d88f9327410cc37b76e75e693c1ac3

SHA512
e00185f2a5540ae1d42e55297d96458786d65b54933b0d0f139c6e6d661607832fafff546cf2aa9dc178b2489cdd462d8b88683457a1bb867ffd01ac2e1c41ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
463bf3633a0c2be44c88b6ca012f4630

SHA1
916eeead7eeb8e02ecaad43be1c54948cacb851d

SHA256
e40ebe97faa647062f248f700cb83d1c1dbd909afbcdae5d1aa6e2b47ac24bbd

SHA512
25a3451c017ad60c14ee17fba087f9d3291b92b0097c39a6bba20588207342ed4c1316576f24c68807bf88b3c99a46ab9c10ad5ca7a2d61ea40577fb66981d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
989b5513b9f0d60d7a2c09d77dbc2e32

SHA1
f031f5e10577a7566c380d7e245203b6d7044cfc

SHA256
c00e69ebd158a0c72babf59df42aae859ceff07d8d25e4ce0547151a9b22b3fa

SHA512
f38923f5980d7599ca236e1117d67d6e59c1f137615aa17ad6f4ba55c24f582dd665eb48cead0bcf85fa6af519789ebb53a1ffb42eb0adb79d60ab9d00d91ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
866e4dfa88b27bc8bffb7a03092eda31

SHA1
5cf25106a21a57f7e25cf9d11fd7e5ffdefe03ac

SHA256
dcace30f9caf63f34a1b2668e2074018f7eda35748c9be5a795dc4f474e64acb

SHA512
1584131bf92563a208a62bfe6b1e8af5412babddeda37af67e8adf9582ec7d17292e445450c1db20e30defe195fda7540f3e16bc252a6706ed90b8c128a940ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b833a1c85985d8862ff67bc3b74e28f2

SHA1
6a9802ba1fc61def59cf7654876011021c7d0f0a

SHA256
2a9dd02cc9db64c75c51376500b442e2c1675da055531b32fccb39811cbb927f

SHA512
a849ff41af884a5e4cf926a76e5d6968a0cad2f578a163fecdde603e1fba7965785a1623d13ab16b8f7efeabd3074b6fe3dac557dccf508131237b7499da0476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0478561308c04d2fa6b82436fa046e82

SHA1
e99191daffec9566d362fc4479821bcf46abe0cf

SHA256
e70df03c14174b7660fdb5e747ca8dc7c20f68daa52ae572899a8be94c4c23e0

SHA512
9dbf40d17db7911ce976f2918737d48910d16c87964ca6a73ff86b9cc5b060acc3e08490076c7709e691516f38472a609bd688799823644be66a42246e7ff127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
33dfc235ac92104d1424eb536d22c509

SHA1
bb1bfdaf85648202645ac6c2efb8255e6096fc46

SHA256
7419e5b287cb5ca3dd6a4acb366139855113c9760a76610ef0c7c2f2478a5456

SHA512
4f7361d55b98bd191646278df475c7141924034d18758518d08de03c802824184ba3681eb93ec6d9e2eff37d42c6e97e71008bf2c24720328d115ffaefddc768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9c20905bb656dc0955cde86779a57695

SHA1
796d62555d6325ffa51470f1f20a543f95e9abb3

SHA256
3125aae7b0c6f529f9a7a94ba9b011bf87416f8b6ee5b20900a59f0a1ce501dc

SHA512
c82af1cf4a35025604f2b07db85495c811f9345c6595dce16ccfa7dec33923b572ad4689d25f986fa079b47f3f7b04f474999837fb5f0d43717c61d8c6b48bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c023d716d85c17c0fcdb3dcd9116f224

SHA1
434dae12322fd3038acdc228b76f3c57d9ea3d82

SHA256
36c2742a3b69c731633ff0ab3a25e6fc65de20c65b9a1c1624b8399afc83f4bf

SHA512
563d6d4d883667ba5fcba4209966cff479b08bfeb7e470ff2863523a5318919120a630fd9da48bee1b033aa388d3e5c200ef0a22b546383bb2942992347bb35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
82670017a79e748b688d016868dc6ccf

SHA1
1d61ff13460c69d7185332b607ecb5d7864da2e3

SHA256
c3450c24b0be3d54b2850698f7a9c5c8835110709d30177eb2e9327da1ce3088

SHA512
703840fbb0557736e4815197df34a74dc3580db9091e0ba760a6ca3adbc98454511a5009b686f34a4f7b5927bf5db52f72f92377253aac3d2b6895c81077a13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
a6c9911728030c0cdc0b880cce75ce7a

SHA1
eb925f06079d3bc6c05904fe0d74123005479aa8

SHA256
11f69f17f360241a95bee9f18268315146671afe4bffef75349a7e88906a57c4

SHA512
c1568e78b2397ea77068880b280b58e8ead56712360f1c7b4c808ddc1a5120cf088d3c8af260ae9caf6079dc8485b5161d624628ae1eab6207911ca9919cb8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
18293bfb0d036d8a19ebdf5825bad3bb

SHA1
6d7fe0c974e62636b972bef0d5bed7d11f882954

SHA256
96c4551406b6a0a351edce0f80caa7c569d33acc95164267a8bd78a12eaf571a

SHA512
1e56e43ea382ace6656170e306fa95857ff49d36378d0d09d6ca7e06ded7378cf5de468ab0c015d347c5229cb10f49b85b7dbde000d837a35b32be05a8dbfe61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
466dc04a83714639914a63fbeb434ca4

SHA1
5d64c1cbc469f6e00dc03b02a2456db7b188f8db

SHA256
de5886ed6d733cf79f25fff8fd7b9a39158315085d288b6b655a3c84a231422b

SHA512
4d1af3d3947184defec6e97e2ffa2c60c67512fb7bbecb7b367811f2cf3465e93b7e7c8dd12a3d049e62053d8bee89631b21ac946a2bd0a26cb355a9f79cf88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2ce465b4b7aaa59e05b55c47242a479b

SHA1
10413be3a8d9d8ad5b7396760056f7c84aaae473

SHA256
9c37204c37d6bd0cdd9099fc5786e219d72ea544f05717d68e5f2aa1c6752947

SHA512
79509817d369c5f038edad680dfa8635656cd0e93d2cbb5fc74b97de05d8962f74a86403233e007398cbf9b617fdf6d6a63cb3d7fcbb27e6f1bad3adc62c339f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
32f858a6b7cdaff532097f11bf879cbf

SHA1
0c460683c0198ad07f47859e502b7943c6439d34

SHA256
720f773dde3a25161dcc4c3842c74986c64de6e7d20d516255f71640f0b2d391

SHA512
7cbc873f3507455d5a76128e0a1e95be03701b069ade2b263849384997444e759c5928ee8d3668e80596eecf24784511c90a76cb49271611910ce591d6d7f485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9779e98410e3d0ac86fa58e144871deb

SHA1
35ffcac4dcafea0fa43f4d2fe287289a780a36d0

SHA256
bd6e1b88f921cdcc4a5da09b43e4abd46f7a4cebc9fec8ecbcbffaf77f304601

SHA512
04d7d5a21b752a5bd163d4447b18baa2615c7f04d1def7421bd40f190f71d0a84f1083ec9620b94f504349bc575286c91ebe462ed854c907e8bb1aed17d5c6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4e62707f4f013fc2067bf9c3e48c3997

SHA1
fa36410bd26e24958dc36922b7ae6470bb4f2bc0

SHA256
7f4b7ed7c83f19dfa0277c5b138dc1df2ac9c0400304bd187b9182db264c19d6

SHA512
a6aa499ab794ae380a61bf5ec8d8fdb8aa0e8f013c102760e61ef52e0066467386496a547a7f70a3677cb6674dba0b0e7c6d51a52b5fd7ee5101fa80a3b6ff21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a5f4d10672a279cd06689485321101d4

SHA1
cfb97b1500dc2309212114c64936044ec6e517a0

SHA256
d28329b73bdb020539a341096a17a34edd1c0f487d9a64f6b0d4006067b2367c

SHA512
62df2dc7f166c96010fff2b89cb2678ad8171211d2e8b9704574caf883cb0ab878df245b8696794dd37dd95884284ffa363744e57e59f23e230d478299424a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9fe14142e0388cd7baeeb289d3e42346

SHA1
fb5617f723006ebdc86b76a2ffca3937b8ec5f26

SHA256
39ff5fa9b45f91fd028e260f5d7b453538cc2ab86f3d471b43235e9e24ed7fff

SHA512
2e23bb9f4efc2ae8d736a8d75e85682d077306f468662013cc5e14616a00b1984a3923de6b2e1ab3a66679cdbd9568e3e6323e880c222e5d78402a8c24b1f01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
435bf2f3f6e52069e801263584075eea

SHA1
e3c0223998f2dd4da0ba404e80372bbc92e8e7a3

SHA256
51e6ea500bc1e652c20ea0d9ecbcf8c6d93ec631cef25a857f3883f549557899

SHA512
a814cd8871b3e17634e9187b4991385576c41a6cccbb92d232b1abecb17ff0e7cf5021e37aff51452b4d34c884e29dbde31ae8813b74fa69db9ae38dfe55c50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
94dc791ef70905cddeeb5856ad11da9b

SHA1
ee392d856e5773413ce24b3135c9bbd5a1a7059b

SHA256
9255aaec66c126d0b7d9d2009665d936c57b9d6580e3be4bafbb572df2a955ea

SHA512
9df253743c2a131c77d604ba1f458e0bdab54d81d0613b5472a39f230686540b782128845837878ba3823d202df339bbdc940d7ab2536ba02c4b48d80bb0856b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f2ffd019ed3fcb9127af03e9bfd57380

SHA1
9035b3a9233c67fc25a6f4698bc7dacafd106032

SHA256
73e0c6aef310fd4b5c6db640cdb3a020ac15e155c0d0d34200edcb84966fbba9

SHA512
2b5b009a901370579cbf76c7b0b67909cae284e450b8468a684453683364e649ae4d8f6608cd1e93591eefa27b9a726172cce45464bcd0907b72fe16fdbaa7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4de40eb687e499cf70cdffbf07fe48e

SHA1
d6723913bae72f9ba597fe174a86ea45c421f23c

SHA256
2f5ea18e2de9a728ce134ff9796f33e901ff8dc10035df50aaba70f5f99d3788

SHA512
9eb95a37ec0fce568e8119aaaa7fffbbe98ec7893cfdad4431b35375f10c0ad9f265cf665f5bb0621524906ed3c40ce4110dfe1cd76c0d491e41de123c8144bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e356280109b9b2dd1082ec304e46d3c6

SHA1
0f035e1c7756174ead2f9fb9a98f95f4d607e787

SHA256
619e09cebe1ec407aa840ada38685795394ec42a6a6efd399243851b837a457b

SHA512
40ceeb5fbf7baacd27752b98077f287f063b346d5558306bbf9b26a1fd41527f427c280b2ced8a54d6b933d040652bce3c049dfe221610f839521fb6f4998a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2c0b2f24834e76228811e13030a1bbe1

SHA1
e13b6506b94b5743179aa4ec1b96fe66ca75aeee

SHA256
cba22aa26efa6319ea3591ec0b61c658e4cecdb76da8048b992a216c0b7963b0

SHA512
210f54a7f2dacd18d6df9e5cd724f990085fb8ed0ac5dba1cb798a344f0a5d3a7c2057cf8cbd1736164af8b408a833c3ffab5ecab288d9aa6f7d711a4ede318c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
415b85f24e385a3b566154204d5d571c

SHA1
6f7abb16b14919b670d7009fb8666157e55ed80b

SHA256
5485429ba518dc476080d51570cc931ff61f24cf1ae9a762022d502bc8cdca40

SHA512
4a4eb3b7b1732e38c1dbfa68c2cea88da3f925460327ba935804fbc12cbdc775f5a5369c23d9f82c3e179ba5c42a64df6975232a4194d8be621feaea14a907d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
98fe63f710249c93ac3791344c55357a

SHA1
0d6515e61ed5cae194da4003dcb9218d27fdd219

SHA256
8723a20dc947607d7cf9a0b1bb8dd83926729e30cd65d824bd7c04043ba77370

SHA512
4f0066bc1b69a287ad62ef94e886442e96ece54f3bac67b055c4414106275b3e7551cc14e7a18b676da3b760964fff7e8cee150fc497968b3469ec9064ef5ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5fd431.TMP

Filesize
48B

MD5
81241557549e0c100d581dfe067761b9

SHA1
010f36ccf82286ce9c76328fba7a3f41315727cd

SHA256
9da1aaf2960dee4153e95235d8f3cf37bad4775e6271f7b69100f56474065a03

SHA512
ee3aaba718e74a7728cc64da7dd09fde1a2881602020698ac854e490f71ad65f0dec062fcc5905e2177284eb04ffdb6e2d14edcf6d54e2c8722e8eddbd20db96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
6f8879fb02b75cf8bf23726e63ad109b

SHA1
6e4e911da91ec15eeb8a220ffbd811c96a2ab1d7

SHA256
0240eac23fc266b629dbad9cc3fb471c0c11d1336dd82c7413bf8366499b57fd

SHA512
595815470f731d6361b540e2d91461ae057164fcb01c8826872d1d759e7f16664f6d4484088a9866c69ea8a214e476a76e4de835841b2408aec10a0db7672c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
50508306c107e3bb66c8aa503f6dd1e7

SHA1
175d8bc845f4ffa052b40d27cf395b9cefbef383

SHA256
17dee3b5fc44f294aa064be4ffe6a417886f32ba428452415d7add9446d0a131

SHA512
1418918b85af3d3874a7f758b1c2397c2aefafa8c1ead5a8b01bb0b11aa8f55b9870781ca6742a3ce60195f702bd4790bec3145e7b9cdcc72df78e0e35671afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e284bdf577bb98e1439762efdb81d310

SHA1
f6841a51088a16b5e8d4fed829569b553eda72d7

SHA256
3a1f12cc1c6aa00075b0b6e40a1bc50ae34facc3bb8a5fb1864f20e61c5b8b3e

SHA512
f922a8645256c5334c22866aed6ac3be082ea1cca9f47d466ba52bd0b2f6a06b1958b3729edb4e2f1adcf775fb7165ea4b56336d405cf0ea95d5d90b2dd8f537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
72de562ab8cd7be0078b7e49eff5d0d1

SHA1
39527a52d70bd681251712c02b850a2fafae4ffb

SHA256
db41885626342934e6d353137021d933987814f7218e864b0bb99f98460979d0

SHA512
5b4f66eccbb09e3633a9971e488f58fd0cf30010b5784fdd1b705e1afddd032b3c8e3aa477c0b32d3f780d4beb39ae34995c4bd62e1f2e133afc58e16eb4120f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f7f8d911dc3be435fa478371e1886ad

SHA1
d6e16979fc13144a2a5ecd5017237957b83beacb

SHA256
07e6f76e47da8cd745e41ddd47d03d6e7ae4f900ae3a09e523060b7a14fa7b2e

SHA512
7206d32a19b8b5069ee5131866376c550f07459976380d415e69805b327b926abb23b31a3270736d37af65513bcc71f6ce5da4fee94edd64386b19535cd18ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
10712ce793f1a4c0e1a6d866e1a7e874

SHA1
e7d66cc7df1abe688cba99e970506c14a206190e

SHA256
6a95cb6c1a1268c65dd0c1f5236e581cb6b5a6fb7043a938d7310618cfac6470

SHA512
19aa705f92b862d33ba6cf2b40acce8739f26869828f98fa690658708e7e1dbcc6631fae530a40ca3336d9583363fe64effee97e6ef5f911657555bb12dd05a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
9c2e42b2ada3221c8950246d8e955f5e

SHA1
e59eb5f36d2b12ce14ac1ca754d079483822522b

SHA256
b2a3ebaf49821d535f03b2cca0032080f4d413c404369fa100b6ec8925780d59

SHA512
0e6b005445c8a40eda56fec8533dd035ca5ff3c3d9e3875e2cb6302328fb19cb4548368dbceb2dd5e81012fb9bb3f353deae2bbfe33ed8ee7db70872e7494fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7cc3e14baec55a493f87a732c7583d8a

SHA1
7b651a0364432fabc0c8783bcaae0f79282911ee

SHA256
927707a23325e3c981eb3e6b0f9e7f9e94563ca85cd97c62ed7cbff44b8e8679

SHA512
94322504581abee4c3866af9bf17f16c4d5091845ea54b644ae33da28b2e3f3dfc49ca735c235bd6bc79645d037a25a08d57240cdf6c366278dbacfd5999b201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b3f86.TMP

Filesize
538B

MD5
e909f89a90fff4160ab906a387f77891

SHA1
bcdb7b899c061f51452c9c9b93d16a97b1f61e83

SHA256
f9702ae656117209e9b4c306a5bf18c1abfac0dd8fdfb8fdd6fdc63050e038cf

SHA512
39690d5b9454c37353272469043bcde960483120af31b1b89c6ffcc5d04ad2f64e63b4b55d1f433a9cd37512e62734975470f4526a7f2fc1512d070fff1054d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4aef86cf95890e5cea6d6ee1a2caf02

SHA1
721aa99f711d19dc3e0e9531736e179b5dd6e886

SHA256
19b746e509c75bf8c38057daf59b952c0f1f6252601bff78c8738dd77af99da0

SHA512
c8da751066d3f4d41a1ec4cdd5e56076941910476124a5fb03f05ac473987e2d0d9b6b895984eb3610c4f40c134f68430f49966e7e06b5dcd4d0bf4753328caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0f549d35e254c81a842be242eb38ccfd

SHA1
1277c3b7030c5d2bc8fd881e29f90b594c3b3d35

SHA256
5b3dd56e754cbeddf3e10bbbfb6611341e10314a3d5813cd63af32545bf043f3

SHA512
eb1419d8c70f30bd8d47dde36f71efca40c1470c41b93e778d5bb640478d429631cbfd09eca0616bfb45bd6ab19bb5b4c3623149c7b5a4f0c336c970a3efb76f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7296927f6c2adb2cedcb39f35ff9ca7

SHA1
bf429fe2e1a8df9efdf79f3b4470d8b2315b8d6d

SHA256
23e4f755b7966f204d910988b826cf27b152148f277cdc7841d3164da13ec2a2

SHA512
7ffde20bbffa6f1882c8f19e00532caedff6322b57a77c42ef166bf547dffb7a23559ecad1b6f823154ce713b563f0c8d1fe12d5cd0ae625f621e221f6e838ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a263474f-7019-451c-9579-ba3074998770.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
c0f1eba9a93fd16b118b1c94415744cd

SHA1
b514e54cfefd419af01c78c498173391bd7e2a47

SHA256
5f8acf1b43572469377ac8abb33eb5834449f08dfc09934a343100464e22fbb2

SHA512
2ebc780fbf29fbe6e0104a82fea64ad993705e3e7edd71b4e412a48abb2ab334ef3df42270b794d1f489a107b38f60b6bf92cc96d3b1bdfb05f5028f0a79f696

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7968B~1\AnyDeskPrintDriver-manifest.ini

Filesize
252B

MD5
5cda10b02df931ebbad3d0fc9d9509b7

SHA1
f04b7885bfac4bee938d047f6703c58d4087facd

SHA256
ca33091bbdfd87bb3acca1a3eec96d3948a0830d9bc7bef3c40e15055e4c9a03

SHA512
99cfc18278eb4726b44caac07f1cec7f877791290cecd003417f1ab06716c5d4c004f2dea767676895db0e96dfa2023661d44684bfe990d5a97fc03e60dfc6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7968B~1\AnyDeskPrintDriver.gpd

Filesize
11KB

MD5
ddf4ac6ecd52467516b31e0939b8a030

SHA1
bd452adc22223981b67dc4d665e3a0e8cf470c09

SHA256
019677297ae01db991a5c122ae582424e51d41ef7bb81fdf26269afaaaf5ae22

SHA512
a63b7dc23f8a8ae697aadc564e947fa5a8d3429f319ea72f5b0cbb77c51bd4f7d15450218360d6a742e2f2e3187745eff71f237079bc01fa1fa5cb6fb3c7402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7968B~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml

Filesize
567B

MD5
8accaa9aa32148aa2bcd72ff14880618

SHA1
a1226a1c5c92e41ba22b382debc0f9a754b92c05

SHA256
aa0b5f757b3d83d19c973fddc4e82722b530d9aedec51f6a540a91126e4cc0dd

SHA512
026e07faf75a5be8c96ae59a93302a487a18b193b5d915aba5822cc27d2fd1f70fafb9239b34df8280b060f85bcf3316d1d4d5f1b21c8557b187affaf490a3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7968B~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
299KB

MD5
a4e4b05588899d7dc1d70c651cfce2d2

SHA1
c280c7f97e02eb582f09805451e5b17c34d0e119

SHA256
76a784f5561994bf302f0d65576efc676866429497a16a611ea38f8fc8939396

SHA512
428bd7da6d77af8413227ae3382f707436dbd494e9ead7a3d002a175ba64ceab71f76fcd94581c3f2532809fa69af1eb29a56e48a61d37fe42dfddbe4fef0278

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
be97f31bea5a96fefd8c17741d19635b

SHA1
8c8cbf990168badbd4f9888791211cb24413293c

SHA256
220e14b58eb4ff7f45fa12765b9717f9dcff63d7e76a5b01de1cb2d1073c4695

SHA512
6848105c639a71b706aa064968207219e93aa5a8a5b3458792296a2c50cdfdc6d596c916bb4d841edc6a3ea36a8986821f45201c91245b40778e569e70444feb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
31KB

MD5
068794fd638b9d77dd9d5d4ef6ce06ac

SHA1
e0e3316ee34a570851e7904b08059dd48e7fd69b

SHA256
30870575a0fe5b0eb61951b9a9005c67501bbc1a9225c8b1ecaba175441cd2ab

SHA512
c61007b3bfd7e8d1757c2a8188895f1fb2ed9055c14ce25b79ab97b385097df6a96daa5b103562409ae679910a28b28b744b6ca39a8c291c8d9470ef600c8e7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
39KB

MD5
734411bf6f80fb94b394f061e4a245d5

SHA1
2736063c3e68d1ac93ba2d3ebd96f972406cd0a2

SHA256
e8f99403def0103a33738665c8e95b94034fd86039959b0a908749e655f603a0

SHA512
3ac2de71f0bc05e14e643bcca8332dd7caff7839e5d079cc7c2d7c60de9970cc1a46b0bc8782e571e74367c2ed68645f37c942e4b9736706616b7cf82d25fe58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4f18c7c712815e699d2ce1cda6e0e9b0

SHA1
d557c346830da44d8e327812858047ee14426315

SHA256
cc605cdefca1f21eb4a020324640420aa3243e8719c66babb0c9bae546ee8083

SHA512
edd012efa9cfffc8ad6df9f29729a60622e9dfb5067c82ae3b5e144eb8c0e825fa2f183fdd4c62145958e57d41972d386e83a267246c28ed5ae46bbf388535dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e9f1b05dfa735ffbcba99fe35f070d80

SHA1
9a0c6d1928586a6d68067eeb079dfaa446b5179f

SHA256
c4162dc0605a3d4de24797e044306f3162e3198ad6dd924e4f3d5ce1adf4fdde

SHA512
166f04c4633580747e48081a7d180299fc9156d8d5195195f32c5b3a06c552ba38b3d628c38428f36549e0298d15325581461e1ffcb2888f26068f2dd3638a7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
98af35c32e4af16c35a823ddb7883627

SHA1
9a2408472744add4c4a5f2deabba509e0ea216fd

SHA256
181e898fc63fd20d803b5389cc59be1c6ce61c88b442993762161b46ceac16fe

SHA512
41b3bd566a99287ac3d23c939ac92211cabcd5b6ddf2e97d4be6e3ca12c9720dae78ce0655183184140300b1afe9c1e54917f9828aba46df938dfd33fe5ab631

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
1c7f7d0063f3a59bb5a0628414b0d9ea

SHA1
fad68341473641c7f0748cce5995d76e482c5e3f

SHA256
d2ae44e711d22920ef0f16461062361b124dbe7f10cae4393305f701fe0c7ec3

SHA512
a6ee22414d8d7a097ac25cc823e23d2742cb93190bc819bd7ce36c7103ca8c6b63ec824ba1ae99717aace1c4d974544937afa92f212752e3fb68eac5d92a0318

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
bde9d36fbd37a9177d25d6f40fe46895

SHA1
91609dc670de0487b113f6b5e4753e7f83f507f7

SHA256
1c4c4e7375817a73a7b1317c4b2d23c9db2bc1f12f2bd04f54a830669a180ac9

SHA512
89c4bbdc173b308a2344ce2087543723338844ffaa71421770449d4aa12b2f7a1fba85b53024432a347e9a44b051553fc979235841521e479182db63c48e43b7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ec07253b242b3b496776b4dbdaa02489

SHA1
f470a336ea15c0222ee0db0f974f864e336f1cf8

SHA256
f09140ded8471770409c6951f7b2cd23a25652cba5510e019a96abbecb4d6c10

SHA512
4d89c994f9dc95f309e4616af7896fc76fd78e1f1eb3f7cc8dd9f1b43b6d598298ea2d64466670ff74d455f17ced4897a9f89d85928a1b004eedf2f707d8024f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
fec26eed950e0e65b6c6d676f3d22749

SHA1
c2b609a0af2114e4895f72d1ffe949f6039ea23b

SHA256
c03f26eb95c53796366bb2b1baeb20f34256f2d6a73b02431ec0dc1bf33abf91

SHA512
4c795aa48a63d72d3cfe01e95b8ffee4bf89350b7ec1c4fdfd04fcfeb589da920d4ea40c6fe76aa7f159c3644b5c9f8da65457b8592082fd91adf0d02e0542c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1e5aa70c932f587aa8ab5925dd0d293d

SHA1
ad62add5fb5d8268697b7d003d170ae523d7a3bc

SHA256
471ee97aeb0af17e1bb1d712de126b511a94f4ba0e313785ecb74f765e60a3bf

SHA512
d64dfa983c2016105554fc7306f253ae3b5fe68a3f20ea4843dec4fc9d2a0d9fe083c7581b8661be4629ef7a6e735394b4f88b2fd1435813f92000e4b3f76d92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
607837e5ae0ec06f9181a215068c5b35

SHA1
4db17295cf914d85eeb43f8fca69e490e97caa6f

SHA256
1ad29fc1d8a4cb64ee8a0bcf087ce71656e3d5d7c60478407c166c0b0a7874c5

SHA512
00f26221bc49119bf9aabb95e85de65e10dae9277ba9f998237b14feed42d6ab761a22d61bca7178bc3708480e68220f86ae249b559c368f01b8701314b5ffb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
10fc97670fac70b4f272dfd6ded8b0b1

SHA1
cce12e8401755325e51a600640270233783cf650

SHA256
0aef7e488046574d2ae638ab76731fb7e333ca336834b973bb7e95c1ea0d5dd7

SHA512
234e102f992c78e9af2f17d94e5291c2fea26e5c55060d372125c5da5c20cf86474ad0096f2d76b8b381b52b799152d56a53d6cbedbfd6343c8c34753924f980

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
addd7eb5851a878b6cd6f91739dc2fbc

SHA1
6cd39ee99541f0f7abde5e9d5643c08a93cc9d97

SHA256
08c03bda1fd9f8799713bde5f7d21a7850302c52a5ca070edb3d1896680ca0e8

SHA512
57ccd215035bc13ca405b5c7497e912a85bcf7782affe077ceb254fb5c4f456c8dd9a214f6300929ed90978c453e7dda67ff56acd5d3348c41bc97c395bea5b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
43ba1824b1f9b02a1fb883c0a17c62b8

SHA1
d88933f7400a017b67378ba20ff23f99967ea40f

SHA256
8e29527f967c54d5a829f9cf7a60ee7e4254e5a9fcd39948b3606224dfc955dd

SHA512
612c74c9b26a5d3c3ff9e263694f57b1510b2c421803b902f506168cc59af773c407671f0b66246ec0e5bed0f0dea458d5b71118504db221a6cb116cd1a7084b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
b3963e861c380cfdebb9fe87bbbc7d09

SHA1
4a205674f097333095f5008fa9408059a145f902

SHA256
6253093722f65f023713f43c81f7fdb808275e13f47035952f6409f079688a68

SHA512
d8228f97cd67b2ac5dfbc055bf7a142c3ad29cbc506030e8587a5296da47ffae82fcf0ef86bee861185eab9c25e7d4a5a3eafe4d78eb5c0718084a75b1b1c7d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
460e522162744a70995627721f22ed75

SHA1
74145d6c5b42f22309e337548dc625183edc3a88

SHA256
4e312291b666497b9eacb52ae5271a88aaccc7e70ad9362f462b9541b5a223c8

SHA512
4b5d4c4c7f71ae319d60c6b086d13e0d326bcff5727549093f1fa83305052f1a62109b0e1cef9b15c901b0bcc5194ca2779bb81de47943501a7ad4d06704b914

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
baf802b7bcceadcf42f1c8e002088294

SHA1
a4ba9531644d4ff191496b1d8cf44453f54961e8

SHA256
89da590fa5386aed44a52682364ec012e735bc3be756953a471629ff542740a5

SHA512
7ec58657a9ce7fb71f21eff21520858313dc5c3bc58fbe66c15a2ff12ac5c19bffaa97d9ead5d536de2aedc11370753a1bf42cf74a5af1c58886bc8f95e0105a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fd9e2ba886cfc4f16991db69a6556f6b

SHA1
e8485868af76d580632678b904a89baefc7debd3

SHA256
0be5c25f991e180ec98c791f16767eecb0244ce99c37e7e69ade69154171337d

SHA512
b1650aebcfbce21d121c1386f3efea39e0bb48baf063af64f7d3406a68083d528d63a6cf3b25175dffdc7ca2b86469452ed48bbed5735b0b4a1d06b39353e08f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9a3d069b46dc50752111903290cc3cf1

SHA1
4e228fa3648c810ac657215bc72de96a488bd38d

SHA256
7d41c255c6db653e0b81332db271fb3c21c10169cd004a1a711646faa87bb66c

SHA512
3719fa8487049a1fe395f043c738b848353936365d1dbcbfbed933311b4e9e7058081aa105498ee46df03c194c5dfd356e9afdbe6cc88d38eec209ce211befc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5a77e6be4405d5e71846349736e097be

SHA1
19aa351c0eab5f4eab0b6ed9f796a41a76a63903

SHA256
5d19eacba1283a1821d65d00095765ab5a3ee58c6b7f874de58c14861c9f173b

SHA512
a03bb6a23792077c4c6a7c419349473279e42e05dd799bcb12c425c6e018f1de62e4fd915221a612920e1ca0ecd0a0f53de698d0a3766e28241d48be719db938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fa2bd603c592d2d54799e2fd67232ba3

SHA1
bfac02ddb4f8ef14ac3f86e4f138c1f56f6cb0f9

SHA256
13000619a2219a724a3d038f46569812702a1f305b539a0cc1aeae1c3874641f

SHA512
8a245b1d11375da3ef5780a81bad7880866dcd82f2be4a327c2fc5d23c4fa11d9e763e47e508e6d5d86986ba0833719150fcc458c2cdd2ea4ed549cf70eeaff8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
a38d13f4ce3f45a177f1fa78c7988eb9

SHA1
3e2acba9bfbb8895309bc21bd15d725b41299598

SHA256
64ef1cc8fa7994c211b57c7a1518c78a65dac680d7729cd8cfe716f37fd96a8d

SHA512
d8adc80a78e9932f2158ee7e626b5453adf43ef0b01942c67712dfda09bab52ff4e81780a34910062b0887189ebba8c0cc46de0520c2cb62356755bf479c30c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
8ca70f7c53c1b8d719f19d591745c483

SHA1
26ad8bc475edd96b0e565ce103c55b64fcec0216

SHA256
1ab24a253597b52a88318ef791ea5f9e0514b3e89e73d9098c0491a1e02c5978

SHA512
d8630dabc9858a6966b3366c4bde339e4d15e98bf8c0d8179058afa4867697cbe248ce8fcd3d3bdeac2e6aeebf6f16e85c7dd3f565e8a6242aa8906b37769ce3

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
22KB

MD5
24479253cf8300bc751fcf1b599b11ff

SHA1
070e03f6a607c07468332189a2af82b1258f611f

SHA256
b7ed09e5141965dd3f058e87513a778d6b76905a98299a44a96303f89f76f877

SHA512
7eab3f61b4dcfcc4e80efb90078b5c306eb5240711ee07379626e77e50009a77aab79feff43a2b85e7bf7f2fc2f62205fc2ce095e99582170aa89134efd7b92c

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
1KB

MD5
4fd72ea7caab0a5701ae754ff971977c

SHA1
6a432aa100f0214cfb0578140882e0a8a6ca473f

SHA256
9ebbdb3a72bc8f74f71559ce9b069f46e362ffb506cef791f1e40bf624856cfd

SHA512
7003d768d51b46c979924e02ebfabdc56b465865751914ae42fa1fcc5e3f25560fc2ed851c5c19a8768f64b9df5949b8c45cde65bee4321227eac1307467a4b7

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
140KB

MD5
493064af94247b271eecca1b9ae654dd

SHA1
95f32d864f6f6913aa435cb53f88016093c53648

SHA256
510b7fb3af6c02f71a20c10fe8be8c2d42054f93cd1bd01a58aee31760655a1a

SHA512
5b3f0643426ef4544e35315affacc1af4da45d9c9d99b61b6ce0a387ecaf6a752f0e7e145698f3f2320fd9a1b53bf99b0661f2d3d852d858d3481cbd790cf496

Download Submit
memory/1124-569-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/1124-561-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/1124-723-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/1124-513-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/3116-558-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/3116-509-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/3116-456-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/3116-719-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/4128-508-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/4128-563-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/4128-718-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/4128-381-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/4176-249-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/4176-12-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5180-43-0x00000000055F0000-0x000000000560B000-memory.dmp

Filesize
108KB

Download
memory/5180-42-0x00000000055F0000-0x000000000560B000-memory.dmp

Filesize
108KB

Download
memory/5180-248-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5180-10-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5180-14-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5180-267-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5180-39-0x00000000055F0000-0x000000000560B000-memory.dmp

Filesize
108KB

Download
memory/5208-308-0x00000000045B0000-0x00000000045CB000-memory.dmp

Filesize
108KB

Download
memory/5208-507-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5208-562-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5208-716-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5208-556-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5208-289-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5208-304-0x00000000045B0000-0x00000000045CB000-memory.dmp

Filesize
108KB

Download
memory/5208-307-0x00000000045B0000-0x00000000045CB000-memory.dmp

Filesize
108KB

Download
memory/5208-566-0x00000000000B0000-0x00000000016F2000-memory.dmp

Filesize
22.3MB

Download
memory/5392-375-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5392-259-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-246-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-265-0x0000000000AB4000-0x0000000001BB6000-memory.dmp

Filesize
17.0MB

Download
memory/5728-264-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-1-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-247-0x0000000000AB4000-0x0000000001BB6000-memory.dmp

Filesize
17.0MB

Download
memory/5728-250-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-7-0x0000000000AB0000-0x00000000020F2000-memory.dmp

Filesize
22.3MB

Download
memory/5728-0-0x0000000000AB4000-0x0000000001BB6000-memory.dmp

Filesize
17.0MB

Download