Analysis
-
max time kernel
581s -
max time network
582s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
13/01/2025, 08:51
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk (1).exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
AnyDesk (1).exe
Resource
win10v2004-20241007-en
Errors
General
-
Target
AnyDesk (1).exe
-
Size
5.3MB
-
MD5
0a269c555e15783351e02629502bf141
-
SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d
-
SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
-
SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
-
SSDEEP
98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed. In this run the only hit is DrvInst.exe writing a certificate blob into the TrustedPublisher store, which is also what a signed driver installation does, so confirm the certificate's subject before treating this as tampering.
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CA38CF219C8E9782A8CBBD76643D24E4F2D74B03\Blob = 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 DrvInst.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation AnyDesk (1).exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation AnyDesk (1).exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation AnyDesk (1).exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation AnyDesk.exe -
Drops file in System32 directory 44 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db AnyDesk.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F5.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F7.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\anydeskprintdriver.inf DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db AnyDesk.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59D3.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59D3.tmp DrvInst.exe File opened for modification 
C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriverRenderFilter.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriver.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter.dll DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db AnyDesk.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver-manifest.ini DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db AnyDesk.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59E4.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriver.gpd DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F7.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.gpd DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db AnyDesk.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59E4.tmp DrvInst.exe File opened for modification 
C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59E5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F5.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriver-manifest.ini DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315} DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db AnyDesk.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59F6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\anydeskprintdriver.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_c69295146af7a90e\AnyDeskPrintDriver.cat DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db AnyDesk.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db AnyDesk.exe File created C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\SET59E5.tmp DrvInst.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\AnyDesk\AnyDesk.exe AnyDesk (1).exe File created C:\Program Files (x86)\AnyDesk\gcapi.dll AnyDesk.exe File opened for modification C:\Program Files (x86)\AnyDesk\gcapi.dll AnyDesk.exe File created C:\Program Files (x86)\AnyDesk\AnyDesk.exe AnyDesk (1).exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\INF\setupapi.dev.log rundll32.exe -
Executes dropped EXE 5 IoCs
pid Process 2740 AnyDesk.exe 1708 AnyDesk.exe 4468 AnyDesk.exe 2020 AnyDesk.exe 1244 AnyDesk.exe -
Loads dropped DLL 4 IoCs
pid Process 3456 AnyDesk (1).exe 848 AnyDesk (1).exe 1708 AnyDesk.exe 2740 AnyDesk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language expand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk (1).exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that every IoC listed here is attributed to DrvInst.exe or svchost.exe rather than to the sample itself, which is consistent with device enumeration during the driver installation seen below; verify the originating process before counting this as sandbox evasion.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk (1).exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk (1).exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk.exe -
Modifies data under HKEY_USERS 56 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Modifies registry class 25 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\URL Protocol AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open\command AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\"" AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0" AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\DefaultIcon\ = "AnyDesk.exe,0" AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\shell\open AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open AnyDesk (1).exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist AnyDesk (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\ = "URL:AnyDesk Assist Protocol" AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk-Assist\DefaultIcon AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell AnyDesk (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command AnyDesk (1).exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 1708 AnyDesk.exe 1708 AnyDesk.exe 1980 vlc.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1156 AnyDesk (1).exe 1156 AnyDesk (1).exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 2740 AnyDesk.exe 3332 msedge.exe 3332 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1980 vlc.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeAuditPrivilege 3856 svchost.exe Token: SeSecurityPrivilege 3856 svchost.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeAssignPrimaryTokenPrivilege 2740 AnyDesk.exe Token: 33 428 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 428 AUDIODG.EXE Token: 33 4468 AnyDesk.exe Token: SeIncBasePriorityPrivilege 4468 AnyDesk.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeDebugPrivilege 2740 AnyDesk.exe Token: SeAssignPrimaryTokenPrivilege 2740 AnyDesk.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1980 vlc.exe 1980 vlc.exe 1980 vlc.exe 1980 vlc.exe 1708 AnyDesk.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 3456 AnyDesk (1).exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1708 AnyDesk.exe 1980 vlc.exe 1980 vlc.exe 1980 vlc.exe 1708 AnyDesk.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2020 AnyDesk.exe 2020 AnyDesk.exe 4468 AnyDesk.exe 1244 AnyDesk.exe 1244 AnyDesk.exe 1980 vlc.exe 4468 AnyDesk.exe 460 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 848 1656 AnyDesk (1).exe 81 PID 1656 wrote to memory of 848 1656 AnyDesk (1).exe 81 PID 1656 wrote to memory of 848 1656 AnyDesk (1).exe 81 PID 1656 wrote to memory of 3456 1656 AnyDesk (1).exe 82 PID 1656 wrote to memory of 3456 1656 AnyDesk (1).exe 82 PID 1656 wrote to memory of 3456 1656 AnyDesk (1).exe 82 PID 1656 wrote to memory of 1156 1656 AnyDesk (1).exe 94 PID 1656 wrote to memory of 1156 1656 AnyDesk (1).exe 94 PID 1656 wrote to memory of 1156 1656 AnyDesk (1).exe 94 PID 1156 wrote to memory of 1792 1156 AnyDesk (1).exe 99 PID 1156 wrote to memory of 1792 1156 AnyDesk (1).exe 99 PID 1156 wrote to memory of 1792 1156 AnyDesk (1).exe 99 PID 1156 wrote to memory of 2112 1156 AnyDesk (1).exe 101 PID 1156 wrote to memory of 2112 1156 AnyDesk (1).exe 101 PID 1156 wrote to memory of 2112 1156 AnyDesk (1).exe 101 PID 3856 wrote to memory of 4000 3856 svchost.exe 104 PID 3856 wrote to memory of 4000 3856 svchost.exe 104 PID 4000 wrote to memory of 3116 4000 DrvInst.exe 105 PID 4000 wrote to memory of 3116 4000 DrvInst.exe 105 PID 2740 wrote to memory of 2020 2740 AnyDesk.exe 108 PID 2740 wrote to memory of 2020 2740 AnyDesk.exe 108 PID 2740 wrote to memory of 2020 2740 AnyDesk.exe 108 PID 2740 wrote to memory of 1244 2740 AnyDesk.exe 110 PID 2740 wrote to memory of 1244 2740 AnyDesk.exe 110 PID 2740 wrote to memory of 1244 2740 AnyDesk.exe 110 PID 3904 wrote to memory of 1588 3904 msedge.exe 125 PID 3904 wrote to memory of 1588 3904 msedge.exe 125 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 
3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126 PID 3904 wrote to memory of 3812 3904 msedge.exe 126
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:848
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\expand.exeexpand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2112
-
-
-
C:\Program Files (x86)\AnyDesk\AnyDesk.exe"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Program Files (x86)\AnyDesk\AnyDesk.exe"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend2⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
C:\Program Files (x86)\AnyDesk\AnyDesk.exe"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend2⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1244
-
-
C:\Program Files (x86)\AnyDesk\AnyDesk.exe"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1708
-
C:\Program Files (x86)\AnyDesk\AnyDesk.exe"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c134c17a-89e8-6b45-a927-e528834d0caf}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"2⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{9da09eef-6e96-6242-81e6-829142af1ac7} Global\{39e43149-28df-b74f-bef2-7182e0c7303d} C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{702c6d55-ed69-444b-8917-bb803b4f2315}\AnyDeskPrintDriver.cat3⤵PID:3116
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2d4 0x4941⤵
- Suspicious use of AdjustPrivilegeToken
PID:428
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultef3eb244hab2ah4860ha739h2cb0386987c21⤵
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff85dc346f8,0x7ff85dc34708,0x7ff85dc347182⤵PID:1588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16789767142551869129,12729087487687095481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵PID:3812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16789767142551869129,12729087487687095481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,16789767142551869129,12729087487687095481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:82⤵PID:4216
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3144
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:4780
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3960855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:460
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.3MB
MD50a269c555e15783351e02629502bf141
SHA18fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
-
Filesize
2KB
MD5450e1c96a3db5450370622771bd2b949
SHA1805f242226c25eb963fdc2612f02d7b284e9f21a
SHA256ab97c0d091f3c090b2b0e0a35bcaac083dd1cce029be2339c249430a001870fe
SHA5125ccbd3faa3392448b376f0ea3804029c92f23febbe6cbcbd82aeea494004208ea11a6f318bc4168021b3fca25b3dba9338e2d2203391ac3fb8ab2e577a1c0703
-
Filesize
950B
MD5349ca69b63a9d26d55973d8f8c21f416
SHA1e1b7ba78f78e65a97e69264a6fc238f855090443
SHA256a62b3aff18a2c178af34bc8f56fc9a0eaca22fb6b06c58d893ef76e4858a311e
SHA5123f05b3fd2c64575e7e6c3efc303fc0f3db1e7883b4274c1bec5b6b3f24c8076697699748f66d695e88450eac7f026c4c2fc72a6a26f862ff5954c08705604e27
-
Filesize
950B
MD53a8065229e273170801a416168c68d23
SHA1f5d2954e06ba4416f9885f7308f9be74313341df
SHA2560b17244f7f2efb02a851c1d338b13adb33111ad4149621c39a744c8cf6e7a7d9
SHA51233f3b3de79d3baba8056a6a2e396ef99f1257d4078fbcaa48a15caf237ced7edcfe0bc0a77fa90329500217cda6e47e9763bf64ca6aec5bca48726642374ebc7
-
Filesize
950B
MD53e0e37594a28bffcb8d46e5924e6960d
SHA1d23eae218f29c0cea40880f3403a77392a47812b
SHA2560e16c1af5ea9dd909891f00dc95de6ef2cb80499f2dd5e727a9f30a7bcd23176
SHA5122318ebad8ebae2e4b0be720e5cbb6ccf5dc2112570d567d920f32a6fe92920b00df5792d25a6757526abee74745ef74bb0a38f4426631fddf1453e2e8ccb00c8
-
Filesize
942B
MD584310e135bb84beae3e4668ce15a8896
SHA10f9ad4a8a42a1eea9e95306de34e64bbeb476469
SHA2568938ce8d77a7d274b4bf6032bd3397847798f07e06df5401276fd9e9faa82bda
SHA51287a1cfea6a5add51ee570f49ae0f47012c64bf9c214e01233f0f4ffd4cbfef67c06017a29db48fe564fd097deddfe800f526163359656094cf6b6a34581d5ab7
-
Filesize
942B
MD55a3536932ab508e34dfceb520a62fbbd
SHA170c242e908f8bd23c1f89b11c79f1f2a8c180c49
SHA2566726a70587f864dbcad3941f76209d3f20ee6704e1d46dd14494448a1d6aa798
SHA512487c464fa4982f1d6c1115d5b5a964cd340fb62776cd682348a6099a04edcd9201deecd71c8d21bdbe288bab32fac31551ec6e50adbe68b760ba3829815e5a39
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\30d7a268-dd58-4f3a-b350-3f37300806f1.tmp
Filesize5KB
MD5d14b037db048eff52280bdad2efdb3d2
SHA1ff6434dc00afc8fc5e8a12cbc4ffbacbf1bd1a7b
SHA2566ea3d6b3bf7f7ce2be21c2827d94e1e97d6a56ce0c5b7e7cafc669096283221d
SHA5127d323cae845bc513d93bafc914c00f4e1e7b02bcf61a4ff5df92f5a17af3d35ddf5654780434ae9d6b82b8f9573a7a14d407108590bd3809151c99b84a71c150
-
Filesize
8KB
MD5df90040e0b5ddc2fff9f399383ee0e71
SHA12bfeb6d76a9a032db16327d20e8c89d440c8d8a8
SHA25699d762c160e80cc65960a1141ed069a53304ad5be7c19687656597052cb272f6
SHA5122cda64500638cdc17ce793307d03ffd2902a9465bd4e4880a80d13550bd6efc8eff4551b8444c01a70ad1b0865d9db7278c912658a2f460486b60de1d2161239
-
Filesize
256KB
MD51e2c202611b304429423667726774cb7
SHA19b9ebfb38333a7f53d8e8d9c27da65d0bdeb597f
SHA256f6be90507dfddc76d377a493cab51377af79462bbca379f2a251e1ecdebca627
SHA5126a8ed9aed23d58ee3058b4a164d329fc4a546fded672a8aa875f53bebfeb3c5c96e649fd137657e736e00587102177a39ce4c3e871108cfc1177de57a51a2858
-
Filesize
299KB
MD5a4e4b05588899d7dc1d70c651cfce2d2
SHA1c280c7f97e02eb582f09805451e5b17c34d0e119
SHA25676a784f5561994bf302f0d65576efc676866429497a16a611ea38f8fc8939396
SHA512428bd7da6d77af8413227ae3382f707436dbd494e9ead7a3d002a175ba64ceab71f76fcd94581c3f2532809fa69af1eb29a56e48a61d37fe42dfddbe4fef0278
-
Filesize
252B
MD55cda10b02df931ebbad3d0fc9d9509b7
SHA1f04b7885bfac4bee938d047f6703c58d4087facd
SHA256ca33091bbdfd87bb3acca1a3eec96d3948a0830d9bc7bef3c40e15055e4c9a03
SHA51299cfc18278eb4726b44caac07f1cec7f877791290cecd003417f1ab06716c5d4c004f2dea767676895db0e96dfa2023661d44684bfe990d5a97fc03e60dfc6bb
-
Filesize
11KB
MD5ddf4ac6ecd52467516b31e0939b8a030
SHA1bd452adc22223981b67dc4d665e3a0e8cf470c09
SHA256019677297ae01db991a5c122ae582424e51d41ef7bb81fdf26269afaaaf5ae22
SHA512a63b7dc23f8a8ae697aadc564e947fa5a8d3429f319ea72f5b0cbb77c51bd4f7d15450218360d6a742e2f2e3187745eff71f237079bc01fa1fa5cb6fb3c7402b
-
Filesize
9KB
MD5abd2735b1a81ebe2c5d1b97dfcc56edc
SHA114a594054851b1ebe09ba6f39043121c9c82f608
SHA25636890491b77f4dadbb46805c7d309baff2f8a4189bdf65eace5992d6c4fd69e2
SHA5120c1ee52d7f6cb4875f05c72b3e4282d96939adb3cdb776abe8220b98f772ab7b2307875f367015dea06e12617968233e1cc7003144b8db66d20d333182159a98
-
Filesize
7KB
MD5b0517392d28638f7688d767368db3c2a
SHA14967e9918fd43e6c05e72bc810b4c777c92c9a4b
SHA256c204d40325b20f02372708f38fa84296186f6e34887b20c28706caf2fee8f857
SHA5126af2ca32f849fb76567719bf52cfac83a94be1cadd43b4eb3af9ad40b7b75d27bd1bb629756ad9634212714f2b5ac5c844d6d781b74bec73262a6181904e4979
-
Filesize
32KB
MD512cc96d5010e04056d4f01614794303d
SHA1070a9cc5555745e512f825abce887f4cca163f40
SHA2569441f0e64df0801765110225597e180da3be0aa6a44337f6a5cd115c43f235bb
SHA5123234c154cc8aa4e799415dc79523ee52f49429ef62a8dc73e4de1ee9c0785224cf39f49922873c8827410f0c2d8ee28f2409b9a399a46c7cc5742017eccca41f
-
Filesize
47KB
MD549265cbb46b0a2681e001889701cff5e
SHA1bcd812f3ea0ce6a47efb475a16540059b8277e34
SHA25634c534d21a25830bd7e376881c4687e0063b517369981663b64e66126d58a984
SHA51209db52c57b862e331fe539b4c6f38ed8f1db282f42dcac525abceca79bc3e5c3dfcf51a24cddac9a8a48f188ee53f744a9e56eea4dac9bb400634d13f4ed9161
-
Filesize
53KB
MD57f17b7ca0b454708a8d0c9c9dd3a61ee
SHA1648fb37dd6fbd22f84e7a0239851b447a93b1cb0
SHA25615f4fc228336fa05612d0f4a676833d150634271e8ccc3e5b3264f8e4aad590c
SHA512fe86bb8cba7602e1b2fa338cdb94f546481f90a272eaa380326f11aa21120ae2f4080b220986004e0c83122165aa8e38b0685bef5e4b7a9127a1db2c0eb80c7e
-
Filesize
91KB
MD5b4298318e987ce4683d2b66635172d23
SHA195b6bb7bfcf1de48927aa51911e0dff041806afe
SHA256b97e353f76d72a2a5398c9a43a6782b17a5bfb5386e2239511b4afc9de0bebd7
SHA5122e2d3825889e6397eb9187a95e9448bbd4559a06ae9addf5be81db01da927d9d08745accc78b3e45300ceee31265daa24393cfc467bdcf340d4f8d023ac7f079
-
Filesize
2KB
MD5503b327c6942d113de548e6e9709e5bb
SHA15132abafeff99a9e17a6256b98ad5a718a9b9cc8
SHA2565905eb19f8599f209b36cf3d7524e2c48a184a9e95e39c037079fbc3a4658a7a
SHA512ab62d1ebd3adb08e6d658e4f63c4caa54f91259b826121d14bf1c2905c84e330852db7649c0070ba3eb1293d9832a5ced294c1317b63922f160af156a543490b
-
Filesize
2KB
MD54d2b907e40791286048d4f2e97db5643
SHA1e7d4443133d3f246ce389b924be8b1597cf89a57
SHA2562806100b9753997e3dfbf887688f12f2e556d689129e906aa7e0cb1aba172315
SHA5129caac61429dc47c30fd8719aa723534dd1d153e933a8781f3b2ba1d2d4ffcfe9adc58895eee059e060249285818b1ac2146f2fa9a28ea1da601c3a84ed53ccc3
-
Filesize
766B
MD589799c7a41868c838fba91d9b1c251c1
SHA14f00429ca110a2a24b71dc8673cde967841f8065
SHA2564f96c1bd4acfbfdea454c65a790f3fc1f1b73ba0468510e67a60d4b6308beea4
SHA51250442b976db86b01eebcaf29dd172898df48b653556237cd16958ec2a839bc9e57db5d729295b83fa1588069eb9c014470d5af7c0e34417ebf4a675ed1498643
-
Filesize
823B
MD518d0a2c3a20e7a16bf4216fcce72d16b
SHA1a534fe9f281a378514fa162f6686618760e233ca
SHA256ab0c5349d134738f9a15cf7e1b16ca7b245e536fff9bb19164e282f7a4797edb
SHA512d92867d88e1b1b6d6eb97301fc164579522adfb30cf936b7bfe1fa548c09268b6620a82831c8c02b5f63873a97affd44a5667625a1c81f88188376d450346370
-
Filesize
831B
MD5266b1a301274f3d78e5705bd8f98662d
SHA1f5dc66601fe4fa48f84d0bc6a3da120fb9c3a74c
SHA256b5c46e3c6d4321924404e7e9e23c0b4c65646cca41c6efcc103a357730b15a6e
SHA5124eee78231f9263007aadba1de03d3a2565e6e055134622605f5494965a91a8088ba926fddf2532334eee2807e423ae5fed92edfc94369076465d62ef7dec5568
-
Filesize
312B
MD50c04ad1083dc5c7c45e3ee2cd344ae38
SHA1f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA2566452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA5126c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492
-
Filesize
831B
MD52584652c9b9752e8b57c048b4f594b6a
SHA147b4256806b0858045fb9f82c9b08cb7cf879cf9
SHA256e0615798e573505b64067a4550a01eace5167d3775a45e98410f65507af03a8a
SHA512a6aab3d5666774cd5c52438eaaa778d7c3eb52f0dcddbd73c91465b3b36b0a363c8988f8b774a8db4f93474921ec748bbdbf5bf556fd8f0c8e52f68c507f4df3
-
Filesize
468B
MD5ec37bf45454c5a3b99d1d4722eb13575
SHA17dfeea15a4534ab735b00b5c3feee2973466033c
SHA2567604c3bb6f52e9c6a659c2dd9de88615b1197404ac891c836930531ec8f7eb6c
SHA512f904e9493eea69ba6c5e6b069a8264a7111d59f253ab1b0999afbec74f8a198ad5fae623cd1749db069b3cf30b6c081faa418b72307d64005500135c941274ca
-
Filesize
468B
MD553c222bcbca9d36c0f75831a51f8837b
SHA16f3d449e21768207f9d933caf66497d046cd6b78
SHA2560f623bd9bd357f810c2b99088dde21e7b4d03be9955faf6431d3c09970af23bf
SHA5123f01985fdb5459f159986200ffd1decd9334582960cf3184c01126825c1c46344626163284612ad6ca117d0b9db8637b3d9fbf76a5f5f5856fab4671cd129eca
-
Filesize
2KB
MD5c0d2853b807e857ae7b1e57fabb66ca1
SHA15b0af7127509c05caee49336b1efc15d59fd28a0
SHA2565fee5819e2a1814e494b107663fb9da57311963e88123837676d17e2c28a58c9
SHA512a7a1d3ccc6734a0b7dd50c9f7e2671c58c8173727808890482f38361cded1b231dc56153dc44756b4559e867bb1bbf92813c60a5f0edba50aa997905da9d0405
-
Filesize
2KB
MD5c47ee1e76e25cab05d6a09977e1d20f4
SHA1daac96aeee5cf0a91d107e09e5c85c22b4b17238
SHA2567a411bd8c67b7469980b175504f4674e086e68f7134d25a71bf02b0bfa756bb4
SHA512f46fd56bac08b0bb5c0165805835fc22a73a1b9743821eb73082de63710cbe7d66b759f831e7bba3b2833b63e61dbe27cb4dc51fbda1b873af1599c1a504953f
-
Filesize
6KB
MD5cd5bb5ae5d4e5ea6241edcb3d4c78f31
SHA13307c9f763d034f85def5a20b8f9514193c1d972
SHA256ca34d80b2303f79034e05ba6c0351cb4448087361dbfd8b618409f076ad60155
SHA512ef509332bc09d1e278dad369da30c588a2eeef4c7b0e4e4667997c6a727e9f25f9bbb85650868c10ad365f5bd491a865d2f6fe1822e79afa7f05639581cb5a0d
-
Filesize
5KB
MD50b2725dd2b7036455d39308ba2bf2040
SHA16f5b694bb19c815e35f3d8dfb127d8089fc8fc45
SHA256fa45298cdec81aa059212e5235cc05faa5bf898ed6d51661e7f73df50fbd73f2
SHA512d4e2494f2e8d52f23e3f95c67e315f9e8942aa28628b5feeac4ff8508fba33355e1c7be1fb16de73c7471f2d206cc8b22e410e06f389f33a4be79d1dd03f30f6
-
Filesize
5KB
MD574c602a0a2eee0874577254d90652198
SHA1171f2d62f69eb2959a2c854e15c1c0b44a6e625b
SHA25671866a3dc49e61b647c0b9e63b1e91b06188a10a4e40b3f42f648adfa224168b
SHA5128ca1c21edec4093ccae68b6b3fadaf47a9002476d45d3054bbe3f643bab032e49973e4f68ad922b564ca7666c9dc6210ce61d9b8ddaaa7c6b0d71adc4704bef9
-
Filesize
5KB
MD55678d8898682aac9f1283178fb56dbea
SHA11359fb65660e0343288189f260e398ef32e18c74
SHA2560ba8fb45825246caa2e42a1ecc6b666793beb1dd1e84d7fa139d3670a7ff7770
SHA51295ebb218598f13a8ecd73ee756e5fe86a953dd3862c08fb8460cce3953f2b7656eed5e78fb77ebf4e06b92d1588e90f57c00df09822be9d48666883198817696
-
Filesize
6KB
MD5ad237a5eb46fed908a8b295d30ceba70
SHA189aa7375d1eee2e74d9e62ce95cee0ac02f3cbcd
SHA256b90fba02ce1db3a24d8c46a465c1719299d2f709281676e488d5e2928e1b4e1f
SHA5121a0dda18562d15715cf4428646cb50a3abdb29603bcd1b04065b00bd2a48571230f37159768fca2faa4537760523c00791525e391d4ba30dd45517c7dbcdc799
-
Filesize
1KB
MD5ab7e5baedd02d3ce83835c5269bb2be6
SHA108a61c8d2f137ce638be2aa47d2c0b3f4f03c9fb
SHA256aecbbdbfcb87ce73cc78d10f1b44f1947e5aabf234dc9aae86db7ed4aeedc0bc
SHA512881978a1401352d40d5d519eb1df6701122da0ef48752f6e3f6f22df2601af5514b41260ef7da9fa05406f490b4d47178bb138c5f1332fe00dbccb2978b7ec45
-
Filesize
6KB
MD598b204d71e270a62795927754965e5d5
SHA1fa405740248af4c95ab95c44b5ea52b39e310c2f
SHA256ef220f3d5762ccb3e5fb9753cb1ed038e0863a5d96111e9c19d68a03978ba745
SHA5124cc884ffd3f1d241d877a0d86b29aabebb9dddd8240c116d6097bc899ccba856b35496ed93a6d6552373ff5a64357ccffac5981d90266a0db85861ee928baf97
-
Filesize
6KB
MD5145802e951878de13ab5bcc741118beb
SHA1f602d8be049e66d306f7a974c45792dd2981dea5
SHA25675243b1c3b20ab7f41b6cea9cebf222f5a578945278ed332071dc558d1278c50
SHA51210b221b1af6668755a5d5ba25bb6f7c40cc5c96f404c3af9d3023b217c607efcf62714f164d4829c0d7f22bb7d2c0680a2a81a762b6701b12df68adf2eafd4c7
-
Filesize
6KB
MD56bbb5c3b0b16cf8dcbe19cbeab71b4c8
SHA12768d122087fe889feb13b07b2e38e45eb442aa8
SHA256fd0f9bb25263099e40f4ee6281975911bec93c465ad2cef00d92adcaa15949aa
SHA512d496c66cba2bd3fa97029d82a564c95f58a361e5f2eb2e93107f748c8dd2212c55d6bbd354e5adca22e4f0280e44f4139ebe4cce31feeae18f62df23a729da71
-
Filesize
5KB
MD56cc89040a5a090cceb654f4fff6f1af2
SHA149bdf1eeddf8bacd3751ce4134136539b2bc175d
SHA2565d142d239db583a63f990161b84a75891a0eccd903a5fc2377cfe0722abff380
SHA512b54e7fbe199107c2b85d6233340b95311af42af71e4678bb3c42bb5ff8d4ab4cf2847f13446efb00007d964f93952053e0c2e49ef124dbf47d2db395a04cf6c2
-
Filesize
5KB
MD527d28c61b008a03265a56aa627552110
SHA109ba0b00b5e606cd0c21ddaf866b8c0b857c0eea
SHA2567b410d42f5955b9e44349222081bc26cc9b96e9f9ac945a553210bb72307a90a
SHA512232be4d881a1fc306809cbd76bef01767fda4c0ed4c0ddee1ff7f2c3c3b7593dd4a9e1a49a27f92a584ac0c4c7ae69ed8988df30d5b14f2e2b6de39a0e170a50
-
Filesize
1KB
MD5dd083f8b915113f331e37ca480bca0a7
SHA13bb67f3294a1337bae7b1e9dc251ea8f51f7566d
SHA256214eeb75be97afd32134e95f46e48c6cab41db1e75da566c843204c4e3e735fa
SHA51262dbc4f7d130be0af5619e0c39aabafcde3d485654086528bd3c73699a7f4a00cfb03f8fa031adb14687163773971abc75a67e4ff2ac72e748b741688f9eaa5d
-
Filesize
5KB
MD5a3902d02869365ee0ca025251cd59bd1
SHA1ba398c3d94d65ef1842dc4d510a1c102c916bb81
SHA25699a2fa40d72043243258e41cf120dcc918413c74abdae805b1640f4354dc7d45
SHA512406b5eff4bc44dbefdb0cac5c8a0d3b283768c49a229ae9cfcf73cc5f1e5b0cfee2d74e85b4610b4e7e792d724e0cd89e3929b08776ab4fc541c00c738e6b453
-
Filesize
6KB
MD524bb930adee78156ee761870849bc43e
SHA1d4505858df7e0d9cf79c34b89774feca503aa1fc
SHA2565db8517b2586f55565ad851eeb58f04fe116d3d180909ba8f81121a055664b62
SHA5125f9e1e40db300381840da58b88eacb97c2afa03d942972265951b0621174f0ac3fe5220cef14701adac55e25b82093ffc74c747b2e5d076c65d20e45b39d7e9c
-
Filesize
6KB
MD592d360eb8777bca10e27e7d42302aaf3
SHA1cc145b7b4b6ad3caefedf2608161c81eac1f4013
SHA256879dcfbcf479514f45087d46910c5fed45a0bf011ac2f7858144e73cd987bff3
SHA512333a097cad167672b8ddc92374ff96cff5f44779046a1feca14ff567fdbbcbe9b379a40ae4854cf26cc7d8b23f8988d0d8ce21a3462f26269e20b772b0cb65f4
-
Filesize
1KB
MD5150ee0f9156c6f5bd173e5da254064fa
SHA1f9f3446db8789466c6b0de0441b033b5dd21813b
SHA256e4f33f4232a6af615241bd6865e1e84735c0a1b81f4565a8f3e7cb5530f45694
SHA512bd4c5f8e6efea6813e6322a0997c1b9e0a79c4b58808639206c175614304cbf7c181d44dd5c6294339c46933178b30cb989933802cdeacf66f34d306a612c004
-
Filesize
1KB
MD566b68682d91e92641318f12bf2df7b1c
SHA1e410683f1bb5568217923c5b157b7deaf8148c49
SHA256822322560d5ca756535683921f1fea589f8557d089f08d4d88c142b30c316f9e
SHA5121fd83641d3830ea49f43199e0f5a6af132275f3841a63f05a4c2a6870143946ce5e0e3d6394403ca3a3180e05bcfa8a546e002c72940b1bba422ea2e5f105b08
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize5KB
MD5e9b6c014432c89eafb4cfda70f8bb2c1
SHA1101a61985bb766abc9c31934a68d2a3e1859d28a
SHA256b4caf5d58a25b4c945df2c84ace029c5554292a1178d1a0a85fd258902dde359
SHA5128f13cd246dae4a6b6ead65624f9479ccf4ae3953b4f8c1048307264bbe1a63e0947dbe9753c4b2d5be69795747946428e658689000f57735a8d005b900c2ce3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize5KB
MD5b7db75cbb9e0ae0ca9821f37349f725f
SHA1db54618fa06221e2ecae8b9060c8564980c73e56
SHA2566ee95511429a47180383e01a9bd1a36a2c27769a2cfd094cbbe660dd1fe2cbf5
SHA5120ab8479c9d71bc6ecaf8148e976532aab6c0c29568ca81f55ca5eb3f7a74387fb7cecb05087fa62f1b9df341f8aa8323decb5715d9a494889697097f76628b2a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize3KB
MD59ae1b5eccc36f6a62fd2bc8bf098606e
SHA1947a4af0c3096e2390c3686092f52deb01ca21c4
SHA256fd8424c3020d1385ee1891942934d560bbd7d6b400c2297e534ad40cbf97bc02
SHA51215425803e378f3086e602aa329b7629c44004a26386d5b945e2059e518b26143c8ff62857125e9c1d8b13d291af5aef953b67c932e779a1fe49321d47d08ba95
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize3KB
MD50d781bd5933d553581e0d0195f352636
SHA1b72e8bafbf02813b2f4d6c0ad8ba011ba39bf996
SHA2566f425365606305ec9b949b52d09fffeaab1111a03584cb4578dbbff2b775d792
SHA5120d69adea44887fbb80f64a6ff1a918a18ff6d60716219ec2c177c7ddc18394e08f81c0b509fb65f96b84ad0795090cbba541dbb2a8fd95d9984f3f35fe1ad581
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize3KB
MD58d22fb11679517785846c895d874441b
SHA120e6b3440c6739afb02785ff48ca34fcc05d0555
SHA25631d26175b4502a0f9024c1dda4848269496ebabdd72a6312641401a58eae350d
SHA512a676d9ac1f5ea3aa042544d3048644733fb509ae9576814f232f222ee2833c77f5a5d71628667e397030fa90ce227857df51c982f740fc73e836b12fcb1e4aea
-
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml
Filesize567B
MD58accaa9aa32148aa2bcd72ff14880618
SHA1a1226a1c5c92e41ba22b382debc0f9a754b92c05
SHA256aa0b5f757b3d83d19c973fddc4e82722b530d9aedec51f6a540a91126e4cc0dd
SHA512026e07faf75a5be8c96ae59a93302a487a18b193b5d915aba5822cc27d2fd1f70fafb9239b34df8280b060f85bcf3316d1d4d5f1b21c8557b187affaf490a3bd
-
Filesize
22KB
MD524479253cf8300bc751fcf1b599b11ff
SHA1070e03f6a607c07468332189a2af82b1258f611f
SHA256b7ed09e5141965dd3f058e87513a778d6b76905a98299a44a96303f89f76f877
SHA5127eab3f61b4dcfcc4e80efb90078b5c306eb5240711ee07379626e77e50009a77aab79feff43a2b85e7bf7f2fc2f62205fc2ce095e99582170aa89134efd7b92c
-
Filesize
1KB
MD54fd72ea7caab0a5701ae754ff971977c
SHA16a432aa100f0214cfb0578140882e0a8a6ca473f
SHA2569ebbdb3a72bc8f74f71559ce9b069f46e362ffb506cef791f1e40bf624856cfd
SHA5127003d768d51b46c979924e02ebfabdc56b465865751914ae42fa1fcc5e3f25560fc2ed851c5c19a8768f64b9df5949b8c45cde65bee4321227eac1307467a4b7
-
Filesize
140KB
MD5493064af94247b271eecca1b9ae654dd
SHA195f32d864f6f6913aa435cb53f88016093c53648
SHA256510b7fb3af6c02f71a20c10fe8be8c2d42054f93cd1bd01a58aee31760655a1a
SHA5125b3f0643426ef4544e35315affacc1af4da45d9c9d99b61b6ce0a387ecaf6a752f0e7e145698f3f2320fd9a1b53bf99b0661f2d3d852d858d3481cbd790cf496