First, examine the pcap and trace the TCP/HTTP streams. "tcp.stream eq 1" looks like an obfuscated PowerShell script; "tcp.stream eq 2" looks like an executable; "tcp.stream eq 3" shows traffic that we cannot understand yet.

So far we have an idea that:
1. A request was made to 147.182.172.189 and a response containing 4A7xH.ps1 was received.
2. A request was made to the same IP and an executable, user32.dll, was received.
3. A request was made to the same IP and a response that we cannot understand so far was received.

De-obfuscated the PS script leveraging pwsh...
Forensic Analysis to Anydesk: Forensic Artifacts and Log Analysis [ENG]

We are going to analyze the traces or evidence left by the Anydesk application on both Android and MS Windows.