_hot_ — Regedit Anydesk

[HKLM\SOFTWARE\AnyDesk\ID]

Monitor regedit.exe command-line arguments ( /s flag) and AnyDesk registry writes via Sysmon or EDR. regedit anydesk

When investigating a compromised machine, registry keys can show: [HKLM\SOFTWARE\AnyDesk\ID] Monitor regedit