Skip to content


Remote desktop application that can be installed or run as a portable application.

Application specific files

Platform File paths
Windows %APPDATA%\AnyDesk\Logs\
Mac ~/Library/Application Support/AnyDesk/Logs/
Linux ~/.config/AnyDesk/Logs/
Filename Notes Timestamp format
ad.trace history, errors, system notifications. Incoming and outgoing connections YYYY-MM-DD HH:MM:SS.SSS
ad_svc.trace Log AnyDesk service logs - history, errors, system notifications. Incoming and outgoing connections with IP addresses YYYY-MM-DD HH:MM:SS.SSS
connection_trace.txt Incoming connections - Date/Time, status, alias and ID of AnyDesk YYYY-MM-DD, HH:MM
user.conf configuration variables used by AnyDesk,may contain attacker username if file transfer has been attempted [5]
system.conf configuration variables used by AnyDesk
chat log Conversation history named after the AnyDesk ID

ad_svc.trace is only available in installed versions of AnyDesk.[1]

AnyDesk ID is related to the installation - so it's not that useful for tracking.[1]

Log analysis

Log Timezone: UTC

Search term Description
New user data. Client-ID: Client ID based on install.
Connecting to Outgoing connection
Client-ID: Outgoing connection
Connection established. Outgoing connection established
Accept request from Incoming connection
Accepting the connect request. Incoming connection established
Session stopped. End connection
anynet.relay_conn Remote connection
"logged in from" public IP of incoming connection (attacker computer)
app.prepare_task File transfer
the volatile service has been installed Unattended access

Bulk grep:


Analyst notes

GCAPI.DLL is the DLL associated with AnyDesk. You may find this. AnyDesk may be used by admins but it's commonly installed by ransomware operators.