AnyDesk

Remote desktop application that can be installed or run as a portable application.

Application specific files

Platform	File paths
Windows	%APPDATA%\AnyDesk\Logs\
	%ProgramData%\AnyDesk\Logs\
	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\
Mac	~/Library/Application Support/AnyDesk/Logs/
Linux	~/.config/AnyDesk/Logs/

Filename	Notes	Timestamp format
ad.trace	history, errors, system notifications. Incoming and outgoing connections	YYYY-MM-DD HH:MM:SS.SSS
ad_svc.trace Log	AnyDesk service logs - history, errors, system notifications. Incoming and outgoing connections with IP addresses	YYYY-MM-DD HH:MM:SS.SSS
connection_trace.txt	Incoming connections - Date/Time, status, alias and ID of AnyDesk	YYYY-MM-DD, HH:MM
user.conf	configuration variables used by AnyDesk,may contain attacker username if file transfer has been attempted ^[5]
system.conf	configuration variables used by AnyDesk
chat log	Conversation history named after the AnyDesk ID

ad_svc.trace is only available in installed versions of AnyDesk.^[1]

AnyDesk ID is related to the installation - so it's not that useful for tracking.^[1]

Log Timezone: UTC

Search term	Description
New user data. Client-ID:	Client ID based on install.
Connecting to	Outgoing connection
Client-ID:	Outgoing connection
Connection established.	Outgoing connection established
Accept request from	Incoming connection
Accepting the connect request.	Incoming connection established
Session stopped.	End connection
anynet.relay_conn	Remote connection
"logged in from"	public IP of incoming connection (attacker computer)
app.prepare_task	File transfer
the volatile service has been installed	Unattended access

Bulk grep:

GCAPI.DLL is the DLL associated with AnyDesk. You may find this. AnyDesk may be used by admins but it's commonly installed by ransomware operators.