darkylock | 94d40a523f9368e882a2a31d49442682482684f79cda5b66a65f866925091792

Analysis

max time kernel
85s
max time network
65s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/08/2022, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDeskEN.exe
Size

6.1MB
MD5

81a222d0d359ab9104a587a08786abbc
SHA1

4b251260608828f6ce41f4244dcdb8ebe1e5a0b4
SHA256

1a9b00b4d133278901dc941c88bd83708782fa93293b00f775a7ebff4dc8d26a
SHA512

310b05803327b1c1ec343918cff097b1f63c75d7ff704bffa7ee15cd22925fd6d6a5d32f6276e46706d810f656a28868cae3feb0c5d14b87e30ca288d5a81642

Score

10^/10

darkylock evasion ransomware themida trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ $> Life is too short to be sad. Be not sad, money, it is only paper <$ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

[email protected]

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

DarkyLock
Ransomware family first seen in July 2022.
ransomware darkylock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MSSERVICE.EXE

Executes dropped EXE 4 IoCs

pid	Process
1432	ANYDESK.EXE
1368	MSSERVICE.EXE
336	ANYDESK.EXE
1996	ANYDESK.EXE

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\HideInitialize.tiff	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\HideInitialize.tiff => C:\Users\Admin\Pictures\HideInitialize.tiff.darky	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\HideInitialize.tiff.darky	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\SaveSync.png => C:\Users\Admin\Pictures\SaveSync.png.darky	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\SaveSync.png.darky	MSSERVICE.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MSSERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MSSERVICE.EXE

Loads dropped DLL 5 IoCs

pid	Process
2000	AnyDeskEN.exe
2000	AnyDeskEN.exe
2000	AnyDeskEN.exe
1432	ANYDESK.EXE
1432	ANYDESK.EXE

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000b0000000122ca-58.dat	themida
behavioral1/files/0x000b0000000122ca-59.dat	themida
behavioral1/files/0x000b0000000122ca-61.dat	themida
behavioral1/memory/1368-63-0x0000000000F30000-0x0000000001595000-memory.dmp	themida
behavioral1/files/0x000b0000000122ca-66.dat	themida
behavioral1/memory/1368-67-0x0000000000F30000-0x0000000001595000-memory.dmp	themida
behavioral1/memory/1368-68-0x0000000000F30000-0x0000000001595000-memory.dmp	themida
behavioral1/memory/1368-71-0x00000000770C0000-0x0000000077240000-memory.dmp	themida
behavioral1/memory/1368-75-0x0000000000F30000-0x0000000001595000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSSERVICE.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	MSSERVICE.EXE
File opened (read-only)	\??\K:	MSSERVICE.EXE
File opened (read-only)	\??\V:	MSSERVICE.EXE
File opened (read-only)	\??\B:	MSSERVICE.EXE
File opened (read-only)	\??\Q:	MSSERVICE.EXE
File opened (read-only)	\??\W:	MSSERVICE.EXE
File opened (read-only)	\??\E:	MSSERVICE.EXE
File opened (read-only)	\??\J:	MSSERVICE.EXE
File opened (read-only)	\??\N:	MSSERVICE.EXE
File opened (read-only)	\??\T:	MSSERVICE.EXE
File opened (read-only)	\??\I:	MSSERVICE.EXE
File opened (read-only)	\??\O:	MSSERVICE.EXE
File opened (read-only)	\??\Y:	MSSERVICE.EXE
File opened (read-only)	\??\P:	MSSERVICE.EXE
File opened (read-only)	\??\M:	MSSERVICE.EXE
File opened (read-only)	\??\S:	MSSERVICE.EXE
File opened (read-only)	\??\F:	MSSERVICE.EXE
File opened (read-only)	\??\H:	MSSERVICE.EXE
File opened (read-only)	\??\L:	MSSERVICE.EXE
File opened (read-only)	\??\Z:	MSSERVICE.EXE
File opened (read-only)	\??\R:	MSSERVICE.EXE
File opened (read-only)	\??\U:	MSSERVICE.EXE
File opened (read-only)	\??\A:	MSSERVICE.EXE
File opened (read-only)	\??\X:	MSSERVICE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1368	MSSERVICE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ANYDESK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ANYDESK.EXE

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1860	vssadmin.exe
364	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1368	MSSERVICE.EXE
336	ANYDESK.EXE
1432	ANYDESK.EXE
1996	ANYDESK.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1076	vssvc.exe
Token: SeRestorePrivilege	1076	vssvc.exe
Token: SeAuditPrivilege	1076	vssvc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE
1996	ANYDESK.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1432	2000	AnyDeskEN.exe	26
PID 2000 wrote to memory of 1432	2000	AnyDeskEN.exe	26
PID 2000 wrote to memory of 1432	2000	AnyDeskEN.exe	26
PID 2000 wrote to memory of 1432	2000	AnyDeskEN.exe	26
PID 2000 wrote to memory of 1368	2000	AnyDeskEN.exe	27
PID 2000 wrote to memory of 1368	2000	AnyDeskEN.exe	27
PID 2000 wrote to memory of 1368	2000	AnyDeskEN.exe	27
PID 2000 wrote to memory of 1368	2000	AnyDeskEN.exe	27
PID 1368 wrote to memory of 2040	1368	MSSERVICE.EXE	28
PID 1368 wrote to memory of 2040	1368	MSSERVICE.EXE	28
PID 1368 wrote to memory of 2040	1368	MSSERVICE.EXE	28
PID 1368 wrote to memory of 2040	1368	MSSERVICE.EXE	28
PID 2040 wrote to memory of 1860	2040	cmd.exe	30
PID 2040 wrote to memory of 1860	2040	cmd.exe	30
PID 2040 wrote to memory of 1860	2040	cmd.exe	30
PID 1368 wrote to memory of 1156	1368	MSSERVICE.EXE	35
PID 1368 wrote to memory of 1156	1368	MSSERVICE.EXE	35
PID 1368 wrote to memory of 1156	1368	MSSERVICE.EXE	35
PID 1368 wrote to memory of 1156	1368	MSSERVICE.EXE	35
PID 1156 wrote to memory of 364	1156	cmd.exe	36
PID 1156 wrote to memory of 364	1156	cmd.exe	36
PID 1156 wrote to memory of 364	1156	cmd.exe	36
PID 1432 wrote to memory of 336	1432	ANYDESK.EXE	37
PID 1432 wrote to memory of 336	1432	ANYDESK.EXE	37
PID 1432 wrote to memory of 336	1432	ANYDESK.EXE	37
PID 1432 wrote to memory of 336	1432	ANYDESK.EXE	37
PID 1432 wrote to memory of 1996	1432	ANYDESK.EXE	38
PID 1432 wrote to memory of 1996	1432	ANYDESK.EXE	38
PID 1432 wrote to memory of 1996	1432	ANYDESK.EXE	38
PID 1432 wrote to memory of 1996	1432	ANYDESK.EXE	38

C:\Users\Admin\AppData\Local\Temp\AnyDeskEN.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDeskEN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
  "C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
    "C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE" --local-service
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
    "C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE" --local-control
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1996
- C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE
  "C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE

Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE

Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
ce4f40c96bbefdfa2410316b1bcde043

SHA1
a0c738cd6f17120349fd0d48a07d20f0e1f8415c

SHA256
ad9c3304166d2f6afa2e55103fe90e10b72f6a148e91a62061961f9fc3728f41

SHA512
85af268029b01d5b26ae93a2fbca1be4f7f08c73cef0704d2b5f23b06eb8c316f1b1650c25a72105683ea9de82eee566bcc1d4df59d2ed7a56f2f82559c3c07e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a2e8c50c7160b418feda311b07295f1d

SHA1
58049989156069c8d5daeebf6ad8a33625f7d7d8

SHA256
31e978cd5846b22cf5b5f7a0bc076c27baa25fd27c2ceb0a00b041e5d0ac30d6

SHA512
d5af1c06cb18c071b3a132b184efc933bf2d946646381c2f47288f917e0dacc4e616015be13fa37b916d1cdf282f7db5a7fa3ec503019d279d00599d7418be1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fd9c1c1f7a3da0b558f9e5e3d930ba6c

SHA1
1dd1cefe015b6ce8298ed663ff904d3797845eff

SHA256
e5db04f5f28c8a9a8dbf5a0daab0502fbd6b6fac05bf03d14fd0d5295355de23

SHA512
4140035424e05108ac5deb1c22026da74d790d24ce96400330cb5c2f2fba09d44a31d37dbc069ce404ba0496f889ecd3facfef8ae0a81e9a372e8e91e112d78c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
28f4a09be351e79daa82649025ec9751

SHA1
428bd7a83ea60868f8f995412a3ef8a166018e0f

SHA256
168d0d4fd1dfb5239b3aa0854418e71e2f127bfe1f8d54facb711a21f33373c7

SHA512
a7c3cca654d3030aa1943ebb717585940e7a8ce5f142ea61cf186535b14f807273c72c44a7cac7800407108a68a260e099cbe144d17fb452e9894a00831fe324

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
871e3bab2431ce480303c8d29b5f339b

SHA1
8be1d4d3613d8d3ccbd68a46aaf1dc141ea165f0

SHA256
e2c88d6770ea999aa7bbbdf7d831ac18669df9c035675b64c28bb142b110b608

SHA512
428735927f8a704ca6128385bf0ab7e23f883e4acea62c658aadaa65bee7b837113dbceddab208d577ba05b2a194768702f648f28406e3f336662fb53aa3b522

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
28f4a09be351e79daa82649025ec9751

SHA1
428bd7a83ea60868f8f995412a3ef8a166018e0f

SHA256
168d0d4fd1dfb5239b3aa0854418e71e2f127bfe1f8d54facb711a21f33373c7

SHA512
a7c3cca654d3030aa1943ebb717585940e7a8ce5f142ea61cf186535b14f807273c72c44a7cac7800407108a68a260e099cbe144d17fb452e9894a00831fe324

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
871e3bab2431ce480303c8d29b5f339b

SHA1
8be1d4d3613d8d3ccbd68a46aaf1dc141ea165f0

SHA256
e2c88d6770ea999aa7bbbdf7d831ac18669df9c035675b64c28bb142b110b608

SHA512
428735927f8a704ca6128385bf0ab7e23f883e4acea62c658aadaa65bee7b837113dbceddab208d577ba05b2a194768702f648f28406e3f336662fb53aa3b522

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
28f4a09be351e79daa82649025ec9751

SHA1
428bd7a83ea60868f8f995412a3ef8a166018e0f

SHA256
168d0d4fd1dfb5239b3aa0854418e71e2f127bfe1f8d54facb711a21f33373c7

SHA512
a7c3cca654d3030aa1943ebb717585940e7a8ce5f142ea61cf186535b14f807273c72c44a7cac7800407108a68a260e099cbe144d17fb452e9894a00831fe324

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
871e3bab2431ce480303c8d29b5f339b

SHA1
8be1d4d3613d8d3ccbd68a46aaf1dc141ea165f0

SHA256
e2c88d6770ea999aa7bbbdf7d831ac18669df9c035675b64c28bb142b110b608

SHA512
428735927f8a704ca6128385bf0ab7e23f883e4acea62c658aadaa65bee7b837113dbceddab208d577ba05b2a194768702f648f28406e3f336662fb53aa3b522

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
28f4a09be351e79daa82649025ec9751

SHA1
428bd7a83ea60868f8f995412a3ef8a166018e0f

SHA256
168d0d4fd1dfb5239b3aa0854418e71e2f127bfe1f8d54facb711a21f33373c7

SHA512
a7c3cca654d3030aa1943ebb717585940e7a8ce5f142ea61cf186535b14f807273c72c44a7cac7800407108a68a260e099cbe144d17fb452e9894a00831fe324

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
b26f409e8347543e1daaaebb7a2d93c5

SHA1
837a83f5d89d72018f731c29a09741b0f84429ad

SHA256
fb8349d06d535c9ae8b9454e46d73a9d46fc611442f9e2a5fa265fd1824de0cc

SHA512
ed5aad12c92293d64aa1678aa1b8d3e808720ea724df4cdcc32c5bb8a94114efb8e5439df0c4a21267ad05bb9dbd9d4a368c6e606855621189789996dcb6e39c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8a00335e82630835a648b64b09e0230d

SHA1
ab4c54782e775fd8561f2ebc5fec978201fb445d

SHA256
40edc069fc5119a86cf10bbfe3eacd99d90208b1916eefb572468cda4f104477

SHA512
ccab1a7d99b839a53eeb77ef1e43ef964f3dcf84148a1de59f3aed75b560e63d39818fb13780a2aa917342bb2ef5c3414c7e0277824611fd7864b11a52e2a255

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
60400ae1cceb27c5397d59ac2a81d121

SHA1
56c82b921771107c9bd6d8784e1f6839ee4e0c3f

SHA256
7a0fb2aa169cdaa1551e35b7a9504f9d0d3346acaad62a902fddaf522f7bbbbe

SHA512
17b4ae2ce196545e764cea5d0f8c542cdc285f70d068d41d37cfb72626dc07bdbfba3f29a77224cfb687371c9bd1e34d162a0550c74b5702f7dd4e4a5b8a5c79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e67688bf364e0d7307383e393a2c8897

SHA1
82bfc258a1d7f6d04c87f6b901a52a5f1e3a7a85

SHA256
a6f978a8bd69d50c81ca78b51cc98ec8aa4340a016ae69de96a0653c6d4a4635

SHA512
25265fa4362da62eaf49ead2af591b1cedff81facfe5c9937f23b9ad90730dbbdd42594b8795903684a46bd5b8a225dc3ce94e8a3339b142fd2eee21b0a421c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
02412d8007ea59b05041cbf341b58942

SHA1
6e90882a252d7434911f182c28fde9bc9a198e63

SHA256
9210704d857be21c55fb59377124596c24a2b15045d15e3347b81ddc61ab304d

SHA512
a3322bc92e626eec45294abb9ce64f7170054709b25a3b3b4c0274b80527b18c2b39ccbdfb1d6059e9632cadd64ed60ff0fe13ec930f790ea4328464ecc9e160

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
38ee10b83107014ed12e441fb8a58348

SHA1
1818df276056eaabfbbd180ad9814587e5322e17

SHA256
d5fa6533b95c9f33d53141aa01732a5c6a2c9f22e1bed2d42f1cc5cf879a396a

SHA512
311f27bb426afbba265a70889cc863f2c2cf92386efabfd8de4c00abc583b73a9bcdf227f0190d003e8c1a20cec53ddabc3599f6333e5da706e1bf4dd5de3e4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e8d1ff1183c0811cedd0cb6856ce0993

SHA1
7095ae02aa0c81193669c2343ac4fc1f1d880b97

SHA256
369c409eca44f78ce1fce20c5f8ec8a22667fdb901a36678f29dec2df70f2e26

SHA512
6b9e10580b67b2097a3ed55e48a45fab92bd4985a2360a14c8502e095c5f6f60e43a769d98714f3697cd1e01856e76b3cd00f357bd508751fb564c045875fa60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
0b0081b44251b0e7136ba6410eead602

SHA1
9cbf5f90fe3424c95a34958a440195e6fe4950fc

SHA256
0c63049d917bedb8f555deaa8362d57e97e952493494df44008698aef9b5e2c2

SHA512
59070e0697725848386eceabd6478381db8bd4f089fa2cd86c3210d2ab9a2a1f45e1e5e3fc1c77b6bfa795fe362a20f18f0f1b30e66ea20491fc456623b6c381

Download Submit
\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
\Users\Admin\AppData\Local\Temp\ANYDESK.EXE

Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE

Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE

Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
memory/336-87-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/336-137-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/336-93-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/336-126-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1368-77-0x00000000770C0000-0x0000000077240000-memory.dmp

Filesize
1.5MB

Download
memory/1368-75-0x0000000000F30000-0x0000000001595000-memory.dmp

Filesize
6.4MB

Download
memory/1368-68-0x0000000000F30000-0x0000000001595000-memory.dmp

Filesize
6.4MB

Download
memory/1368-63-0x0000000000F30000-0x0000000001595000-memory.dmp

Filesize
6.4MB

Download
memory/1368-67-0x0000000000F30000-0x0000000001595000-memory.dmp

Filesize
6.4MB

Download
memory/1368-71-0x00000000770C0000-0x0000000077240000-memory.dmp

Filesize
1.5MB

Download
memory/1432-117-0x00000000726E1000-0x00000000726E3000-memory.dmp

Filesize
8KB

Download
memory/1432-136-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1432-69-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1432-78-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1432-65-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1996-127-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1996-95-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1996-90-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/1996-139-0x0000000000BC0000-0x0000000001B53000-memory.dmp

Filesize
15.6MB

Download
memory/2000-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download