darkylock | 94d40a523f9368e882a2a31d49442682482684f79cda5b66a65f866925091792

Analysis

max time kernel
101s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2022 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDeskEN.exe
Size

6.1MB
MD5

81a222d0d359ab9104a587a08786abbc
SHA1

4b251260608828f6ce41f4244dcdb8ebe1e5a0b4
SHA256

1a9b00b4d133278901dc941c88bd83708782fa93293b00f775a7ebff4dc8d26a
SHA512

310b05803327b1c1ec343918cff097b1f63c75d7ff704bffa7ee15cd22925fd6d6a5d32f6276e46706d810f656a28868cae3feb0c5d14b87e30ca288d5a81642

Score

10^/10

darkylock evasion ransomware themida trojan

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkysupp@tuta.io 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ $> Life is too short to be sad. Be not sad, money, it is only paper <$ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

darkysupp@tuta.io

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

DarkyLock
Ransomware family first seen in July 2022.
ransomware darkylock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MSSERVICE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MSSERVICE.EXE
Executes dropped EXE 4 IoCs

Processes:

ANYDESK.EXEMSSERVICE.EXEANYDESK.EXEANYDESK.EXE

pid process

4192 ANYDESK.EXE
3560 MSSERVICE.EXE
4288 ANYDESK.EXE
1708 ANYDESK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MSSERVICE.EXE

pid	process
4192	ANYDESK.EXE
3560	MSSERVICE.EXE
4288	ANYDESK.EXE
1708	ANYDESK.EXE

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MSSERVICE.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CompareEnable.png.darky	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\LockResize.raw => C:\Users\Admin\Pictures\LockResize.raw.darky	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\LockResize.raw.darky	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\UnblockSet.tiff	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\ProtectRedo.png.darky	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\UnblockSet.tiff => C:\Users\Admin\Pictures\UnblockSet.tiff.darky	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\CompareEnable.png => C:\Users\Admin\Pictures\CompareEnable.png.darky	MSSERVICE.EXE
File renamed	C:\Users\Admin\Pictures\ProtectRedo.png => C:\Users\Admin\Pictures\ProtectRedo.png.darky	MSSERVICE.EXE
File opened for modification	C:\Users\Admin\Pictures\UnblockSet.tiff.darky	MSSERVICE.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSSERVICE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MSSERVICE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MSSERVICE.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDeskEN.exeMSSERVICE.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AnyDeskEN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	MSSERVICE.EXE

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE	themida
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE	themida
behavioral2/memory/3560-137-0x00000000004A0000-0x0000000000B05000-memory.dmp	themida
behavioral2/memory/3560-138-0x00000000004A0000-0x0000000000B05000-memory.dmp	themida
behavioral2/memory/3560-141-0x00000000004A0000-0x0000000000B05000-memory.dmp	themida
behavioral2/memory/3560-164-0x00000000004A0000-0x0000000000B05000-memory.dmp	themida
behavioral2/memory/3560-169-0x00000000004A0000-0x0000000000B05000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSSERVICE.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSSERVICE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSSERVICE.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MSSERVICE.EXE

description	ioc	process
File opened (read-only)	\??\I:	MSSERVICE.EXE
File opened (read-only)	\??\S:	MSSERVICE.EXE
File opened (read-only)	\??\K:	MSSERVICE.EXE
File opened (read-only)	\??\Q:	MSSERVICE.EXE
File opened (read-only)	\??\E:	MSSERVICE.EXE
File opened (read-only)	\??\R:	MSSERVICE.EXE
File opened (read-only)	\??\Y:	MSSERVICE.EXE
File opened (read-only)	\??\U:	MSSERVICE.EXE
File opened (read-only)	\??\L:	MSSERVICE.EXE
File opened (read-only)	\??\B:	MSSERVICE.EXE
File opened (read-only)	\??\M:	MSSERVICE.EXE
File opened (read-only)	\??\N:	MSSERVICE.EXE
File opened (read-only)	\??\W:	MSSERVICE.EXE
File opened (read-only)	\??\T:	MSSERVICE.EXE
File opened (read-only)	\??\P:	MSSERVICE.EXE
File opened (read-only)	\??\F:	MSSERVICE.EXE
File opened (read-only)	\??\H:	MSSERVICE.EXE
File opened (read-only)	\??\A:	MSSERVICE.EXE
File opened (read-only)	\??\Z:	MSSERVICE.EXE
File opened (read-only)	\??\V:	MSSERVICE.EXE
File opened (read-only)	\??\O:	MSSERVICE.EXE
File opened (read-only)	\??\G:	MSSERVICE.EXE
File opened (read-only)	\??\J:	MSSERVICE.EXE
File opened (read-only)	\??\X:	MSSERVICE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MSSERVICE.EXE

pid process

3560 MSSERVICE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3560	MSSERVICE.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ANYDESK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ANYDESK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ANYDESK.EXE

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1372 vssadmin.exe
2436 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MSSERVICE.EXEANYDESK.EXEANYDESK.EXEANYDESK.EXE

pid process

3560 MSSERVICE.EXE
3560 MSSERVICE.EXE
4288 ANYDESK.EXE
4288 ANYDESK.EXE
4192 ANYDESK.EXE
4192 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3752 vssvc.exe
Token: SeRestorePrivilege 3752 vssvc.exe
Token: SeAuditPrivilege 3752 vssvc.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

ANYDESK.EXE

pid process

1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

ANYDESK.EXE

pid process

1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE
1708 ANYDESK.EXE

pid	process
1372	vssadmin.exe
2436	vssadmin.exe

pid	process
3560	MSSERVICE.EXE
3560	MSSERVICE.EXE
4288	ANYDESK.EXE
4288	ANYDESK.EXE
4192	ANYDESK.EXE
4192	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE

description	pid	process
Token: SeBackupPrivilege	3752	vssvc.exe
Token: SeRestorePrivilege	3752	vssvc.exe
Token: SeAuditPrivilege	3752	vssvc.exe

pid	process
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE

pid	process
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE
1708	ANYDESK.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

AnyDeskEN.exeMSSERVICE.EXEANYDESK.EXEcmd.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 4192	5044	AnyDeskEN.exe	ANYDESK.EXE
PID 5044 wrote to memory of 4192	5044	AnyDeskEN.exe	ANYDESK.EXE
PID 5044 wrote to memory of 4192	5044	AnyDeskEN.exe	ANYDESK.EXE
PID 5044 wrote to memory of 3560	5044	AnyDeskEN.exe	MSSERVICE.EXE
PID 5044 wrote to memory of 3560	5044	AnyDeskEN.exe	MSSERVICE.EXE
PID 5044 wrote to memory of 3560	5044	AnyDeskEN.exe	MSSERVICE.EXE
PID 3560 wrote to memory of 3944	3560	MSSERVICE.EXE	cmd.exe
PID 3560 wrote to memory of 3944	3560	MSSERVICE.EXE	cmd.exe
PID 4192 wrote to memory of 4288	4192	ANYDESK.EXE	ANYDESK.EXE
PID 4192 wrote to memory of 4288	4192	ANYDESK.EXE	ANYDESK.EXE
PID 4192 wrote to memory of 4288	4192	ANYDESK.EXE	ANYDESK.EXE
PID 4192 wrote to memory of 1708	4192	ANYDESK.EXE	ANYDESK.EXE
PID 4192 wrote to memory of 1708	4192	ANYDESK.EXE	ANYDESK.EXE
PID 4192 wrote to memory of 1708	4192	ANYDESK.EXE	ANYDESK.EXE
PID 3944 wrote to memory of 1372	3944	cmd.exe	vssadmin.exe
PID 3944 wrote to memory of 1372	3944	cmd.exe	vssadmin.exe
PID 3560 wrote to memory of 4724	3560	MSSERVICE.EXE	cmd.exe
PID 3560 wrote to memory of 4724	3560	MSSERVICE.EXE	cmd.exe
PID 4724 wrote to memory of 2436	4724	cmd.exe	vssadmin.exe
PID 4724 wrote to memory of 2436	4724	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\AnyDeskEN.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDeskEN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
"C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
"C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE" --local-service
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
"C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE" --local-control
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1708

C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE
"C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANYDESK.EXE
Filesize
3.7MB

MD5
36d6be2d72171c741e2989a578011cd8

SHA1
a1d46b3c7418d8d29208f352e27f5c9af62006e9

SHA256
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

SHA512
b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE
Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSERVICE.EXE
Filesize
2.4MB

MD5
b6ddc7f40dfad3f93e84d72b458e4061

SHA1
308219cc73f79f02b4558bb5db6833586cffb510

SHA256
565f3fe041df5dcf8e6bb6cbffddcbf691364e5f80514eeb9e5dac2c41dbfd31

SHA512
ca27163dd9805d641001913912559eb1eb6d746bd77c3e74a2dcda48d0ad9152ade824db5c297712fe993fb12c81f250ac639fc74203daaf4a7b190bd0c7bc5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
3c879d2c1d89b929e7d9e6acf6d4de2b

SHA1
404631ab3168ed32184265c6ac4a3d91dd0cc83e

SHA256
e292accfa4703588af519cdd0227a64cd9b3e38a1de5e0f9a89546bedf3585d9

SHA512
4d8245a875b332f95a898309fb4bfaf0f36bfb0e1e001c921cb6756409528464612194f66b22a82afbf413fafcf7cee4ccd4109ea6d5f1f52430cae5e9098efe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
3c879d2c1d89b929e7d9e6acf6d4de2b

SHA1
404631ab3168ed32184265c6ac4a3d91dd0cc83e

SHA256
e292accfa4703588af519cdd0227a64cd9b3e38a1de5e0f9a89546bedf3585d9

SHA512
4d8245a875b332f95a898309fb4bfaf0f36bfb0e1e001c921cb6756409528464612194f66b22a82afbf413fafcf7cee4ccd4109ea6d5f1f52430cae5e9098efe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
89b3e17d746b200c79d68832899a5ec4

SHA1
c6c6068f7d6e03f77b4ed830583f3babc1c22ff4

SHA256
4c0fc419d17af78bc1edc0aaac7cd773a2d987d9dc3d4a40802ccf95fb326f98

SHA512
27db4e026f50eb0bd5566620d071132b26be2c109aff059fa2e0a91ca35e03ab86cc17defe814f1b8e0aa669605442f22e6effa1bfd02ab69cfb094935bfb598

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
283B

MD5
979412445e04edddb523bbf64f2d9e25

SHA1
c627de03ba6be7c2e52c4ac0c8494b250f8ea4fb

SHA256
c253a9db55efeb183543baa5965f0d279b0e4ecd7e6211e231e8e8f5c8dfe596

SHA512
f548475ee4e83bfe01c39444c90502f86cf5245eb51335d3d13186b967df0f7cacaf9ce5125f3ce104e08a1f27c215af08bf185afe771d74ee5c0872aa7f4c3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
589d1276990498af2551753383b84d19

SHA1
ab67e458a2ed937f024ee18bdfbfba1679d26bc9

SHA256
b5acfd65239b54ec8ffe57e978c276da761ad6504c178281bfdc626cf3ec8110

SHA512
e8350ea832422bd2aaec9a54e2d2ad74b5c7a404b68574fc4fe79cf192b6e49a660613b2ffb101a15bdc564a757ca56d806313094610dea3994826ab6fdd38f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
0a73628d813dad993f125864e607b17b

SHA1
aa16baa1dba19217bb35ff1be71ea1143240b1f7

SHA256
fdf307056e019cd5131d736124cfbd6900d4761140a5d5c57681802f972785ae

SHA512
a38ca3295ba8d20c86419d3d1a0a6ee269f2659cfee218aa086509353dbdf43cfb67872dd0614671925a102990d3d64d77738bf2d2b71f3d6d807dc0b723f532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
589d1276990498af2551753383b84d19

SHA1
ab67e458a2ed937f024ee18bdfbfba1679d26bc9

SHA256
b5acfd65239b54ec8ffe57e978c276da761ad6504c178281bfdc626cf3ec8110

SHA512
e8350ea832422bd2aaec9a54e2d2ad74b5c7a404b68574fc4fe79cf192b6e49a660613b2ffb101a15bdc564a757ca56d806313094610dea3994826ab6fdd38f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
0a73628d813dad993f125864e607b17b

SHA1
aa16baa1dba19217bb35ff1be71ea1143240b1f7

SHA256
fdf307056e019cd5131d736124cfbd6900d4761140a5d5c57681802f972785ae

SHA512
a38ca3295ba8d20c86419d3d1a0a6ee269f2659cfee218aa086509353dbdf43cfb67872dd0614671925a102990d3d64d77738bf2d2b71f3d6d807dc0b723f532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
589d1276990498af2551753383b84d19

SHA1
ab67e458a2ed937f024ee18bdfbfba1679d26bc9

SHA256
b5acfd65239b54ec8ffe57e978c276da761ad6504c178281bfdc626cf3ec8110

SHA512
e8350ea832422bd2aaec9a54e2d2ad74b5c7a404b68574fc4fe79cf192b6e49a660613b2ffb101a15bdc564a757ca56d806313094610dea3994826ab6fdd38f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
0a73628d813dad993f125864e607b17b

SHA1
aa16baa1dba19217bb35ff1be71ea1143240b1f7

SHA256
fdf307056e019cd5131d736124cfbd6900d4761140a5d5c57681802f972785ae

SHA512
a38ca3295ba8d20c86419d3d1a0a6ee269f2659cfee218aa086509353dbdf43cfb67872dd0614671925a102990d3d64d77738bf2d2b71f3d6d807dc0b723f532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
589d1276990498af2551753383b84d19

SHA1
ab67e458a2ed937f024ee18bdfbfba1679d26bc9

SHA256
b5acfd65239b54ec8ffe57e978c276da761ad6504c178281bfdc626cf3ec8110

SHA512
e8350ea832422bd2aaec9a54e2d2ad74b5c7a404b68574fc4fe79cf192b6e49a660613b2ffb101a15bdc564a757ca56d806313094610dea3994826ab6fdd38f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
395B

MD5
0a73628d813dad993f125864e607b17b

SHA1
aa16baa1dba19217bb35ff1be71ea1143240b1f7

SHA256
fdf307056e019cd5131d736124cfbd6900d4761140a5d5c57681802f972785ae

SHA512
a38ca3295ba8d20c86419d3d1a0a6ee269f2659cfee218aa086509353dbdf43cfb67872dd0614671925a102990d3d64d77738bf2d2b71f3d6d807dc0b723f532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
53fded862023b056fa0ffc9877b4b68c

SHA1
9853ecdf84b820d06e934988187ddd1272d8e3e8

SHA256
09698a0a0061aef27286209f7677dbae47173cb1851684f86e00f34f07d310b3

SHA512
1fb792afa5ba887e51c1ab1cd035d8a4cead7a43bfa53f6138196ad32a7376ffae951a71202da738eb9b0e9b2ac247f6a6dfa62177da2c6b1abc09b227598cda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
53fded862023b056fa0ffc9877b4b68c

SHA1
9853ecdf84b820d06e934988187ddd1272d8e3e8

SHA256
09698a0a0061aef27286209f7677dbae47173cb1851684f86e00f34f07d310b3

SHA512
1fb792afa5ba887e51c1ab1cd035d8a4cead7a43bfa53f6138196ad32a7376ffae951a71202da738eb9b0e9b2ac247f6a6dfa62177da2c6b1abc09b227598cda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
a4112888f4096790cf1d9e7ac50981cd

SHA1
3b09f7152728e3e5d4f7e7926a528171960938d1

SHA256
570465f082c66ad8f5a089979c86a94bca134ab7ddb67df38dad22b01d794381

SHA512
bd21b566de3ab35ec28629e476e283d3ce61f996e8a38d293f493ff1d232989285c1d4ba904fdf4c6dd9b489e151a3cbc32623c3723e299cf21bc6668163a887

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0dd5774e92d9924570f2e08ca9009a8e

SHA1
43635d8eae292389c5819f15063c96022890f0c8

SHA256
194f794dc778f22e85b315d388cb68605e24242385a7af749312ea86efe92388

SHA512
9e71dc31ce9373fd4e25ed02b4e10bd63b112aa9df37ce44134e0712c124bd98b2f744681aec3bbfb590e36eed7af74c8aeab2ca23d670e266cee8a4bb520e0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
8f52ee4c9ded198993e00c0b5cb60906

SHA1
477a7019785632dfa22730107bb3a84e81fc2cfd

SHA256
6ee014ad11f2ac970b0e6dcf9981870acdf69f3e65e6cde948abdeacc6d4b881

SHA512
5a5f1dfe2dbb0f8a9cbf0c5fcbc90ed3de9bd73fbe01ae5fb402e82a5f0ec44fe267c95d9896a989252bd1d941dcfbb1e6e89e1b5da009cea45825b5634e5771

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
c30cd9652c40652e8d8839aff872aeee

SHA1
45ef9b7915123a6b656b8789effe93da74d2c2e9

SHA256
401bc1f3e620d3f4a5b336d071a891867677de152eff59899998e728a4682a45

SHA512
e9b5771cd7686bc991fc5e0bc52d7f7a4e8f5b1f93b9fcd610675274373beab0185c1711d2473f25da3b4d64d654a1a1b17d51065718000035a73dd77ce26f41

Download Submit
memory/1372-154-0x0000000000000000-mapping.dmp

Download
memory/1708-147-0x0000000000000000-mapping.dmp

Download
memory/1708-184-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/1708-172-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/1708-151-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/2436-168-0x0000000000000000-mapping.dmp

Download
memory/3560-138-0x00000000004A0000-0x0000000000B05000-memory.dmp

Filesize
6.4MB

Download
memory/3560-137-0x00000000004A0000-0x0000000000B05000-memory.dmp

Filesize
6.4MB

Download
memory/3560-165-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/3560-169-0x00000000004A0000-0x0000000000B05000-memory.dmp

Filesize
6.4MB

Download
memory/3560-170-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/3560-164-0x00000000004A0000-0x0000000000B05000-memory.dmp

Filesize
6.4MB

Download
memory/3560-134-0x0000000000000000-mapping.dmp

Download
memory/3560-141-0x00000000004A0000-0x0000000000B05000-memory.dmp

Filesize
6.4MB

Download
memory/3560-142-0x0000000077820000-0x00000000779C3000-memory.dmp

Filesize
1.6MB

Download
memory/3944-143-0x0000000000000000-mapping.dmp

Download
memory/4192-179-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4192-144-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4192-132-0x0000000000000000-mapping.dmp

Download
memory/4192-139-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4192-166-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4288-171-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4288-182-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4288-146-0x0000000000000000-mapping.dmp

Download
memory/4288-150-0x0000000000510000-0x00000000014A3000-memory.dmp

Filesize
15.6MB

Download
memory/4724-167-0x0000000000000000-mapping.dmp

Download