njrat | c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.7MB
MD5

224648bac4d99c8e0c0910f264fa074d
SHA1

2e5647ee2f33fb4d9a3717b79f3193ee71497d8b
SHA256

c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1
SHA512

0d56ee13d16b3de26b2c363d2c614c702c78bfc22e7a2711a8ed93b1d9a056054c6821846b2716f424ccd5804cb056f786bbee2da6d2b168b36f1007d0a08772
SSDEEP

98304:NHbbpAhshpV10OE3G6WOgttVHrJqHJOkfFunOeyO3W8/WtwsZ1Jb7pXc/3UQIH9B:NH3LVh6FQbtqeOq3W8/GwsVvNc/kL9Kg

Score

10^/10

njrat fucked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

fucked

hakim32.ddns.net:2000

fat-pads.gl.at.ply.gg:35059

Mutex

148a892b37f45e5773518d8932c75e38

Attributes

reg_key
148a892b37f45e5773518d8932c75e38
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2988	netsh.exe
888	netsh.exe
1660	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	.exe

Executes dropped EXE 5 IoCs

pid	Process
2240	AnyDesk (1).exe
3028	App1.exe
2496	AnyDesk (1).exe
2732	AnyDesk (1).exe
3060	.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	AnyDesk (1).exe
2240	AnyDesk (1).exe
2732	AnyDesk (1).exe
2496	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe
3060	.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	App1.exe
Token: SeDebugPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe
Token: 33	3060	.exe
Token: SeIncBasePriorityPrivilege	3060	.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe
2732	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2240	2236	AnyDesk.exe	30
PID 2236 wrote to memory of 2240	2236	AnyDesk.exe	30
PID 2236 wrote to memory of 2240	2236	AnyDesk.exe	30
PID 2236 wrote to memory of 2240	2236	AnyDesk.exe	30
PID 2236 wrote to memory of 3028	2236	AnyDesk.exe	31
PID 2236 wrote to memory of 3028	2236	AnyDesk.exe	31
PID 2236 wrote to memory of 3028	2236	AnyDesk.exe	31
PID 2240 wrote to memory of 2496	2240	AnyDesk (1).exe	32
PID 2240 wrote to memory of 2496	2240	AnyDesk (1).exe	32
PID 2240 wrote to memory of 2496	2240	AnyDesk (1).exe	32
PID 2240 wrote to memory of 2496	2240	AnyDesk (1).exe	32
PID 2240 wrote to memory of 2732	2240	AnyDesk (1).exe	33
PID 2240 wrote to memory of 2732	2240	AnyDesk (1).exe	33
PID 2240 wrote to memory of 2732	2240	AnyDesk (1).exe	33
PID 2240 wrote to memory of 2732	2240	AnyDesk (1).exe	33
PID 3028 wrote to memory of 3060	3028	App1.exe	35
PID 3028 wrote to memory of 3060	3028	App1.exe	35
PID 3028 wrote to memory of 3060	3028	App1.exe	35
PID 3028 wrote to memory of 3060	3028	App1.exe	35
PID 3060 wrote to memory of 2988	3060	.exe	37
PID 3060 wrote to memory of 2988	3060	.exe	37
PID 3060 wrote to memory of 2988	3060	.exe	37
PID 3060 wrote to memory of 2988	3060	.exe	37
PID 3060 wrote to memory of 888	3060	.exe	39
PID 3060 wrote to memory of 888	3060	.exe	39
PID 3060 wrote to memory of 888	3060	.exe	39
PID 3060 wrote to memory of 888	3060	.exe	39
PID 3060 wrote to memory of 1660	3060	.exe	40
PID 3060 wrote to memory of 1660	3060	.exe	40
PID 3060 wrote to memory of 1660	3060	.exe	40
PID 3060 wrote to memory of 1660	3060	.exe	40

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\App1.exe
  "C:\Users\Admin\AppData\Local\Temp\App1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe" ".exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2988
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe" ".exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
93KB

MD5
f6675a418b2c5a731eb55d098ff4811b

SHA1
2644b64d63915e3fd4bfe24beb310a093d4f441d

SHA256
58f5e810373d4099f4730d5d63ca9bcb9088caa3db3aaa1843fa39230db7abf3

SHA512
d32e4962e6a85e5c9f025561d4a8401bc056e82842e792b3fc2c488692beac92b935d46c6be444ad708898595ab200e88f672bf5ea73ac0380d98c6f4f291bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe

Filesize
5.3MB

MD5
0a269c555e15783351e02629502bf141

SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d

SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\App1.exe

Filesize
395KB

MD5
e01d4d0eabf33649d4a6f52fddc09d28

SHA1
7f7e825edfd722a8b21a03981440ff34e0e016d8

SHA256
fea1d68258ba9774bf3a600aec2ba1a17898053d3e5cc108d56452ad3228770e

SHA512
542653cb7ce6ab1e71054b6012df16163464b30726a3270de6193ef5353fe331bfb5e33fb8baa564a5005e599d0f8cbdd0b6e10102d1579415173d88ec88b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
16cf5a99e07fc90a026870e334e00b59

SHA1
5038f5083330cef925cd9cec254987c91c0f8e48

SHA256
daefa592e8ea6d44d5d01459d7f11498e71119de954bb3e5915c2ccb2605eaa7

SHA512
a7bee21148e28be3e4df169c393b978d887ca4bfde9ac701e94b41b4f0d5f8b9a1e3fc111e546ae0041997d2d696f746c0ee0bf08275f6d6b4d666478075c76a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9a5c93c0af394a45460cc8e15cda856d

SHA1
83de910c968e82d9a0a6e07a62c1d1e676f57d37

SHA256
3e1b85b6e7c66e4bf70d0c5d366c6a5fee97478b783d880229f2d0b0274b56f5

SHA512
02fdcf311dc3481197369e41901b28012fe44a437d5aa6f72c04c5d883a91c0af6d15e211996bc1ccc5d3e8cc4ef9059cc5723ab5025c0fd978efa8f7173fb30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c88da92c0e8c25a0dc13ad3eee7b3a56

SHA1
9fb1038d0ba5baec3533b118a74f3c45a7f65b7c

SHA256
fdc6c2387f82bb761ece36d5ec7cc7a40c799dbf3e54445d0b22180b87375bac

SHA512
ec58e3e4e05e93848fa07444bc2a7d71f108325bcd19db0b4c32cc318f522e8da36fb2b1d1333d50b9f445e528e767d6e3c8dd7cd42b5d153912aaa79222a250

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
d5345ada6f233e73867a44b7ad849124

SHA1
10d06d0eae828b0b1a345129a98f26573e3d1dfd

SHA256
372247676eb31d20e2d9acc46bb3ee5cabfc8ee6c1dd7ac08d11a6cd96405e49

SHA512
36f611ecd29723288d249655398b7cd3ae9ba8312b2fd2b494bdd6e2fad90a167e8f8789c80faf6d117ddf948f47e30024d7d4e5a6f239c5dcf286e8c9acf0ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
49ef306573123026c1aca0dda90d70ec

SHA1
ce58b3bcc051aa7e9b825af9a86d1af1fbfe3c35

SHA256
ebbcd5286f8308dc42a7e04875a31fcbf5724bb8bbac98e91569755a1bfbd215

SHA512
270af06dd3446c5fe5cad2586eb0e42991dad038b247dcad64358133fcc3be410d8218429d91a91c2380be4304ec4b23db6fc6a5c8f3d3c1ef257b8ef209990b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
88710590a0b458f11438770770affd9b

SHA1
68e5a6d7fcbee4bea5b213bf7147d4a83c98dd69

SHA256
932dbe79fef31a9527746e35d453b39d1647920f0ab0a1ab0ff7fea45da8b68d

SHA512
943623804a4be331da6fe01b385d312400fcec7920347e198b92a00f1a9226086461afcc4b0af5ccd584cdd212b553ca541cc7ae9a3dfd45e61f8172a26c36ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
7a31c79b3aeaf63703a8dafaf3862917

SHA1
5b50dd8bc9ec060bd094c6498ebb00e90a53562d

SHA256
8fe0bd075370b18a1d2f7b5eb0ff635b6f70d20d9288bce02a5d0597cf34c27a

SHA512
376577c624694069d502e2c7bb4671306241a0f9143b53d5533b2206044b5601a2d71e1fb6d2d623885974d15b6bf83ac1597d7dcd21788d63ff4efba7fb8971

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
539bab0e63c1e2f614d1ecf2c414161d

SHA1
9b035ff0a2dfdbb10bf4c207f02bf262216e78e9

SHA256
76fba6859523e634318fe47d6895b857cd7a6b5606397c5af4b66ca17814a93a

SHA512
cb5ef026adc6f296751549eb64b768bb518a52d109574bf4af5bb54bab79b6afa06699834b47e91dc2aac84fe9621d45bc49a51dbb26bdf0f2bd55275fe11db6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f794c417c46c3133d556d0fcc1731523

SHA1
81c77c26f1c896021d7bbfffca111b502fd82246

SHA256
512780c794c326eaad27396e059d547fa4183b2a4d22361f337a3b2a676eb5e9

SHA512
a20f468edc9264dda1125d0ca146a8187bca997209414c2f3a527369ca5d215e5eed21f06f3c924843a226b122bb999301dd81ced290405fd7a6de2258d06310

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c8a31636dd294a8bac2c403a3e74576d

SHA1
081f47da7a7b4ea44933f97dcf3c07c91921270d

SHA256
df6144784b2df53587e2ee4f83dd10b10be81a80b51fd65655ea8ef29f9d6e1e

SHA512
fad10172e5f6bb04cb19a9996bab7895aab5e6e9846f3ee103982e4958305c55f75c40fe32f977f62fe5f37f24ef1ec5dbb513649af0d1af3c85b7d393b22780

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8478228af088f75e2f9422113416b395

SHA1
7b027530c121be0886635cb6ff0becc7c15c02ed

SHA256
972edf3d9e1514a9f060e4022812c86184ec096f935ca8e2e4710f2fed361f0f

SHA512
e34ef429cf3230792c32ab4300856789e468fb08ebf1647366ccf8de805e7ed979dfa5b92b8ec034f342cf9258ac58bdcbabe68619501194e6591cd2cde8450c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9013f94e6da07c8a3526da82dcd8e601

SHA1
00ed68b8ff92d85a049ef3e6775fe362f4dcabf4

SHA256
1756c26976415f1d52210f8f7c557cb0d9c77e7ad18d594c3e7ce219b048b68c

SHA512
5f0fa10c196e015d04c5538689df03e59ef8aa1eec7b3675b8994a3b0733a5764c4f226ab21ac1c8ceb512601245b70ee48a43f700e4f18b2ec6ffdf39c56a5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f7b84066628c9da69321a3ff24a5d2f4

SHA1
2c499f34d03595965cc18a82b4d144cd29478c93

SHA256
16e378d2d50d7194ead9e5ff819c3844e0dd76d8d812748305ace9444da64bba

SHA512
88bf2b256cecaa8ae2d77678400769a6d18ee76ca1a78726e6d698aa09ac018b34c8e4b164586f8807f8da0299bafc1df1a60e2299b0bb9c01ee8b2f877d3e35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
07133b4c7f804845193659e924593d86

SHA1
360dd3fe7ed8e0c7cc50083e25f1c171f38b6389

SHA256
bc4a23ad4204239d147ba085fa6e0301271dbf9a4f19dae349e56c3f91591af5

SHA512
addbb7881c31012b148db2b2e495d66cb42e5d67b819314a2f3d3f7c4874b3bba0b5579b40718df4bc43c129aaa6d6aaf094c8870abc5a7979bb2e391f483c37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a33d469c90f7df31f5dbc0f28712cac5

SHA1
79a16b059555aaba59f39c753e689dd57da32357

SHA256
eb8e2d3c0e7c0e58452fada49525cc8b9025b640a931e4643b11f57bb576aa0f

SHA512
4576a42f5b1bf3ea612f195b9af82d94283031e0d7428857711efcb39e546f4ba674e3197c689c52bd7acd0a22879ea11c2e6e78c8fa83325ba5c416b99595c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c44c9e8362428a082ac9643f56ec94df

SHA1
506c16ad47e093b2ab7ac760c6d7fdd14d7094b8

SHA256
78e99fe81565cac46fff19ecec9aebbc707b45d93b5f883d347ef7376041b32e

SHA512
0f5bcacee9b4e4faacd1f38f8050b6f1cff5393e67e23c65d27cd2383e0617bd30ad0148db7928fe990032e4c5d04e5b19cf0673279523bb7e8778d237c9db1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10bdaf0237466f631406cad342058546

SHA1
3f04214a9c2bd2f918b44f513b95efd5e49881d2

SHA256
33fee0604134426c12640e07e96228de418e5985ce9118f27d7d296d557d3adc

SHA512
48aa8862ce56deb06e663cf1a6e9313386ca530965a4757542ec7d29a41608886ef58b7715a004014bea37fe4d0c66158ded20fd89c43d7be60d16ddc2790250

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2236-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000A20000-0x0000000000FD0000-memory.dmp

Filesize
5.7MB

Download
memory/2240-13-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/2240-315-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/2496-27-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/2496-317-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/2732-28-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/2732-318-0x0000000000820000-0x0000000001E62000-memory.dmp

Filesize
22.3MB

Download
memory/3028-12-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/3028-316-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download