c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.7MB
MD5

224648bac4d99c8e0c0910f264fa074d
SHA1

2e5647ee2f33fb4d9a3717b79f3193ee71497d8b
SHA256

c1ab8db613a0687ed5e80ee5a17f9834c3a3ec8aaae92cd77d095778e0c146a1
SHA512

0d56ee13d16b3de26b2c363d2c614c702c78bfc22e7a2711a8ed93b1d9a056054c6821846b2716f424ccd5804cb056f786bbee2da6d2b168b36f1007d0a08772
SSDEEP

98304:NHbbpAhshpV10OE3G6WOgttVHrJqHJOkfFunOeyO3W8/WtwsZ1Jb7pXc/3UQIH9B:NH3LVh6FQbtqeOq3W8/GwsVvNc/kL9Kg

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
440	netsh.exe
4272	netsh.exe
5032	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	App1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\148a892b37f45e5773518d8932c75e38Windows Update.exe	.exe

Executes dropped EXE 5 IoCs

pid	Process
2524	AnyDesk (1).exe
3984	App1.exe
1128	.exe
5108	AnyDesk (1).exe
1168	AnyDesk (1).exe

Loads dropped DLL 2 IoCs

pid	Process
1168	AnyDesk (1).exe
5108	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe
1128	.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	App1.exe
Token: SeDebugPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe
Token: 33	1128	.exe
Token: SeIncBasePriorityPrivilege	1128	.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe
1168	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2524	4684	AnyDesk.exe	82
PID 4684 wrote to memory of 2524	4684	AnyDesk.exe	82
PID 4684 wrote to memory of 2524	4684	AnyDesk.exe	82
PID 4684 wrote to memory of 3984	4684	AnyDesk.exe	83
PID 4684 wrote to memory of 3984	4684	AnyDesk.exe	83
PID 3984 wrote to memory of 1128	3984	App1.exe	84
PID 3984 wrote to memory of 1128	3984	App1.exe	84
PID 3984 wrote to memory of 1128	3984	App1.exe	84
PID 2524 wrote to memory of 5108	2524	AnyDesk (1).exe	85
PID 2524 wrote to memory of 5108	2524	AnyDesk (1).exe	85
PID 2524 wrote to memory of 5108	2524	AnyDesk (1).exe	85
PID 2524 wrote to memory of 1168	2524	AnyDesk (1).exe	86
PID 2524 wrote to memory of 1168	2524	AnyDesk (1).exe	86
PID 2524 wrote to memory of 1168	2524	AnyDesk (1).exe	86
PID 1128 wrote to memory of 440	1128	.exe	87
PID 1128 wrote to memory of 440	1128	.exe	87
PID 1128 wrote to memory of 440	1128	.exe	87
PID 1128 wrote to memory of 4272	1128	.exe	90
PID 1128 wrote to memory of 4272	1128	.exe	90
PID 1128 wrote to memory of 4272	1128	.exe	90
PID 1128 wrote to memory of 5032	1128	.exe	91
PID 1128 wrote to memory of 5032	1128	.exe	91
PID 1128 wrote to memory of 5032	1128	.exe	91

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1168
- C:\Users\Admin\AppData\Local\Temp\App1.exe
  "C:\Users\Admin\AppData\Local\Temp\App1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe" ".exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:440
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4272
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\.exe" ".exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
93KB

MD5
f6675a418b2c5a731eb55d098ff4811b

SHA1
2644b64d63915e3fd4bfe24beb310a093d4f441d

SHA256
58f5e810373d4099f4730d5d63ca9bcb9088caa3db3aaa1843fa39230db7abf3

SHA512
d32e4962e6a85e5c9f025561d4a8401bc056e82842e792b3fc2c488692beac92b935d46c6be444ad708898595ab200e88f672bf5ea73ac0380d98c6f4f291bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe

Filesize
5.3MB

MD5
0a269c555e15783351e02629502bf141

SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d

SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\App1.exe

Filesize
395KB

MD5
e01d4d0eabf33649d4a6f52fddc09d28

SHA1
7f7e825edfd722a8b21a03981440ff34e0e016d8

SHA256
fea1d68258ba9774bf3a600aec2ba1a17898053d3e5cc108d56452ad3228770e

SHA512
542653cb7ce6ab1e71054b6012df16163464b30726a3270de6193ef5353fe331bfb5e33fb8baa564a5005e599d0f8cbdd0b6e10102d1579415173d88ec88b67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
cf54705cb1e77bc834cc9a6e3eb81d5c

SHA1
cebab7d4b5cc7272e4de72fe06ce9d714dfb1014

SHA256
a0daa7ba96813004746f1b91b0a9786dcbfef6db35717e766e22eb3bc0871408

SHA512
43ce101892d84c25cf10efba23ec515e0b768e2d40e395384b38c7fababe2938c2769235d331456c9908b0fe4d802a4ad20b947448768e1b1a8a9e764b8d219e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
08cb40f987b6f07d0a03d510145e7660

SHA1
da214a17f9c129702009e7356c985885e05992c2

SHA256
f4334adbfd8fa244d141da665d1ae2af18cd7588732c5f761b2c00ab4635f335

SHA512
ccd4a48bbe8adea24a72e151586032436a5624937545b6f1c587ed31b22164e9159f3155bc2e36c05f67ec20e31b2b4eefc0d36aef429b367c8819edd7df47ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
83e709bc29391fd43ffa6b5bfbd862fb

SHA1
a89919d7053bec495043316a15b92156c8e45dbe

SHA256
11f075c9fe2df50132eca7f4e0d70b841f8c723f07464b2e5fe2c40b7ec6eca3

SHA512
da23f0bd097b1c2e2a41bad79c3cf609418e6083a8b627c6b1e2d56936de1c3c60d12fc32de61fe363a9f116111dd8d02fa805a7e06bc5e444ae84e40fddce57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
559e93879c6b18cdbafa1895a9fff11f

SHA1
207e4f8e2437e4f66c02be23092eb75bf867e7ed

SHA256
9108311fb54599aa053c796d7945b6bb7dda6f110c987ac69f4accb0b1c0f8c1

SHA512
2ffac89ec817c9ce5ecb433de311f7b4bdcbd90c7f54f36b009b536f8a5d129dfceb91a2d8d25962b931d1addff277d362b85a550cc31a647fa7fee842768be6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
59bfe53f7ef5c08b943a5e5ccbaa9d52

SHA1
37015dc1053641746e45b144a294f687349d333c

SHA256
8c5acf3b490ae587f09a7aa0195f95699f1c9ba8048ce2ffae2971b029e2e856

SHA512
f9cdb26d06bb86457de2594f2e9bc6efbc76b30f930e1e3644eb891e07e45645e2c21036e2fcc847bf7c9991888e571c22eb2d937f311eca3ab991a827c64243

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
a7e601a32167d3e1086a429bb448c35b

SHA1
ad90a814d0f299a40c13e8f177b8460bbba0acac

SHA256
731bcf280be4ffa031ed94d3345bddfe2f11ead8ec96843fcf2097d42793bd6f

SHA512
b73ad18ad9f3fd21a29a16d3f8fbef798c94ec767dac79360cc771df139da327af0a502a2c63408fafa8012d0b52307625b09212589b0290bd61cefa46fdcaef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
754B

MD5
ec2d937c4fd8723590d96880e5b0460d

SHA1
372d711a1c299a7ba2331caeecc1431879081b1b

SHA256
130db4257c07287bb5436dc5f5110fab32e261a7e7e8439d202f25f05cabd605

SHA512
e3ff29f113329caeffdff26f41ae4d96e19f49a36189ae16b78657afba4048d2e687b2728f2e10dd8921f2a15897eca3a08be83e3006b42a3de0eff12b842b82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
5c12f1d5c0269458929c9b27e4b1c438

SHA1
9f857b9ca7398a4397df3a7f23255f0586bebdad

SHA256
91429477dd86a6bd7afacdf912796d6a6f339cb94480b5b975723248908e50aa

SHA512
d58cbdd30371826f0276aafa07a3d6ecbd3f81c3fc8b43f75c93a46fee3f686f622c182d981d7f27f074563ff208c1a7ff57e48423c911239f8d9ff81cf07771

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
35e1aa6326a3b1d95df784e0fb4a113a

SHA1
d0ac4bc4458c380abb86de219eb1a63e5d621591

SHA256
96f92698e73dcf115d7a8b2f7a49790a1b4b05eb9b3369770dccc292c7cb01e7

SHA512
ec206de975f7fbb2d60713b203fd7822a7cb67204e95f73ac8d6775228aa0d43f4fa7806cb111d5624aef98f61aa628c06867d9ba32a8d28f3c02ce04d38edb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
978debcfacccd0069b558fd67d87bb94

SHA1
1739655dc356c932d4834deaedffb1705d1ae84e

SHA256
1ae232da8e41769b5cfdc0f9e95f76ced9b45acd2dfabbe59940b964ab0800b2

SHA512
885cd3232460eec096480eb7fb6dc076c4fa2c8f2794bc01de552e2269728ad6290065ce109570ad22a910f2517a27264e97754010e0d26a0ca636e785bb9114

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b405d687c73e34858fed182e73d4bc48

SHA1
1ee16276d99b2d70b375e63a4e6c0c03f0a1d022

SHA256
416fa185cc50413cf41c0036eb3eb1535061f8002f54cd4ac452c631bbd5a57a

SHA512
32359f7ccafb7decae7c1017fb825c1109a06dd766d75d3d80cb5f93d174449a4a62cf26a63f7304b2c650b41e4a37e5c7b0997deeae06c729c8190ee767f4e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bde40834babfbc7913c6588ef91984b2

SHA1
30a5fcc542faab074b0aae683c9835107fe922a3

SHA256
c2c5a46d69c6f98c879092ec76e6049ca2f052cfb42406236d153d8379ed6bca

SHA512
fa5df53d97169fedaa9b53412260c26ff267a0906af87aff79e369949cb5927cc2ed49ac686d1fc456a9462b16dcdd10c7494c96a01aa74bdd44112ab21a82d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0b89ddd952dbf759c23cb71f9e743331

SHA1
c7a590fc76754b71d50884a2658b4127839bd03e

SHA256
b9647d38d3319d8650c7d3af4d8bb9ee8f6cc42ceb6205d75eca330430bbba75

SHA512
ffe007c36513d4e8dca5073c2e59565ec5285845c4b947a0486b755ba631cc7d5f89ea0a056def3801a8b39e84d4e18857c14b567868e185348d4e85939e884e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9df31f959629e66d40b9293353d70b0d

SHA1
c77909aaa36686a3305d3ec7070fb1cd1a338f51

SHA256
c1a387ed234d18e1b9e3ebc7211abe2fa4c24aa9e088a38a580c4888f6e1c00b

SHA512
dcdb8096fddf3d42d22889542dd3d9fb807091ff6101adb766f2dc4ece59829b9f90029487e7b0ac0ee3b545eb0e7f85bf5a99a11c87db62d666f67a306e9ce7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
12a2c636f0bd9bfe354ccbbdef85daf4

SHA1
3c0617df15f0a5210914a73fe8f5d8eb08eebddc

SHA256
26c2b08ef91d289b84294bc6fd205aa9809b6badc9d551574c07ee6ac31c08de

SHA512
af5dd94f54b3d056736f92096f2ad481351dde15037ab5de614ebc062bb689625b485fe9c371ef65c379ff300d394b00542a76b838bf1a68207d3c6bc577c600

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
834bf5badda74f6836ab2240a9183437

SHA1
b999eec42a5c8f29d5a016e0b74b9e2a7c6836f5

SHA256
4633a56852cc7b7ecbd157bbdc6279a0b24037c7c3c36b6c75638f14c307ba75

SHA512
567e882a9f4e473684aeab40331f5ccc66b71e5b174eb4750a238541f02e7b67cf97bd67b5c7e8507349c528d469f68127b57157e118a37bcfd5cbb1fa3e0709

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
089358dd4c30d4d8e21b5f9d87f9bc6b

SHA1
7fd96384c626bc25204c536d3fd4edac44b7da75

SHA256
c2346b5855d6a50a840150588e0d74c962c6bb879611150b3be9b03bee28228b

SHA512
9fd09188dc8774b7f4bb8a0d48d3f70a1bd1340cf2558598a3688733279739f6612e4a2dacc8644e4cf326416cd111f2551125980e2d594895643504e9a88000

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dd96a77870373e0ffe93ef5c287817f9

SHA1
10648bbcb81c55cf83607bcc6246eb203acdb6bc

SHA256
b560e898867eeaf2c29de3ebcd9439840fd738641b5035ce6edb7a89016e0d09

SHA512
be9c84517a9df14200c9119a37f02d851d83a464795b66b6d16c7222b84e602f8de34aa41b7d8afd9ed21f565d696c273b4ac4aa0e030f48550fccaf9e808c5f

Download Submit
memory/1168-51-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/1168-287-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/2524-26-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/2524-285-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/3984-25-0x00007FFC0A900000-0x00007FFC0B2A1000-memory.dmp

Filesize
9.6MB

Download
memory/3984-283-0x00007FFC0ABB5000-0x00007FFC0ABB6000-memory.dmp

Filesize
4KB

Download
memory/3984-284-0x00007FFC0A900000-0x00007FFC0B2A1000-memory.dmp

Filesize
9.6MB

Download
memory/3984-24-0x00007FFC0ABB5000-0x00007FFC0ABB6000-memory.dmp

Filesize
4KB

Download
memory/3984-28-0x000000001BF40000-0x000000001BFE6000-memory.dmp

Filesize
664KB

Download
memory/3984-34-0x000000001BFF0000-0x000000001C08C000-memory.dmp

Filesize
624KB

Download
memory/3984-33-0x000000001DB80000-0x000000001E04E000-memory.dmp

Filesize
4.8MB

Download
memory/4684-1-0x00000000009C0000-0x0000000000F70000-memory.dmp

Filesize
5.7MB

Download
memory/4684-0-0x00007FFC0E1E3000-0x00007FFC0E1E5000-memory.dmp

Filesize
8KB

Download
memory/5108-80-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/5108-76-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/5108-79-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/5108-286-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/5108-49-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download
memory/5108-293-0x0000000000290000-0x00000000018D2000-memory.dmp

Filesize
22.3MB

Download