xred | 92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09

Analysis

max time kernel
120s
max time network
115s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Size

4.6MB
MD5

c9545d7339b175dac87f4b5288a9a130
SHA1

f357c97cbd461541dfe8976eae770f851f60b1d6
SHA256

92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09
SHA512

ed719b845257bea67f4c6aece147ae849ee92199c537f343c82b60065358e32e956112d25f2c47ed5af1127b237c8a55b58fbdbebd08f85f153eb0f6a01e00b2
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRF6:hLBmZb0bEds4XFR0OiC/GT6

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2720	Synaptics.exe
1532	._cache_Synaptics.exe
2144	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Loads dropped DLL 7 IoCs

pid	Process
2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2720	Synaptics.exe
2720	Synaptics.exe
2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2140	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2144	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
2888	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	EXCEL.EXE
1532	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2784	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	30
PID 2192 wrote to memory of 2784	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	30
PID 2192 wrote to memory of 2784	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	30
PID 2192 wrote to memory of 2784	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	30
PID 2192 wrote to memory of 2720	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	31
PID 2192 wrote to memory of 2720	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	31
PID 2192 wrote to memory of 2720	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	31
PID 2192 wrote to memory of 2720	2192	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	31
PID 2720 wrote to memory of 1532	2720	Synaptics.exe	32
PID 2720 wrote to memory of 1532	2720	Synaptics.exe	32
PID 2720 wrote to memory of 1532	2720	Synaptics.exe	32
PID 2720 wrote to memory of 1532	2720	Synaptics.exe	32
PID 2784 wrote to memory of 2144	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	34
PID 2784 wrote to memory of 2144	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	34
PID 2784 wrote to memory of 2144	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	34
PID 2784 wrote to memory of 2144	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	34
PID 2784 wrote to memory of 2888	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	35
PID 2784 wrote to memory of 2888	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	35
PID 2784 wrote to memory of 2888	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	35
PID 2784 wrote to memory of 2888	2784	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	35

C:\Users\Admin\AppData\Local\Temp\92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
"C:\Users\Admin\AppData\Local\Temp\92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2888
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1532

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
c9545d7339b175dac87f4b5288a9a130

SHA1
f357c97cbd461541dfe8976eae770f851f60b1d6

SHA256
92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09

SHA512
ed719b845257bea67f4c6aece147ae849ee92199c537f343c82b60065358e32e956112d25f2c47ed5af1127b237c8a55b58fbdbebd08f85f153eb0f6a01e00b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYLUSLJ2.xlsm

Filesize
22KB

MD5
be14f50406d7f15b0081667df0fcd06d

SHA1
6ca59e9c5223dc593eec4227eafb94da9a3a7f6e

SHA256
4eb3ca5b50ff24fcfbb2577a85287732f6f43807c3a85d9833227b5d659797f6

SHA512
90e993f2b5196d0a7bd2f95137559eb633b6b5caae0085aed2b68db0e3af962bf02c9b3b7cf2660f2ad7496918d9426c0774feb9f4531f0433a7ad68404b75c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYLUSLJ2.xlsm

Filesize
30KB

MD5
149687184c3773ebe55157fb88412271

SHA1
ffc29baffe2efb6ffff52edd1127722ff39985b5

SHA256
9987afe8f5da0f8741214a9db7889038a620367e6e2fcab6ae5b6486b522876f

SHA512
ba0a26f1a81a54741da3a8035d9cc7bf3838d0aa684aac4bd782bdfa97ac1d66c1c8a594b4c7a51f3758d311a97a85d4073dab21bee964115304aa3e957222e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYLUSLJ2.xlsm

Filesize
25KB

MD5
693ff79e09648d3cbf88cc48c7ea8322

SHA1
6f4308f9247cd8c689c31decbf4ce0de6f727665

SHA256
18505fcd2a822aebc0fba44278a249d6b31f3c9c16072e1311553cb7bddcacf9

SHA512
0ce85ce32767ba9bdfed5118f9167874ded54fbbe84cbad51752a3f8a99dddb2dd48af7f922fc34552de4306acb6b52c813034a3e47966b9d911d24c0dab3a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYLUSLJ2.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYLUSLJ2.xlsm

Filesize
27KB

MD5
befb6be139cb5274e5ccebf788d46863

SHA1
5c2517c01961a497722de4335f1adc78b461d817

SHA256
c0ad5715eb83203f48e7f2a5edc0eca1e1b8a4901826905af11e6fbc23f23c4f

SHA512
fbfcfee38c99f13cf0efa5d2f885917b646ee6f12a9a89f97ce66010a157f592990eca00e9230497b230f3c67668ecad4f03f01b0975b4bc080a3fc234fe1d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$BYLUSLJ2.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
25KB

MD5
49d16b764abf68f897c37a297913b6a6

SHA1
84545e4ecb2a33b8d7237049521d4f641097e146

SHA256
94c358232928dde5296f1323e64f2b067a1fc789d84a1bdc54b154619e1b5b28

SHA512
bc9469af4eb91c35b3c2fd5f71b5f580e1a0fd979a23ea1c2ac45332e0d24de9be9f4e0b77e5e771cc7dfdc2755d07e2f512c98f6ad803ae8b4a8b740f115f4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c82324894db273c5bfc5cf49f405eef1

SHA1
fa419847eec2f145628e1b1c5cabf98ee5f85867

SHA256
6c1baa36db696b4d6d8dbe5fd28b48197cbc176a689113eb59516e2d8bc1690d

SHA512
2cfe79e8f9545326492eaab2cce83277fd54e91bc867618aeb49256b56af677b0b252f9646fcb66ef288edfa520fe25709db0e92ab1bc6b53d5dfabf15886377

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
3769a5b35a6b43454c5aa107725724af

SHA1
718256eab10f55739d0fcc210723d94ae7d9bc08

SHA256
0e3789c4dea49cf64d8553d17fe596ae9831568dbca416eccea23967196beb26

SHA512
5dd10510cb22a509dee027b4e8e9ed43270042f2489d9b17f92c6c960a90d962f24ee23013a349b7aa7ea5b28a83971bacbc77f156f82370cce78f838f3674b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
b62c8743cef62c76b62d1134588989c4

SHA1
af12e69147b60f78ac27c0991eee02b1c99b623f

SHA256
da63c549350bae90043c929db1a677bf475bb01bfce72815c244b96f353e296f

SHA512
ce177a5ab7d5830155291aa5c4df38ead8c7666dbad81e94e8f94d420fcb7007421e3a50aab744c6fd2f9f93a0e79400ba90f7274f83cee73deb83ee78b5a542

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
716B

MD5
6cfb7e2dadbbc29f906a0e3b6ef65f53

SHA1
69bf2203a8c30cd1ffb310e9d47b24576dfe8628

SHA256
c4f17f465f6f422836817f2cca3719cd3992bdf26a5938e4fcb033ed7de13cbe

SHA512
23b4ba124baf9f2736d798cf8550a2657bce32e3b8a95caf480794383b8bea2a9bbbc7a855b508cb2a0eb435c5b53ecb8646765dac83fcad4cb13d9103f72e2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
af07bce6a8f0cca20ce2c388acd16571

SHA1
a1f69d14429e024cffe456aa92e0262d04438531

SHA256
966c4e38669eeaa8ef2854f33bff4ced22667a66285cbe2950be03fcbbaa0729

SHA512
2a57c6c0cb2a5f62f81aa86d24a93af3c1b715e2117e4b3f824e0db4d1ab769aee28becf373f9cc33205edc6579a3da435fe33adb01ffa37f7eb4add7bfd5e99

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e4378e67a404755c9a74bf87bde5ff06

SHA1
cc50460980d46891ce21b53bfb15568addfb5f7b

SHA256
0202872dca6e7ea60e174722e698863b1f1f033791734eb490f6d370483d7f37

SHA512
4a3321f24724d5f296274f2050ddfaf2723f44b9ac2aa424aa4015df9a84389fb37e7ee1e61e3f497ef605a596c2377bf806f15e4c01973d163ab0905cf817b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
79b8a788b64f2c8ae8ad1fb42aecca43

SHA1
49eb9cef34a5ef2e592d3e722cd46b7e0d6256a5

SHA256
fd4a8bf44a543f8aacc470d5147ac663a9a22616cdbec72bfe72250b6539ad3e

SHA512
41f1a6a72700553bdcc1c619e789a813c5282a2e2e2dc38bef7d60913256245ff9175253052d421a2562ef7129e34ab94bc5dd608316cf490922106d039a62b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4ade9ebcb784958e90630218000fb0cb

SHA1
1eb23f1675285d9e98d5f94abb84015c2aee9fd0

SHA256
a5a12f52c5f0995ee5dbc7b569a699aab60f555b3b3058c9141368d550242d36

SHA512
8cf00b7020fe336c17e67ba33af28cb4b9f9691e5ea192cee5315fe58793825cb646b694e17a660ee84fa19755303b01ec0a76477106461dcd7a9107fe4937cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
6979e585759db62ccb1f02df4c5a9b31

SHA1
fe8a6a35935e0cef957f7886e1c149db47beee4c

SHA256
ce80497c5392dba0bf12a041f6cc65612787bcdad40501e5ddcfb273453366a9

SHA512
c8094d15f35c6394e42c7c8011c262d1978253fd79676e6addbd59c9b3142ca7f5abe442c293ca9753f085ae6b888b66d9dc013a2facb2e4c87b470baebbc075

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1788da190bae90a5567903e75d109689

SHA1
5f3f16fd74798e52787c869061ef51a308499e9b

SHA256
d7f53b089b9ef1f741c881bfe20c4fbdbde07505f21efedbe1073581cb5d5d81

SHA512
88a1e45ad7ee18ab6df9022e07cae9c3374d4bfd90c26d3607e0130228b21c2714729ac1a2b0861484ad70bb2ee46f6397c1601c5f47d75330fbbcea6d8fceae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
75557c9086ee9baa236ca0ea011addee

SHA1
e32d0d84775229a218eee636a1558c0ffcd479ff

SHA256
73dfdcee3f7b2b2aca725da6abf9af48ce3d4a63a13594ad03098023b4ef487b

SHA512
2a5b863192405e81d12cc7f79e7b3c9aced3e4a16285df8624b14d9436ee345cb946debf8029ded09b54a9280175be294b670a469d8f1ed779b2fcbcb7edcbf6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
41d4060786c4b06e2dfe76d4a0e4284e

SHA1
68a288fc86669a6c60a1b4fbfeb8e17a2ed67ab9

SHA256
e941350c83bf0d26357cb0a11217b55c31cc53c3436c3dc1c8a3dc2a81922a39

SHA512
2c7f70912bb4c3e590354dfdbad8eb974ee021643a41a0f72269f76f79b667c25122d4a9e612940bd2ffd9a645016a92b02fe0148b22a250065790c79d7278b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3a877deb225b06fa1000e8dc07e47d60

SHA1
24365fd92b0571fe4aae62118946bd9d175d1199

SHA256
4742df2474015d9c699b8b4d1566c3407126799680c2cd212477bec1bdbcf793

SHA512
254e450bdf644dae46fa064ed3be0790bf33663c12a89f735400394844268166dc6dc3bf9052a4d2e14364aa90e283d662752c8c36b4d2998081d0c5202162d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
8d555429911c28a2788c8e36d5460cd2

SHA1
82c7ce582fba5242071528c0aa932c74f2d6125b

SHA256
526e89c731b7f2dcd38a5fb0502a4cb4bc99a57a8b3f0573cd88d33d1de976eb

SHA512
e554d884a053aea86b53d2e379780b34afbbf4b7cb843d4610a9bc26d45cdb8fbd99567cd3675d7900454d6d8f885e3473bb7251fc797a2b41cd94e4ef8ccedc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
0a390eb88539492a5354f42ec4eb54be

SHA1
b4f80fdcb96af982f9b91d01dc17552b9416ef3d

SHA256
47eb48894724715693fe5d5a9fc0a733528cf804473037ed1666ed51e1a4cd3f

SHA512
ac96a92396437da89c9abcc5e77d9004431d703e66872c74891c01cb98748cfe4af5d4713ce4632148d8f0a744fd624113a95b7b2cf58715b9526439efcec09a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
memory/1532-52-0x0000000000210000-0x0000000001295000-memory.dmp

Filesize
16.5MB

Download
memory/1532-543-0x0000000000210000-0x0000000001295000-memory.dmp

Filesize
16.5MB

Download
memory/1532-412-0x0000000000210000-0x0000000001295000-memory.dmp

Filesize
16.5MB

Download
memory/2140-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2140-427-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2144-56-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2144-544-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2144-431-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2144-421-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2192-0-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2192-5-0x00000000043D0000-0x00000000043E0000-memory.dmp

Filesize
64KB

Download
memory/2192-32-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2192-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2192-29-0x0000000005DA0000-0x000000000624F000-memory.dmp

Filesize
4.7MB

Download
memory/2192-30-0x0000000005DA0000-0x000000000624F000-memory.dmp

Filesize
4.7MB

Download
memory/2720-411-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-409-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-575-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-429-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-413-0x0000000004270000-0x0000000004280000-memory.dmp

Filesize
64KB

Download
memory/2720-41-0x0000000004270000-0x0000000004280000-memory.dmp

Filesize
64KB

Download
memory/2720-434-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2720-31-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2784-408-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2784-19-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2784-541-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2888-432-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2888-57-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2888-545-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download
memory/2888-425-0x0000000000040000-0x00000000010C5000-memory.dmp

Filesize
16.5MB

Download