xred | 92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09

Analysis

max time kernel
113s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Size

4.6MB
MD5

c9545d7339b175dac87f4b5288a9a130
SHA1

f357c97cbd461541dfe8976eae770f851f60b1d6
SHA256

92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09
SHA512

ed719b845257bea67f4c6aece147ae849ee92199c537f343c82b60065358e32e956112d25f2c47ed5af1127b237c8a55b58fbdbebd08f85f153eb0f6a01e00b2
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRF6:hLBmZb0bEds4XFR0OiC/GT6

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral2/files/0x00020000000229a3-349.dat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
5116	Synaptics.exe
1456	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4444	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4632	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
1456	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
4900	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4444	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3668	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	84
PID 2904 wrote to memory of 3668	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	84
PID 2904 wrote to memory of 3668	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	84
PID 2904 wrote to memory of 5116	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	85
PID 2904 wrote to memory of 5116	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	85
PID 2904 wrote to memory of 5116	2904	92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	85
PID 3668 wrote to memory of 1456	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	86
PID 3668 wrote to memory of 1456	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	86
PID 3668 wrote to memory of 1456	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	86
PID 3668 wrote to memory of 4900	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	87
PID 3668 wrote to memory of 4900	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	87
PID 3668 wrote to memory of 4900	3668	._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe	87
PID 5116 wrote to memory of 4444	5116	Synaptics.exe	88
PID 5116 wrote to memory of 4444	5116	Synaptics.exe	88
PID 5116 wrote to memory of 4444	5116	Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
"C:\Users\Admin\AppData\Local\Temp\92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4900
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:4444

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
c9545d7339b175dac87f4b5288a9a130

SHA1
f357c97cbd461541dfe8976eae770f851f60b1d6

SHA256
92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09

SHA512
ed719b845257bea67f4c6aece147ae849ee92199c537f343c82b60065358e32e956112d25f2c47ed5af1127b237c8a55b58fbdbebd08f85f153eb0f6a01e00b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_92c2a6e1a304efe77cc9bafb80c73fabe4261763f7ff13741e13396feef8fb09N.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fR9iTmKJ.xlsm

Filesize
21KB

MD5
a622c2fbb664b2fb208e8713a5729e34

SHA1
83f2a5a598ab2ddced3c1955b8cf6ef16c38baaf

SHA256
5dd23bd8a9f6738af43e3bced20b6b53380e247c4e3f7ac8017d1aa23b140e37

SHA512
a58c0b913d0d7bde0c0a5624c19f449f49d0b27d70cd6c2a9fdb3f630e6cdfc4e71955c47c28f32398f8c499288af0e6290bb3283c4b675c24384cc0ad516ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fR9iTmKJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
46a03a922a448fc93409c5e855a74148

SHA1
e5a3840926e0129b01c36778b76a5f05f1d0f6d8

SHA256
d7404536b293df49a9c336d0b2d7de07c3e25febb5e107229afd875221ffe898

SHA512
d7fe70c3523f860d276a51c29e8ea81eb887a45079d24fdff9dce8f09576d4a4169440eac632a51988ad78f2ffc39740a4e1d10f3d82ffdcf4694e37bd341bff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
13KB

MD5
8f932ae48015e3a958cae3d7b075d0a8

SHA1
19cd6861b09ba394ea1a28e3c04d89681ec5a6cb

SHA256
4fd7610e81944663759fdd1ccd3afeddb2b181bf577db0a5b016f06be6b7d118

SHA512
bfcef798718f42a9f0c4671c263901c813ccf95cf1cbb5e5c40ff742e3daf285a140b236656f384efbbfbb0db03d0a8a392b2bc8f584cb777dc7144a994fa70a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
24KB

MD5
6f7e136be8eb5a8a509d3a40e0f840a9

SHA1
e00280a85f3f886aed3a37fe6fbcd4a1f5317fbb

SHA256
87b3311a7d189222f276a3bdf9e5b9ada5cd16f356048c2b7c0b067343338970

SHA512
a68c81921b16f74320c8438e0f1b7fd67eacf6e1208ed57ac6b8c5e506263ce18601be61fc28bb6fbd65fe7e363dbb880aae989bc4ef50d04f3bd28aa402057d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9b122099e0f38c4ac0b2a7d26ee6e09d

SHA1
5008176593fffb01dd170bf39bf7e8ae25bc5b5c

SHA256
cf25d371918e770acacfc9cdded57f1198c44157c67d447ab4226ef50c09d558

SHA512
0a61061762a39ff03a644e90b5bcc68cb3f11f5a01a135fa1947847bc965cf2ac4f74c54df2574a29137a70260c67ae883eabaf8cf00f609b6c07dc7a04e4f62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
99cd62532a9569de98e0ea513d488644

SHA1
77d53d56a24c3e44552878741dde450d5d0d5400

SHA256
127375d20f84e507dd33230ec8932b16faa35e869976ab58074905de65c0f142

SHA512
afb6e7eed4efba51f84948bb644583c768d7c541e05ed87fc6b7b6ab504383eae85dd9f190b3f1f8e9edd6706cec40d81bfb3efc86c011516f9b09a60d8e4029

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
734a8b81e154277f931e0db670ba68bd

SHA1
8c9cdea33cab7eabc0eb196ef7eec79095f93a0d

SHA256
ba3bf8e72d32e186f0d51f630a1bbd541ecccdfc5dca34f53eddfa72eed51d56

SHA512
bed41522851fd1fc916b53d662614d88a5ef95ac6901a90ae5ee58c0c769f323b21fc748feb0c6e2617a69857ef90e15d7996a4a5b1b6614490c3419ca2a3b82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
ccaf4142553637fa0f287e7a08c23385

SHA1
e6cca0e5ed47ea17be729c49550667b7b79a00b5

SHA256
f7f1ee61551082c82ed07c8fdc1e8544c9572095bcc51cbff7345568bdc68bd8

SHA512
0fd9520573ce42aaf5c83821e6133481ffd1b2e4ef136584f4f89c5abf83c37c89bc6348e2a7cce0b6f0c7a87b142e4addc96dccc3a074a0a13ab6300b0b10e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
737B

MD5
f1127efae3728c0d4c9bb399dfeaf6da

SHA1
204cd34c2e0756a4b4c944067e9b758329502060

SHA256
9d86ad3e9593c059b8ae4bdbf4fc3e123e4143d9e75f624ac2ace5de1f26b1e9

SHA512
8b482f6ab0ee8adb17c4b121231a916678a0d25f5578a7d839441fd6106d6b37322afc91a712f3090246c35c97cc2d3a82331a3ec0b8b73812a5da160fd4549c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bef17365cf4f893d7ecde0da1bfb2da3

SHA1
589d05aa4de8c19e3d1eab01bf33e982ad962f7a

SHA256
063703bac722bbcaefe02e47e5d9221a53648c8ca50d689dd431064cd4e7b783

SHA512
489a5ca82bf3e9fcc71cfc41f6b88eae2dd95045ffb7bca7c5c35344c970ab4fc101416ecd1a559bf21ebde47cf064da55894b560aa308cf7290913bec278d85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5669645660e2b30aa80190ca2006d06

SHA1
51b97592433c17dfcf308c8f9c19aca3daf39fdb

SHA256
c3ee493c1a6489314998cae6d754df1068e827f0bb474944b8c958bb49874b7f

SHA512
7689355cf844bd93a1f1a4f61bb729920f07d1930a1062e229c319df712a73b764dfd1e203ec4db660735b5d6481c263ce2bdb0845c662eb94dbb5fa0b94cb72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9710253e50a184305034a84dbad8c27

SHA1
7d5545d6943bbee49c449369e16ef338df341dbe

SHA256
def8b65cba4833bd2e40835592237619491871681b730519c1095ec63f8b0868

SHA512
b424022a1831755d4a54a462f0e8a1e4fbd3af8b5ad64f19a89fe4323eae06d4845b322b4cbb95b7f48837b6f81be5a506bd4d8b6dd783cd26f1285de9f2acff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
19c9aac0cbc426ee3d1e98060c2b6aff

SHA1
6db88185b6bd73204d42cf33c0ed7ce586d55944

SHA256
91fddaba54cef7fbb8212a03efc811c32c20f1d0d965c2836b5c55d6c630a84c

SHA512
f6cba3e843ace6f95d2d65afc7d7331b89ad72bece6d5bb2f49f244ba5a3aba5a471e25ca46ec80dc47397e526e44e10d5d7a050a6855df580e6157081d90f05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
6ad8c674eb5590fb4d0a27dbfeeac2e0

SHA1
e080258310ac20c855d95bbac700f945ac25de06

SHA256
df9c51d768084ba1c0feda6e8d30d9d5298f8494d1b4fd7841f271901cab8dff

SHA512
a11cad98d2171570e5c67990e1064466df69f9d5790e35a80beb80d56f18ec253b946c142e8ade3e428cbc3b67957b717e06fc19f8c4b3db54be291266aa2cb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ae98e46613931e77ed814688c1825530

SHA1
a8beff48f1365e26506708c85398e68277df0f13

SHA256
ffb451ef385d847389bf51043ccd403b3d50aa087c8a002a87ec7e491ca4764c

SHA512
daf623c267a74adf00cd5da8a00e80de2e17128934eb7b31db6736a92e991f5f3d3d771533e8efa1b2eefe28d345f26b4b665d6fcef418a2a8c9b352f19af609

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
d355a5c759db134d81e17e8ece4ddb17

SHA1
671912fc98ce95d5c72e6007b443cd4b186e7061

SHA256
960f4cca2f79c1a85e82ab8ca9418a9bbd5eda8f8bd3e856365f7811d22d2c60

SHA512
7a02fe9539692832d70e8b14005f5edb1b0ef003838aa78a14693bd54d179519748b8994f38b013f5bdfaad5ae1fb908cad608d03aab8d952e598d18acdaf120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
a7284611a10c951bbd25454ce506877b

SHA1
3e4935aa5a3a742f45e815bef084e65f21dc9efb

SHA256
f4027695435a7726f40a2101f564f141480a34b7ccba6acc5810126e4102934f

SHA512
bc201044d649e3a720e8b0468d86be7148b08b42def44a7846020450c9e20bb47cac7d0fbe2e4e3dd0e160f58af5372ed1e615eaa5adcc2b95a4d2da1d523eb6

Download Submit
memory/1456-523-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/1456-204-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/1456-531-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/2904-0-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2904-1-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2904-130-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/3668-521-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/3668-136-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/3668-134-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/4444-525-0x0000000000C40000-0x0000000001CC5000-memory.dmp

Filesize
16.5MB

Download
memory/4444-227-0x0000000000C40000-0x0000000001CC5000-memory.dmp

Filesize
16.5MB

Download
memory/4632-225-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/4632-216-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/4632-240-0x00007FFE347B0000-0x00007FFE347C0000-memory.dmp

Filesize
64KB

Download
memory/4632-214-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/4632-226-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/4632-286-0x00007FFE347B0000-0x00007FFE347C0000-memory.dmp

Filesize
64KB

Download
memory/4632-215-0x00007FFE36B50000-0x00007FFE36B60000-memory.dmp

Filesize
64KB

Download
memory/4900-524-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/4900-200-0x0000000000260000-0x00000000012E5000-memory.dmp

Filesize
16.5MB

Download
memory/5116-520-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/5116-133-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/5116-402-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/5116-129-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/5116-581-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download