xred | 6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

Analysis

max time kernel
112s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Size

4.6MB
MD5

951ea841732871d4dd799fdf1fdf57d1
SHA1

70d47ead9a8e584a2b0f6b872847bb4d90c7fa62
SHA256

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7
SHA512

57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFu:hLBmZb0bEds4XFR0OiC/GTu

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1036	Synaptics.exe
2580	._cache_Synaptics.exe
700	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Loads dropped DLL 7 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1036	Synaptics.exe
1036	Synaptics.exe
2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid process

700 ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
700	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
476	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

._cache_Synaptics.exe

pid process

2580 ._cache_Synaptics.exe

pid	process
2580	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
"C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:476
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
951ea841732871d4dd799fdf1fdf57d1

SHA1
70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

SHA256
6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

SHA512
57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
11KB

MD5
c9f163f6f3b8c1847a6f8844bee642a2

SHA1
0d08be9f454db29ee551af757515990dcb211d13

SHA256
1515e097bfcaab782d6e27014a10c315b8631f69d40ca7b8c0dea524bdc60ac4

SHA512
252c5efa45a26b25dbf7b831f89a89c8acc85bda72171bf982711400f9553ce6fb60a1ccaa5d9d7d9e33fa2270f58178466a5be7bbbf4d8afeef9a3c1d470c5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
16KB

MD5
23db9bf3a546bedb0991ee052cf4c50f

SHA1
e78e1db9b035edbee8c3541e02582919677c3454

SHA256
387d106345b7a71584d89072031047c3afd1dead13d215c0bd46c1abfa63563f

SHA512
e11a6f94a4a8c3c45507225e3535e1803b5dc1a502f3507ec26f89538589714eddfa52227ff27ed224391c588728fb893089b208d8c4028b3edb1ad9e19f9676

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a86dba1f3c05deda0a9569f173661255

SHA1
5129e5d0a2b900a36c137f9d8b155fc804e9cf11

SHA256
033ddff090df0472e5eaeb937e10fee8a8a5302f1f1f07c22f3defc26c6d2454

SHA512
2a1827ad55c77d7c6aa5df68b264bbe56261d34f9be3b0f0e47b4639ed0b04327bdd92fd7756c206c52948b1c6c0d17fd4c2b6d26b78acb12ed28dd81e840e12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
324561c3792ec3fdd717b56ac2f84fb3

SHA1
5700e6aa27b0d9ee77fbdb51d74d2ca50dc7d553

SHA256
cbb774d492bffb042690fe409b0ca31637777aadcd00735468faa5e08647e027

SHA512
5f95417c044cbf17c5e986042d2df0c48c900b4859580f3fd0407580decd5b5dcb0e0129715cfd45441f29075d50dcbd8aa6e3cafca99c78ec90cc53dcc9dcbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f14201ec501193a70cd8dbb59204c171

SHA1
7aa2e006798778ed764aaa719c845b010a3f8dc8

SHA256
824d3e1ce01e9e3276d1eedceb43e7730096405930278675e4908da3aab4df1d

SHA512
4d4f2d67757b3375da96b06ae5979544f5c56561865f957828af4863b36d10decb49edd97c5eca0180796fa00a6d8816f9e7f355fbb2b8f9e63484060afa04a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
96961276c967931016b1dc6e9ba5401f

SHA1
16cb834ac46006a389f24e1e360af2d958a34a2c

SHA256
9df305c92ab99c8c439925c17c483a6208e56e4ab4021dd240580799f36a4ab9

SHA512
333a01a93bd650929b5343a1a0ec92f297001bba63ac67f66458c222516e470eaedb3c7118b6013521adb6abfb18e7c1d8632537d9c342dbba648ae9e74b996a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
8d807e3cc0f50cbced4f6bcf5737b130

SHA1
db6fcb44cf2caa48d7f044e4bcfac79839d7ffe5

SHA256
18a16c4a30d4d17364ae7337e853b5183c897cd2c8e64ae3c51ea15967bb4cb7

SHA512
8c13490fe5f37e2e346efcfada824160edadcdaf6c3abdff2799f9d33a7362e2fa10c193923efdac7ba8f209f8a6a1255152ce12bca1c08a5b34e808d5d02f56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d84cc2f8d6e25df957879b85af2ec283

SHA1
b60bbab5a72d2ac12f1a83000d17b7719d621849

SHA256
0804d956b9846adc2322b14e630a1f953c0b8df25f6ea08c85682203ffc77a6d

SHA512
3b1c635748b0ef6e737596366ca7667d017d08d81e02215a44a24c3b3f433d102d305eec33da2ba5d09b9975b0de35279de470aa2ca7701b6188aead217828b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f8417f449b6b7bde2126969d7d8f7da3

SHA1
f5f1b2eb56f983058638d6fda2da517358ecf9d5

SHA256
f0a8191a0cef05aeeb78784c38b71c4502cebb57be3304dc5d698e41b6f3b27b

SHA512
3d2c69d12266a6f3344d0726653d1aecd28a5aac377f3305161b7e2e02ed63e61d0f91d7ba2ddf66020752b90edb0e0f8a1109f2e4000a607925aab3ff0b0a89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b575d13757d81294f75ce346a81297f0

SHA1
2034c0dc63fe50a61c3496e21f06232da2af6b10

SHA256
a265c250e65e008b4865f323ac7d552590198beb956b78006bee6bce871a62c6

SHA512
882b51ce7348e5e7251bf55d020b19d00c717737c103762ca9860ca85e6c5a5bf075233e87ac10faf4e781ab5316ad060be589e26968fc132fdb85c190ded0c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e3b5dbf1ea44d1440687f1bad7f8f18

SHA1
f39b71aa2570cdb58904e3862478c2e912e5ecab

SHA256
766d23a1e2e4bd153202138fb18ebef88494c14a75acbbeed37f3f7949627854

SHA512
b20c3f844702c61a732114366ce28476fc0bec088fcda21115bcf983e4f6a1248c0e0c35aaaf9f63795bef8b984da066f2a837cb1b43d05cea65feac9f35df1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
aeffcfc0c63a4e9ec63b21900e79e5ad

SHA1
dee0fd9e1da0a71743b0305890ef416b86798e29

SHA256
ab88c6c9c81c2e7aee1fe9ca5c9b5ed3d931c71fc322addf6f10bd0f20041b1c

SHA512
2dd36ff76c4f8e5e4e24701b0b41be64c7db77b1b94b79b17a769f87fa6030eb2f5dfb5c755536d70fdc91cc5463df4bac89e3d6f8ae4e8a189869d688936708

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
02b5d3f3d4a217b632b7cd5c298d9d24

SHA1
d9c12a7f28f18ab071614d091c73079f0e932adf

SHA256
5c5d3faa849575fdecc45e9ee9dfb3f73a9640c961eb31b43f8d6d60cca269ea

SHA512
146af7280cf0830f6b25a9b6c9368ba8487195fcfa2c142069105bbc041479b1453a4bbb5104a09ec29090634463fc2f37c4152777edd38bf6ac4ca795d85646

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f50966a8d6252d8f38668346929b58f5

SHA1
486a01d31f0aaec69059845f693f1598442d4880

SHA256
e1843b812f2fee20d2636341df36009936f643a92e15d58f05d9d0e227faf594

SHA512
1923c8cd836e7f5934facea8931f7baa3f8778a7b1798c8e09b17c5f60b799fc1ec193e9e11496c0e69b255c0741ac9ae969ee63ae6f30a60116fb9ced6ff98e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a8cfaf0394391749d14eca094e0cd3c7

SHA1
62f0628b2c8b633bbe94d6ea91827efa573c8194

SHA256
c2c5d9e4a36b5c4767db752409edb1f70b1fced923f117e088007dad6bcc88ca

SHA512
b4259e8b26534b130b7e9f338045e5d3137b328dadc141b7d83164951d93823a0480f0ff6e4b72e954974c07e5f48fd7a6eb7784263f8e54a03c2c1775ce4a96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
22bd3facb017d67c15811f44565a975c

SHA1
5e9f1545f21b3d4c4876c2f5e6d1866d08d82f2c

SHA256
8671c7ab3b967e3ed9b72125a62aaca331cf8dfcbfbc50e50e2abf24253cb590

SHA512
6df8db7b25e00d6914b56c002a81ddde123351cf84b60efab3a7b188209f1e3a1e6e69056a47609100c5ff62cf50ec492133a6b6b274b5c2c999aeb8af01a4d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
69255c581013d87c23c33de6d503bf28

SHA1
04822d5a658edb17d6bc2f362ec58e425591e4e0

SHA256
6fa2aeaa8c33f75882f0904391f4e25f6f46a5957a71ecb51b5008694c88728e

SHA512
3b691810d5f4ffb702a085bbd25075a00a22164de392d55c2841d844a5c4ea6d504eceb8c5a04225686f5df8bbc84240af589f53a2b4b46a41ab46dc30d80918

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
8febb2792c9ba00775ef2d720de948c9

SHA1
620bcab18a899fb0e5fbe816d36f17d02e506213

SHA256
1c6f926a9e9cf63d85d6d1c687323435f729a1a2a454ebb20124114124198c8b

SHA512
d1a0d950ffe8c196ca73b6d239bc55713b83c0c63b180221c3242de7a4b4d1ca9bc17dacaf367b86386094d089040b1a7c07ab402e3eff4d85510efd4e45b7d0

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
memory/476-56-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download
memory/476-362-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download
memory/700-59-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download
memory/700-361-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download
memory/1036-44-0x00000000043D0000-0x00000000043E0000-memory.dmp

Filesize
64KB

Download
memory/1036-356-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1036-423-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1036-33-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1036-358-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1036-360-0x00000000043D0000-0x00000000043E0000-memory.dmp

Filesize
64KB

Download
memory/2432-34-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2432-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x00000000043D0000-0x00000000043E0000-memory.dmp

Filesize
64KB

Download
memory/2432-29-0x0000000005BE0000-0x000000000608F000-memory.dmp

Filesize
4.7MB

Download
memory/2432-2-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-359-0x00000000003D0000-0x0000000001455000-memory.dmp

Filesize
16.5MB

Download
memory/2580-54-0x00000000003D0000-0x0000000001455000-memory.dmp

Filesize
16.5MB

Download
memory/2772-357-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download
memory/2772-23-0x0000000000A00000-0x0000000001A85000-memory.dmp

Filesize
16.5MB

Download

description	pid	process	target process
PID 2432 wrote to memory of 2772	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2432 wrote to memory of 2772	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2432 wrote to memory of 2772	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2432 wrote to memory of 2772	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2432 wrote to memory of 1036	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2432 wrote to memory of 1036	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2432 wrote to memory of 1036	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2432 wrote to memory of 1036	2432	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 1036 wrote to memory of 2580	1036	Synaptics.exe	._cache_Synaptics.exe
PID 1036 wrote to memory of 2580	1036	Synaptics.exe	._cache_Synaptics.exe
PID 1036 wrote to memory of 2580	1036	Synaptics.exe	._cache_Synaptics.exe
PID 1036 wrote to memory of 2580	1036	Synaptics.exe	._cache_Synaptics.exe
PID 2772 wrote to memory of 700	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 700	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 700	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 700	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 476	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 476	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 476	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2772 wrote to memory of 476	2772	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe