xred | 6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

Analysis

max time kernel
113s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Size

4.6MB
MD5

951ea841732871d4dd799fdf1fdf57d1
SHA1

70d47ead9a8e584a2b0f6b872847bb4d90c7fa62
SHA256

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7
SHA512

57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFu:hLBmZb0bEds4XFR0OiC/GTu

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4516	Synaptics.exe
1424	._cache_Synaptics.exe
2340	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2404 EXCEL.EXE

pid	process
2404	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2340	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2340	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2632	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXE

pid process

1424 ._cache_Synaptics.exe
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE
2404 EXCEL.EXE

pid	process
1424	._cache_Synaptics.exe
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
"C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2632
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1424

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
951ea841732871d4dd799fdf1fdf57d1

SHA1
70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

SHA256
6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

SHA512
57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14A75E00

Filesize
21KB

MD5
269fb3e43f092f1e35044aedec7f4adc

SHA1
e6a1160582ba583babc3df8503042e0ce6b3a3bb

SHA256
0f96f3541b7d05beccfe48cfc9f0ec09f30830c7b2d00db6251c5aec1b8c8cc4

SHA512
052e0b72da5db8b208b7fcccf22f1b9f13ede291f472c0fc8cdf9961335be21ddfe089146be751227c72372e2775c88c3267db87a143cf29fad5683fdfb42a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0e22f6afdce420cf2ad67d5b901da154

SHA1
dddbece61e799554d90328ba244327e36ed1c1f3

SHA256
fcaefa99b6eaacf1981d6ff7826ab605b67d90436526c454b9bc9222dd0420a1

SHA512
dc791dd0de7b5badd52acf97d18ef54c9ecd950355d4b4836529bdd0b67ad6714632e021f55a7c8440d472dd3cbd81d09c79df0bcdb370cca21fe31b3218af77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
66b5caa202ec2349c1f83f2b7a921dd6

SHA1
ee9d60c55862fb46dde5ac2c9f156bfec44c466f

SHA256
c8367fb19a3ef05ce60b7d725af3a194ad47caf51801e16cdcd8639f5933e0f3

SHA512
a7d82b4600229fcf5dde263fc320b45edb16097c6b4d7cfca509061a9d13a81264089a9f17d4c072435c07095da48d2689b27189f1b4eef0eafe05cc1341cf73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
12KB

MD5
6de7837b137d60c4ea92ada98816abf5

SHA1
863bc674c3d60354d38d28bc198c9d4387df313d

SHA256
ffd36f0f345df577700c6720dad3ac2adcdddb977b4cdf5ad4c2a983047b384a

SHA512
0ee984a845feaa4feb15f15bd649843ce79395ad7c18e68b67cb164f99f9ee3bf51a41da3e3ceb010119f703a9b0072924243eb31c864c5dab811746b7952b3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
588ea4d70a4cb9a04d8ded06b75a657f

SHA1
ba2a409f0727198ce65b1da7f4a9f4281ec4c3a3

SHA256
2cb75e9fe8a566eb596688d6531c19a3f94ec21fb0ba3a0f73b7da4a0e1225d2

SHA512
b30f44fde0913b239169f1abeccadabb7f70fc9fcbb4ac514cb107cec3a69896b81a30960d82771f2ece85d5f55d365067613c6bb90bfa52dad693731dd3c0e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
36d9caff928c3cba31e56305a41df02d

SHA1
0972acc9cdc53d0ed4a7e9bd583d6b8bd11d0b8d

SHA256
716750aa0f041f83851fd4711b93d7afc476320954991b17d6cc23708d8759d3

SHA512
ffae657d3146f7943970600b6c257ef4fd2c4d09d2ebd3a801ebe21cdb460eea91a02b5ebc19fa0b56f25a6bb9c105306b7ae4cd54fefd8147f8d60db972dcfb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
11d8e1bb0e697349bd09f3d3912e9075

SHA1
14e4b668eb1ca0a9fac57ba5909247cc4d2bd011

SHA256
03c7109286e84f8e03933197a97a4b4a66228b1c64f8319a6b4b1b3308e77630

SHA512
35154f1f0653a8dd59950056bc4fb1108750aeb90c1ef10ec06945695270211ae863f5b10dff74916ced91b01d3e4d6f47ed122464699eaaa88952198f438069

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
5cd400d09b0462cf0a73416279776440

SHA1
f3d4573bdb83b55598b29437662667b5235c546a

SHA256
8c9a0943c071ea09bc9bff353e2627a9d54f340d18149246b9274fd0b4aa2cf0

SHA512
651cd59928f255443c8a03c04a22b547d7dd6a2a22584ff91b557b527e4f6c49b11de62b6acccf638e7b76b04dba5d01ac7dd9d412718d38b06290ea9fb67108

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
b7a5c23ab905401ca4be8c44aa281724

SHA1
1940d7b970b1b1839447867e6384cc715d5c8535

SHA256
0c807eef8f493b781bc006b9d1562cc6b407c2a4adbceb85844daa39ccc64028

SHA512
e8bf0c2d1ace5e6d8c808a8e5dc88bdfed42e2bc42ece474dbf7cda33efefb6c938e6639cf6a325dbed46a5ad4a31f372c5d121b4da2561db4856070917a6972

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
bce6f2ceb7bd5b5c96599e01ebc31d21

SHA1
0e46e6c1283b698f2e661a581a469b27e61e7b13

SHA256
891929a211cec397e0d22a0c3d470634769fb779396f8941678fbc40b17a4035

SHA512
6d108744ba2899b90bd3ea0d6d8ccb79d0997a6df5db332d1753f37c52297e0e1273ebb3867db89fb792b414775b2e5bc740529d84cd9475317d9ce039a92fd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
a3b44a0d2827d1799870b20d5c452767

SHA1
9a4d5ea58ecb4afe014b1fbebab057efe31ca050

SHA256
efbbd1f823b37dd6fe7c9c90e71237426a8abe0a4833bd18d07ae2c995a34d3c

SHA512
042542d6c53d8bd0ab01bb4675b147929aaa1d6463e15b9b2dff89dfd585972f49053b36eeba68a5f9fc97fe46194139a886370e671992ffede39f80a3ce1fdd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2dadc817ba70aebae93b5b8bd881ad29

SHA1
ddab43f7307c9af94f054e84ac40074fe2b0145b

SHA256
5056eea27357d38a0392c256c63985f02ed685c5074cfafacec4cb8c80255ccf

SHA512
be41e8928e7579b05c510d7e82e23dc2ab7953a3be80172cdc3406e62793d93f804aa922d0fc0bcf636d2f6a4ac956d1e4bbc166e46648591375bb4740c1ed04

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e5c8862f8702caf6594c107f9ea8552a

SHA1
16229fd4b2e9007bcb40d01563389f8f8c9fe0e5

SHA256
cfe362235f276ae6467ea5f23d4ecbec17c870aec1909e51e4ab949f45de2ca1

SHA512
17cde7c1a33516f164b77b7757c690eb5f598834e655cc673c21b9c4fe992f4700cb201f9e539251ca4eebb338f3de948b992a35f65045263be02477ba35bf24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af011606af8edc7d6c79f8e372640e7c

SHA1
fcf12243be52274f281780968640b2bbc1b7d52b

SHA256
209d04e2c2ccf9a3c845a0ab76c0b81997e5c7bda75ebdec4b4113539d242f0e

SHA512
82392d043eeb0a453c653e54540566194e0440b2d10558e981018836066303a00f088f08a4ba35c13547c82527d346c85f3d9814348dd457e0f7ebd87f625703

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
89b0d888049c74519f3d47b945f7c096

SHA1
dbcfbeb4cb1a1b0f5fe13bd5f6dfee255b5e03fb

SHA256
834bba5b8679cced44c29f19bb1058d32469d8bd4a80209ea054877d83eec10f

SHA512
a52e7862701a6fc43053a723ddd6e66f5a376d29ac8ca34db1c855661ba034527617f11802ad32a67e06be288d0f39d481a06b847428ddba6f2cc9a6bae14df7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1320215729b776d28a9dd683609ff2a7

SHA1
84c77a8ab68a39783617e720ac525701e894ec75

SHA256
8eea2233282271376065d7cd6881167c1aa59ce4e54feaeb22c87736e2e9b15b

SHA512
49d1d730b4c96f1c9aaab0b397a4f2b8d39122110a54a2210b0958299d53342e3f521f6a3e09bf3c255a9fc731c38884173912265445a1e4a7f062fb31183007

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7aecb866efa84cc793822c1a06ee725e

SHA1
084d2aa78abe0a284c89f71060c1528f2f05ad32

SHA256
89ae88d48ba8f66e884a0e76abc27c3be9546e86e4f73d3b10e84b8f672d7d6f

SHA512
8c7c28780b2923f888cb590d4bdb2ad192baf3dc85733f1188ead582d9a46248f6f61c67cc1f436bdcc90ca45f3378e0a4b57e3d0525152385c37a20fa68959f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2138a7554d6f3b6f85685f33e3eac635

SHA1
5c0a4d57e274f5864f59f705d75ce627081e7179

SHA256
eba65898febe7024b15cc7dada2ac486600c4f276d7a546c64c89772c9543099

SHA512
db43b77fd928afb4af68d6cb1e52d1a5a3ad7891308e0a651d77a57d306331482e4f6e2f5c661734a1f9705ef82e2e2286b8670aac52c6f54f4db8e0337d9161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
5720108bb36d5c9029ef2f88e652e373

SHA1
fcc35ff9fcfc52876869a31dcbb5a0e286f7f1b1

SHA256
5ce4601ea7d8dfe030048af8ccf96b8d06ef95f7e4ab074ef13c421977c3332d

SHA512
c080b9b732b8da6198bb94b4e534dd680235c05b840488f1836ec5477fd1c93c9fa5d002a935ae736fe7df4a18a4d3abf679c9d3b2c030e81c7f92eef6be7d25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
7e48019b4cd30a1d9c477609b7f1576d

SHA1
2668dc75c9c1bddf6773f94fbd943eb90bbef8d1

SHA256
f62c45d5950194592f8b8891fba403a3aa06c8bb87e7c7317afcb428de00c53d

SHA512
b7c3225c609b6240cc0fa7ccc36f43f440ae138338b16c10cf089627a752be738b1e07fa33c162f0ad27ea50a923e1be9c9847a82ed95d60ca64a57dbc3019a4

Download Submit
memory/840-129-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/840-1-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/840-0-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/1216-499-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/1216-184-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/1216-164-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/1424-498-0x0000000000D20000-0x0000000001DA5000-memory.dmp

Filesize
16.5MB

Download
memory/1424-202-0x0000000000D20000-0x0000000001DA5000-memory.dmp

Filesize
16.5MB

Download
memory/2340-212-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/2340-500-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/2404-507-0x00007FF8BE370000-0x00007FF8BE380000-memory.dmp

Filesize
64KB

Download
memory/2404-503-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

Filesize
64KB

Download
memory/2404-508-0x00007FF8BE370000-0x00007FF8BE380000-memory.dmp

Filesize
64KB

Download
memory/2404-502-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

Filesize
64KB

Download
memory/2404-506-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

Filesize
64KB

Download
memory/2404-505-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

Filesize
64KB

Download
memory/2404-504-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

Filesize
64KB

Download
memory/2632-210-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/2632-501-0x00000000000E0000-0x0000000001165000-memory.dmp

Filesize
16.5MB

Download
memory/4516-130-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4516-495-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4516-131-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4516-554-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4516-613-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download

description	pid	process	target process
PID 840 wrote to memory of 1216	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 840 wrote to memory of 1216	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 840 wrote to memory of 1216	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 840 wrote to memory of 4516	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 840 wrote to memory of 4516	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 840 wrote to memory of 4516	840	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 4516 wrote to memory of 1424	4516	Synaptics.exe	._cache_Synaptics.exe
PID 4516 wrote to memory of 1424	4516	Synaptics.exe	._cache_Synaptics.exe
PID 4516 wrote to memory of 1424	4516	Synaptics.exe	._cache_Synaptics.exe
PID 1216 wrote to memory of 2340	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1216 wrote to memory of 2340	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1216 wrote to memory of 2340	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1216 wrote to memory of 2632	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1216 wrote to memory of 2632	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1216 wrote to memory of 2632	1216	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe