Analysis

  • max time kernel
    113s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/11/2024, 08:52 UTC

General

  • Target

    6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

  • Size

    4.6MB

  • MD5

    951ea841732871d4dd799fdf1fdf57d1

  • SHA1

    70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

  • SHA256

    6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

  • SHA512

    57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

  • SSDEEP

    98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFu:hLBmZb0bEds4XFR0OiC/GTu

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-service
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2340
      • C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-control
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2632
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        PID:1424
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2404

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    boot.net.anydesk.com
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    Remote address:
    8.8.8.8:53
    Request
    boot.net.anydesk.com
    IN A
    Response
    boot.net.anydesk.com
    IN A
    15.235.218.149
  • flag-us
    DNS
    149.218.235.15.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.218.235.15.in-addr.arpa
    IN PTR
    Response
    149.218.235.15.in-addr.arpa
    IN PTR
    ns5027926.ip-15-235-218.net
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    relay-0135ac48.net.anydesk.com
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    Remote address:
    8.8.8.8:53
    Request
    relay-0135ac48.net.anydesk.com
    IN A
    Response
    relay-0135ac48.net.anydesk.com
    IN A
    57.128.141.165
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    165.141.128.57.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    165.141.128.57.in-addr.arpa
    IN PTR
    Response
    165.141.128.57.in-addr.arpa
    IN PTR
    relay-0135ac48.net.anydesk.com
  • flag-us
    DNS
    InjUpdate
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    Remote address:
    1.1.1.1:53
    Request
    InjUpdate
    IN A
    Response
  • flag-us
    DNS
    97.32.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.32.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    xred.mooo.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    xred.mooo.com
    IN A
    Response
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    GET
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    Synaptics.exe
    Remote address:
    69.42.215.252:80
    Request
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 25 Nov 2024 08:52:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    docs.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    142.250.187.206
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:22 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-oaOBhuMrT3dEGot6-GpaQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=519=heqGYqOa8mH4tkMLvwyH8BUJYmfLBnZawMb5PqrqVtYPq44CpU7IslDgJn825Uie5YBZt289Q-BUE5e12cE5OmdVPK2Pan_j15s4e-5SgiBWgIIgUuQtZum0weqkLoito7ozCxlIm70b8WN7E-rjWhlsTYKnLiD-k26Ztaew3MPH3lrp
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:23 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-TDhdXFPEKE32_ConAzVc6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-gb
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=519=heqGYqOa8mH4tkMLvwyH8BUJYmfLBnZawMb5PqrqVtYPq44CpU7IslDgJn825Uie5YBZt289Q-BUE5e12cE5OmdVPK2Pan_j15s4e-5SgiBWgIIgUuQtZum0weqkLoito7ozCxlIm70b8WN7E-rjWhlsTYKnLiD-k26Ztaew3MPH3lrp
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:24 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-dyYyHYrgkcdEH0w8rq1Pog' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 25 Nov 2024 08:52:04 GMT
    Expires: Mon, 25 Nov 2024 09:42:04 GMT
    Cache-Control: public, max-age=3000
    Age: 78
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.200.3
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 25 Nov 2024 08:11:49 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2493
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    Synaptics.exe
    Remote address:
    142.250.200.3:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 25 Nov 2024 08:30:31 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1372
  • flag-us
    DNS
    206.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.187.250.142.in-addr.arpa
    IN PTR
    Response
    206.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f14.1e100.net
  • flag-us
    DNS
    drive.usercontent.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.179.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:23 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'report-sample' 'nonce-QkDgIba27SCks32_gzPzoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC5UwiFuqEbpft9pm6XcS_0gkVsRlLJJNbjC_ajO0b7i5g715i8pOdipfLVIfkzLc3ywtsU
    Server: UploadServer
    Set-Cookie: NID=519=heqGYqOa8mH4tkMLvwyH8BUJYmfLBnZawMb5PqrqVtYPq44CpU7IslDgJn825Uie5YBZt289Q-BUE5e12cE5OmdVPK2Pan_j15s4e-5SgiBWgIIgUuQtZum0weqkLoito7ozCxlIm70b8WN7E-rjWhlsTYKnLiD-k26Ztaew3MPH3lrp; expires=Tue, 27-May-2025 08:53:23 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=519=heqGYqOa8mH4tkMLvwyH8BUJYmfLBnZawMb5PqrqVtYPq44CpU7IslDgJn825Uie5YBZt289Q-BUE5e12cE5OmdVPK2Pan_j15s4e-5SgiBWgIIgUuQtZum0weqkLoito7ozCxlIm70b8WN7E-rjWhlsTYKnLiD-k26Ztaew3MPH3lrp
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:23 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce-FWnv2yAzjGHjlgSycEMKlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC6P8aqYHkb_05sjd8ZBc80e-fjyjcxvIgjXlHRap9R1kAcg4iqicMVtIHx6XBF84iJWQh4Nms6HJQ
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.179.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=519=heqGYqOa8mH4tkMLvwyH8BUJYmfLBnZawMb5PqrqVtYPq44CpU7IslDgJn825Uie5YBZt289Q-BUE5e12cE5OmdVPK2Pan_j15s4e-5SgiBWgIIgUuQtZum0weqkLoito7ozCxlIm70b8WN7E-rjWhlsTYKnLiD-k26Ztaew3MPH3lrp
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 25 Nov 2024 08:53:24 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce-mEkJYGmqDdd6Qo1uSm7t_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    X-GUploader-UploadID: AFiumC53SnmJkaJxetC1PD1adLnI59f7D8Zp8P-sK1s6YkwJ1w5wNOUmamzmDHLzNm8E-PQnQh4sfjPowA
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-us
    DNS
    225.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.179.250.142.in-addr.arpa
    IN PTR
    Response
    225.179.250.142.in-addr.arpa
    IN PTR
    lhr25s31-in-f1.1e100.net
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 15.235.218.149:443
    boot.net.anydesk.com
    tls
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    1.8kB
    1.9kB
    8
    8
  • 57.128.141.165:443
    relay-0135ac48.net.anydesk.com
    tls
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    33.6kB
    823.2kB
    593
    663
  • 69.42.215.252:80
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    http
    Synaptics.exe
    430 B
    415 B
    6
    4

    HTTP Request

    GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    HTTP Response

    200
  • 142.250.187.206:443
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    1.9kB
    11.3kB
    16
    14

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303
  • 142.250.200.3:80
    http://c.pki.goog/r/r1.crl
    http
    Synaptics.exe
    303 B
    1.7kB
    4
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.200.3:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
    http
    Synaptics.exe
    738 B
    1.6kB
    6
    4

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

    HTTP Response

    200
  • 142.250.179.225:443
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.4kB
    14.7kB
    23
    21

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    boot.net.anydesk.com
    dns
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    66 B
    82 B
    1
    1

    DNS Request

    boot.net.anydesk.com

    DNS Response

    15.235.218.149

  • 8.8.8.8:53
    149.218.235.15.in-addr.arpa
    dns
    73 B
    114 B
    1
    1

    DNS Request

    149.218.235.15.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    relay-0135ac48.net.anydesk.com
    dns
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    76 B
    92 B
    1
    1

    DNS Request

    relay-0135ac48.net.anydesk.com

    DNS Response

    57.128.141.165

  • 224.0.0.251:5353
    358 B
    6
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    165.141.128.57.in-addr.arpa
    dns
    73 B
    117 B
    1
    1

    DNS Request

    165.141.128.57.in-addr.arpa

  • 1.1.1.1:53
    InjUpdate
    dns
    ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    55 B
    130 B
    1
    1

    DNS Request

    InjUpdate

  • 8.8.8.8:53
    97.32.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.32.109.52.in-addr.arpa

  • 8.8.8.8:53
    xred.mooo.com
    dns
    Synaptics.exe
    59 B
    118 B
    1
    1

    DNS Request

    xred.mooo.com

  • 8.8.8.8:53
    freedns.afraid.org
    dns
    Synaptics.exe
    64 B
    80 B
    1
    1

    DNS Request

    freedns.afraid.org

    DNS Response

    69.42.215.252

  • 8.8.8.8:53
    252.215.42.69.in-addr.arpa
    dns
    144 B
    144 B
    2
    2

    DNS Request

    252.215.42.69.in-addr.arpa

    DNS Request

    252.215.42.69.in-addr.arpa

  • 8.8.8.8:53
    28.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    docs.google.com
    dns
    Synaptics.exe
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    c.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    o.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.200.3

  • 8.8.8.8:53
    206.187.250.142.in-addr.arpa
    dns
    74 B
    113 B
    1
    1

    DNS Request

    206.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Synaptics.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.179.225

  • 8.8.8.8:53
    225.179.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    225.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    4.6MB

    MD5

    951ea841732871d4dd799fdf1fdf57d1

    SHA1

    70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

    SHA256

    6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

    SHA512

    57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

  • C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

    Filesize

    3.9MB

    MD5

    30c9c57aa570088d745fac7bfd05b805

    SHA1

    d579d18848859614e219afa6332d410e0ca71fc3

    SHA256

    8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

    SHA512

    182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

  • C:\Users\Admin\AppData\Local\Temp\14A75E00

    Filesize

    21KB

    MD5

    269fb3e43f092f1e35044aedec7f4adc

    SHA1

    e6a1160582ba583babc3df8503042e0ce6b3a3bb

    SHA256

    0f96f3541b7d05beccfe48cfc9f0ec09f30830c7b2d00db6251c5aec1b8c8cc4

    SHA512

    052e0b72da5db8b208b7fcccf22f1b9f13ede291f472c0fc8cdf9961335be21ddfe089146be751227c72372e2775c88c3267db87a143cf29fad5683fdfb42a64

  • C:\Users\Admin\AppData\Local\Temp\gcapi.dll

    Filesize

    385KB

    MD5

    1ce7d5a1566c8c449d0f6772a8c27900

    SHA1

    60854185f6338e1bfc7497fd41aa44c5c00d8f85

    SHA256

    73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

    SHA512

    7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

  • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

    Filesize

    6KB

    MD5

    0e22f6afdce420cf2ad67d5b901da154

    SHA1

    dddbece61e799554d90328ba244327e36ed1c1f3

    SHA256

    fcaefa99b6eaacf1981d6ff7826ab605b67d90436526c454b9bc9222dd0420a1

    SHA512

    dc791dd0de7b5badd52acf97d18ef54c9ecd950355d4b4836529bdd0b67ad6714632e021f55a7c8440d472dd3cbd81d09c79df0bcdb370cca21fe31b3218af77

  • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

    Filesize

    9KB

    MD5

    66b5caa202ec2349c1f83f2b7a921dd6

    SHA1

    ee9d60c55862fb46dde5ac2c9f156bfec44c466f

    SHA256

    c8367fb19a3ef05ce60b7d725af3a194ad47caf51801e16cdcd8639f5933e0f3

    SHA512

    a7d82b4600229fcf5dde263fc320b45edb16097c6b4d7cfca509061a9d13a81264089a9f17d4c072435c07095da48d2689b27189f1b4eef0eafe05cc1341cf73

  • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

    Filesize

    12KB

    MD5

    6de7837b137d60c4ea92ada98816abf5

    SHA1

    863bc674c3d60354d38d28bc198c9d4387df313d

    SHA256

    ffd36f0f345df577700c6720dad3ac2adcdddb977b4cdf5ad4c2a983047b384a

    SHA512

    0ee984a845feaa4feb15f15bd649843ce79395ad7c18e68b67cb164f99f9ee3bf51a41da3e3ceb010119f703a9b0072924243eb31c864c5dab811746b7952b3c

  • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

    Filesize

    2KB

    MD5

    588ea4d70a4cb9a04d8ded06b75a657f

    SHA1

    ba2a409f0727198ce65b1da7f4a9f4281ec4c3a3

    SHA256

    2cb75e9fe8a566eb596688d6531c19a3f94ec21fb0ba3a0f73b7da4a0e1225d2

    SHA512

    b30f44fde0913b239169f1abeccadabb7f70fc9fcbb4ac514cb107cec3a69896b81a30960d82771f2ece85d5f55d365067613c6bb90bfa52dad693731dd3c0e1

  • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

    Filesize

    2KB

    MD5

    36d9caff928c3cba31e56305a41df02d

    SHA1

    0972acc9cdc53d0ed4a7e9bd583d6b8bd11d0b8d

    SHA256

    716750aa0f041f83851fd4711b93d7afc476320954991b17d6cc23708d8759d3

    SHA512

    ffae657d3146f7943970600b6c257ef4fd2c4d09d2ebd3a801ebe21cdb460eea91a02b5ebc19fa0b56f25a6bb9c105306b7ae4cd54fefd8147f8d60db972dcfb

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    312B

    MD5

    0c04ad1083dc5c7c45e3ee2cd344ae38

    SHA1

    f1cf190f8ca93000e56d49732e9e827e2554c46f

    SHA256

    6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

    SHA512

    6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    424B

    MD5

    11d8e1bb0e697349bd09f3d3912e9075

    SHA1

    14e4b668eb1ca0a9fac57ba5909247cc4d2bd011

    SHA256

    03c7109286e84f8e03933197a97a4b4a66228b1c64f8319a6b4b1b3308e77630

    SHA512

    35154f1f0653a8dd59950056bc4fb1108750aeb90c1ef10ec06945695270211ae863f5b10dff74916ced91b01d3e4d6f47ed122464699eaaa88952198f438069

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    681B

    MD5

    5cd400d09b0462cf0a73416279776440

    SHA1

    f3d4573bdb83b55598b29437662667b5235c546a

    SHA256

    8c9a0943c071ea09bc9bff353e2627a9d54f340d18149246b9274fd0b4aa2cf0

    SHA512

    651cd59928f255443c8a03c04a22b547d7dd6a2a22584ff91b557b527e4f6c49b11de62b6acccf638e7b76b04dba5d01ac7dd9d412718d38b06290ea9fb67108

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    738B

    MD5

    b7a5c23ab905401ca4be8c44aa281724

    SHA1

    1940d7b970b1b1839447867e6384cc715d5c8535

    SHA256

    0c807eef8f493b781bc006b9d1562cc6b407c2a4adbceb85844daa39ccc64028

    SHA512

    e8bf0c2d1ace5e6d8c808a8e5dc88bdfed42e2bc42ece474dbf7cda33efefb6c938e6639cf6a325dbed46a5ad4a31f372c5d121b4da2561db4856070917a6972

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    785B

    MD5

    bce6f2ceb7bd5b5c96599e01ebc31d21

    SHA1

    0e46e6c1283b698f2e661a581a469b27e61e7b13

    SHA256

    891929a211cec397e0d22a0c3d470634769fb779396f8941678fbc40b17a4035

    SHA512

    6d108744ba2899b90bd3ea0d6d8ccb79d0997a6df5db332d1753f37c52297e0e1273ebb3867db89fb792b414775b2e5bc740529d84cd9475317d9ce039a92fd8

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1003B

    MD5

    a3b44a0d2827d1799870b20d5c452767

    SHA1

    9a4d5ea58ecb4afe014b1fbebab057efe31ca050

    SHA256

    efbbd1f823b37dd6fe7c9c90e71237426a8abe0a4833bd18d07ae2c995a34d3c

    SHA512

    042542d6c53d8bd0ab01bb4675b147929aaa1d6463e15b9b2dff89dfd585972f49053b36eeba68a5f9fc97fe46194139a886370e671992ffede39f80a3ce1fdd

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    2dadc817ba70aebae93b5b8bd881ad29

    SHA1

    ddab43f7307c9af94f054e84ac40074fe2b0145b

    SHA256

    5056eea27357d38a0392c256c63985f02ed685c5074cfafacec4cb8c80255ccf

    SHA512

    be41e8928e7579b05c510d7e82e23dc2ab7953a3be80172cdc3406e62793d93f804aa922d0fc0bcf636d2f6a4ac956d1e4bbc166e46648591375bb4740c1ed04

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    e5c8862f8702caf6594c107f9ea8552a

    SHA1

    16229fd4b2e9007bcb40d01563389f8f8c9fe0e5

    SHA256

    cfe362235f276ae6467ea5f23d4ecbec17c870aec1909e51e4ab949f45de2ca1

    SHA512

    17cde7c1a33516f164b77b7757c690eb5f598834e655cc673c21b9c4fe992f4700cb201f9e539251ca4eebb338f3de948b992a35f65045263be02477ba35bf24

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    af011606af8edc7d6c79f8e372640e7c

    SHA1

    fcf12243be52274f281780968640b2bbc1b7d52b

    SHA256

    209d04e2c2ccf9a3c845a0ab76c0b81997e5c7bda75ebdec4b4113539d242f0e

    SHA512

    82392d043eeb0a453c653e54540566194e0440b2d10558e981018836066303a00f088f08a4ba35c13547c82527d346c85f3d9814348dd457e0f7ebd87f625703

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    6KB

    MD5

    89b0d888049c74519f3d47b945f7c096

    SHA1

    dbcfbeb4cb1a1b0f5fe13bd5f6dfee255b5e03fb

    SHA256

    834bba5b8679cced44c29f19bb1058d32469d8bd4a80209ea054877d83eec10f

    SHA512

    a52e7862701a6fc43053a723ddd6e66f5a376d29ac8ca34db1c855661ba034527617f11802ad32a67e06be288d0f39d481a06b847428ddba6f2cc9a6bae14df7

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    6KB

    MD5

    1320215729b776d28a9dd683609ff2a7

    SHA1

    84c77a8ab68a39783617e720ac525701e894ec75

    SHA256

    8eea2233282271376065d7cd6881167c1aa59ce4e54feaeb22c87736e2e9b15b

    SHA512

    49d1d730b4c96f1c9aaab0b397a4f2b8d39122110a54a2210b0958299d53342e3f521f6a3e09bf3c255a9fc731c38884173912265445a1e4a7f062fb31183007

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    6KB

    MD5

    7aecb866efa84cc793822c1a06ee725e

    SHA1

    084d2aa78abe0a284c89f71060c1528f2f05ad32

    SHA256

    89ae88d48ba8f66e884a0e76abc27c3be9546e86e4f73d3b10e84b8f672d7d6f

    SHA512

    8c7c28780b2923f888cb590d4bdb2ad192baf3dc85733f1188ead582d9a46248f6f61c67cc1f436bdcc90ca45f3378e0a4b57e3d0525152385c37a20fa68959f

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    6KB

    MD5

    2138a7554d6f3b6f85685f33e3eac635

    SHA1

    5c0a4d57e274f5864f59f705d75ce627081e7179

    SHA256

    eba65898febe7024b15cc7dada2ac486600c4f276d7a546c64c89772c9543099

    SHA512

    db43b77fd928afb4af68d6cb1e52d1a5a3ad7891308e0a651d77a57d306331482e4f6e2f5c661734a1f9705ef82e2e2286b8670aac52c6f54f4db8e0337d9161

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

    Filesize

    4KB

    MD5

    5720108bb36d5c9029ef2f88e652e373

    SHA1

    fcc35ff9fcfc52876869a31dcbb5a0e286f7f1b1

    SHA256

    5ce4601ea7d8dfe030048af8ccf96b8d06ef95f7e4ab074ef13c421977c3332d

    SHA512

    c080b9b732b8da6198bb94b4e534dd680235c05b840488f1836ec5477fd1c93c9fa5d002a935ae736fe7df4a18a4d3abf679c9d3b2c030e81c7f92eef6be7d25

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

    Filesize

    3KB

    MD5

    7e48019b4cd30a1d9c477609b7f1576d

    SHA1

    2668dc75c9c1bddf6773f94fbd943eb90bbef8d1

    SHA256

    f62c45d5950194592f8b8891fba403a3aa06c8bb87e7c7317afcb428de00c53d

    SHA512

    b7c3225c609b6240cc0fa7ccc36f43f440ae138338b16c10cf089627a752be738b1e07fa33c162f0ad27ea50a923e1be9c9847a82ed95d60ca64a57dbc3019a4

  • memory/840-129-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB

  • memory/840-1-0x0000000002750000-0x0000000002751000-memory.dmp

    Filesize

    4KB

  • memory/840-0-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB

  • memory/1216-499-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/1216-184-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/1216-164-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/1424-498-0x0000000000D20000-0x0000000001DA5000-memory.dmp

    Filesize

    16.5MB

  • memory/1424-202-0x0000000000D20000-0x0000000001DA5000-memory.dmp

    Filesize

    16.5MB

  • memory/2340-212-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/2340-500-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/2404-507-0x00007FF8BE370000-0x00007FF8BE380000-memory.dmp

    Filesize

    64KB

  • memory/2404-503-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

    Filesize

    64KB

  • memory/2404-508-0x00007FF8BE370000-0x00007FF8BE380000-memory.dmp

    Filesize

    64KB

  • memory/2404-502-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

    Filesize

    64KB

  • memory/2404-506-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

    Filesize

    64KB

  • memory/2404-505-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

    Filesize

    64KB

  • memory/2404-504-0x00007FF8C0CD0000-0x00007FF8C0CE0000-memory.dmp

    Filesize

    64KB

  • memory/2632-210-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/2632-501-0x00000000000E0000-0x0000000001165000-memory.dmp

    Filesize

    16.5MB

  • memory/4516-130-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB

  • memory/4516-495-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB

  • memory/4516-131-0x0000000000A50000-0x0000000000A51000-memory.dmp

    Filesize

    4KB

  • memory/4516-554-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB

  • memory/4516-613-0x0000000000400000-0x00000000008AF000-memory.dmp

    Filesize

    4.7MB
