xred | 6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Size

4.6MB
MD5

951ea841732871d4dd799fdf1fdf57d1
SHA1

70d47ead9a8e584a2b0f6b872847bb4d90c7fa62
SHA256

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7
SHA512

57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFu:hLBmZb0bEds4XFR0OiC/GTu

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Executes dropped EXE 5 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2844	Synaptics.exe
3032	._cache_Synaptics.exe
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1904	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Loads dropped DLL 7 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
2844	Synaptics.exe
2844	Synaptics.exe
988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeEXCEL.EXE._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1020 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid process

1904 ._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1020	EXCEL.EXE

pid	process
1904	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
1820	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EXCEL.EXE._cache_Synaptics.exe

pid process

1020 EXCEL.EXE
3032 ._cache_Synaptics.exe

pid	process
1020	EXCEL.EXE
3032	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
"C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1820
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:3032

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
951ea841732871d4dd799fdf1fdf57d1

SHA1
70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

SHA256
6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

SHA512
57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Filesize
20KB

MD5
59e97b84e33611c524c53bc6175989ba

SHA1
33cdabe3416b15334233a912efeacab4db8fb80c

SHA256
2ec185b5099ba8d9cd08bb3b69093e2574d66af56cb80df680ac16f18cc47028

SHA512
c22201b4ecf26a50bf969e23fedf36a85f7968181b5b09273e9fd28173ce42ad44df715890fd6ccbd025375dbcf1584aa101b5eba2041a334872df4da6960444

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Filesize
26KB

MD5
2104ae399166afaf65e4579f1cf04284

SHA1
0ceea342b09de94b0fbf1ea1a8a7bad3007e52ee

SHA256
594fb63eef5429e64309c35dc0c0fa3944be4ca0a5ff90941345bf8e200aeada

SHA512
ec57c93cbac678ad4058b9eac15e70dbcc3be3e9114aa29e1d44f968aeb0ff19fad37361235e5d407ad5900b991e7c1d977a64a4b18c1474a365e65207738f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Filesize
22KB

MD5
f771ca86e46bbc9236228acc67996acf

SHA1
1ae1c302fb9f918091e71ae95cda8f5aa9a9d289

SHA256
a9fced4cf328f14bf258ad0df6d8ad56601449c654e366abb495edd9af89716e

SHA512
12358fd53eba82dba2f2b0328879ebc68d180d1731f6ebde991e6345642de671ebb0f35d5ed35c0b66e2bcdd7486d13ed103101e22237136d077fbdbf9ca85aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPzzS4ZE.xlsm

Filesize
25KB

MD5
261eab26acf60cc6fb2b0926d2da0f8e

SHA1
6f02c3fd1ac472add55804ddb0d5ebaf45be683c

SHA256
9f15a57f72859eb67adde09574df06142303ebbc7d59b13ebb35730d5b10d633

SHA512
bb3e23852add254a5e4ce44a3c336e1bb0d489e65f48a06f23b4c1622fc5942623f6293267c852a03f8a5c4b6720294a5ea88ae15b755685fcfb79d88d8339ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$JPzzS4ZE.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
16KB

MD5
1192a7222f183782e0cf2aab21d8cce3

SHA1
1498642d77c49d30f6841d9d7cd8d686f9987927

SHA256
a52d33bf285c76aa31dba1650af14074ee16608fbbd2a87775117cbc460fc5e2

SHA512
ab8e614e40f79df2b83b3bf76ec39e34fa36d72d14d5068abe5206a27a91d63a4bdb2af3836ccb369fcca368ebe5349598678c576935e378b6b5f00728660abf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
b241787aaef8f620916d152bbc32d8da

SHA1
e431ee398129f5159c288004a4a6cb6f3943f5ff

SHA256
9055376496d0311e040f1dfefbd442c5b17ba2852ea2efd3d40659c9ff145ecb

SHA512
026644bc0a15b11d363c933e6327036a767ca9f5bbc96b72ef94d0821c8c5d4e2dc2df013d61e18965d90ae14fc8c507ce61ef03d5fa653d7726e94822c596ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ace8892d403b930ca9d24b06ba1212e9

SHA1
21ee9e61cad68f3bcc009883be0963aa9e9e2b09

SHA256
8b1e346adfda894db928ca7f239715cb49471417d79fed7bba7609f321caffd0

SHA512
3a1f1c3df1881e741dd74d85a5ceed77103a75610d6d2b4f707d277460a047d1012762e58a4bc67602a909341f644f87a99d56fc5238290e8658251fa84e279d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
faeb634d18c6c5568160f7e105133a47

SHA1
b6daf625290806b623c4f3f226c4a2d45d893fb3

SHA256
5fe6e354e559c4b45c7c445b97ee35dacf0918ae215e27b9a8e35b19bd2cdbd0

SHA512
4b9a87311f72ee623896b5dcba2daa88173fdca72255ff0e969091c16fea44b87892a4f72f8d2f217703d1c31aa77e465a5d4db19745f4695447e44487a36f8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f5080ae5ec9d1ecb9ea66be6e733026e

SHA1
a36a9e6c32fbc629c0b497f9a6e6bf6655a948d6

SHA256
445aa6a43bb5da16ace7a1c8ffc979c690adaadb15817b5f5ac8bb3228c23dab

SHA512
0f719c8b5d9706196088c52f53deab17a140ebbae638b40329c5038180bfbbafa2fb627f83d6ebc700566e2029ed4bcb503b3ed4486771fe0c09459934d870aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
d1c4ad4142e61252cf64afae99e54632

SHA1
b8cf77041a598afdf8437ced38dbba9300d9da78

SHA256
5609cb6c21af6960d56c99572ee6200db1eee7f1786f91291ee3cd61aa4c5fb8

SHA512
773985df5a9a6de6b405a31df93b6c6e10eab88d8802fe0414a72b8857da47655a77123719d8c47506ba9f494c880d464337c70a06ffc06f0696a85868713ae5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
26821da90ba318b0eff6f7ce04a1c0ed

SHA1
a130c57661344efa355f77840e5d19347c935c9a

SHA256
1d6c646b7d0136f980cf5dc7f7d15581cefd17869a34bac6170a8a0b1997381e

SHA512
aaf8479a06ad007f205d4daeb2e137a90c80357977c4698b9b54b05f7866d364b93878c8618570cd1c27e44dcd7ff98dea1effde78a13365c91e6ead20b9dd4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
85fee9e6cc9e64ef06c80a0adcdc9a58

SHA1
c4729b089792d4ced30deb14abeb2ed3c264848a

SHA256
856304ad89d978b9e6d199cebff2a36894f41dca8b063c76ec5db75dbf15881f

SHA512
99cbe9722a9df652b4b5e03fab69157375f5b4897dea38ca2bc149734574ea218ce0490f6a100ef34a949e83f06376f435c71363221501de79645f0abb5506ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bcd16edc098dcd86c164493b65e58862

SHA1
154a473dcd34b898d61f95c525e3b3d533173e37

SHA256
66816b329046ad66c745fcdbe2ae2dd6696b9de28a3ce57503cf5972ccd34edf

SHA512
10df1ebeffbb1b1f811382b08091bb73add16ae84ca18555743c42e7a2030f5e13fe51a420c4e3edd6af01ab429699c796fa9caeec419dbd4b8b9fa82822f18e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
66311a02b28edcd8bf8c2ff89bad4880

SHA1
b81504dcb94fc1b3428ba5b3c993ed830070c4e4

SHA256
f7f76a2b3710e1fc3323ffdb63226ea411730d3e2b3e6fc87bd52f7585397b22

SHA512
2399b602b7668e361d2cbdab6c8b7ff589c4675758ff1c886c19bcbf7b12089f09c22a78185f88975d3895a5e48324717651c68fd18b90f504df97b837577740

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e0de2764a9dc43d6888a33071f307676

SHA1
163eebc26e9376e5c9c3df56e23878c2cacd0eaa

SHA256
1b97517a03922d4febd0ad643f8ab0830e9ef5d3082532a952afd5a32b127fcb

SHA512
c55ba636a733818c0ea7e64acf62fefce78f6d5f724a146d8d4442905ef75a6f092afd43811365427e69a880677c9e8c112c60d6dbb8ea94d05d21c53552d61d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2ac9b4d7fa6a430d21f7e22b77ad9097

SHA1
c2630fe53654a43cc9e0047d02cebf2827caca31

SHA256
d55c19b54be1717ffe0860327133412fb61442ec73681d6824a0fc472a6e9c3a

SHA512
e8832c3169f66ee8a7e00be01378e6c3c296babbb942add8fddd13f3d82f0239f56d53838535f6e63694aea827c1735470553672dff8249e091fe012cd02306c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e901acd1228496a9419fe56b80402da

SHA1
407df16dcc63265b8061f0d1d750dc16e6b4cbc7

SHA256
69303e9e3687d3c5e095b85e0bdcd877c8d6d500b3b9cad218c7c71744138951

SHA512
904ce57d8b9d0a752bf104d7f8781a43d4f94aee77e65fe6779e6ce56b7da59be5057d266a45d5038bf44df09ecef26c33088e85099b7fdd823f3a9bffa0d7fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
07ba4a733670d5cbd7252cfd8b7131c2

SHA1
102f33644cfca7446d196716c0d8a3ed6580a60f

SHA256
dd9b65e7f05244a0b01ef84b16e043b347a6a63fb9c8ceff0e8a137089d15072

SHA512
76d3011b39b61e550b554e7174ccd40c0d26e8a50f65ea02cebfff358a73a26582efe1a05c9efdcc2dfb3ed3e1f161c30e0213b6e2f71181a50a627a360dc6b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0e0e509b17acf62ceecdc95a6390e1ad

SHA1
1a4c1c2043968e2cc186f8c321e3679803982dc9

SHA256
aace0a31294ca726a6c1e4404e13f9e3f47b895476ad39225c737757a9527b13

SHA512
b5bdd96a4e473d1994a738517e64bfc153693b37fabc6073360f07c4034de1783da2211c65bd501184d019ac10c236e280b66bae26e273d7d76cf0df887f4fa0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
522882f602d847a999cf712cd7d300f7

SHA1
9a11d3fb1149f56238b0e49cc0d5c95c2c3e9a0b

SHA256
217800075b432e2a7befedab7ba40b52cd3679c8b92a444ffd9ba154a8017855

SHA512
50a36fbe91c17f62f751311e486bc59ec965330bc9fab320d94979af941a73f72a08966923e1cf578f0239e234c2d49318617261238dd831840dfa14c1c2672f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d6a23f1c119170b9f28458bc25e364b6

SHA1
45f4488255f47094ced8009eafb9afbc51e6819f

SHA256
38137aba75b3529fa463f9bf34faaead126f4052be00e222287c286cf083cc70

SHA512
37b78a6950bd5c75ea7b02606a5d4fb57593b1620b4004b9d7ed046e850eae0b19fd6357c06b9b2a6b0130d6d8d6d8bfb6c285dc23d24e7e5a7f8c9a506ba18f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
ac78937f85dd51109e5416e4b0673e91

SHA1
3be9b5e4152c3d513a8d66f01712d45f7e21a165

SHA256
da0cf852f4c5ebf177a6ac5e17cd11e5b565c4be7c11a27c3879b7a81c7b2dba

SHA512
e5de1ca29dca0ebe6f57a99ec7fea8d4d51d896dd6e693f8345c85f7a295cd432167e1f4c34a9416114d5e84cf19006a7083d6460a8cb8e3ea1a8881e8ac99ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
b4057423a1728d4ed9615b54e9a04115

SHA1
9b2f05f6e9c6a5e606ed48c7cb381f1b055788ec

SHA256
b3d6a48f6ff1aaae4a94950eb17b926d4737814ffc8f2efd0e4fa89185d214b1

SHA512
72fcb9963e6859092f50ebfe3b0306b631b96301e5d529c9a3a269c5d05981bda317c063c576ed812ffa51b4a9cb7bbf2ac5d36df923fffeedf63b8b70083a80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
cfd109807346e34c7ce61fbc8550b7ab

SHA1
28dcf7be4b65cc920ddb9491968d3523c7bc9b1e

SHA256
d625ef67bbc9eb7d3acf2ba6c2cc1f92862ea8379a6b700c14073671c3824f22

SHA512
ab9ebdda2c07b1c3f5740aa728559e26baf043c6178ccbea40277ea2129a9602d8de1df111c176ebc6d79cf7a705210a0ee4f36b7442e8a36325d2add006f904

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
memory/988-34-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/988-446-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/1020-180-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1020-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1820-86-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/1820-459-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/1904-458-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/1904-101-0x0000000000130000-0x00000000011B5000-memory.dmp

Filesize
16.5MB

Download
memory/2684-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2684-27-0x0000000005AA0000-0x0000000005F4F000-memory.dmp

Filesize
4.7MB

Download
memory/2684-2-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2684-5-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/2684-29-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download
memory/2684-28-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2844-447-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2844-31-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2844-457-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/2844-39-0x0000000004380000-0x0000000004390000-memory.dmp

Filesize
64KB

Download
memory/2844-461-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/2844-520-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/3032-456-0x00000000000D0000-0x0000000001155000-memory.dmp

Filesize
16.5MB

Download
memory/3032-46-0x00000000000D0000-0x0000000001155000-memory.dmp

Filesize
16.5MB

Download

description	pid	process	target process
PID 2684 wrote to memory of 988	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2684 wrote to memory of 988	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2684 wrote to memory of 988	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2684 wrote to memory of 988	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 2684 wrote to memory of 2844	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2684 wrote to memory of 2844	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2684 wrote to memory of 2844	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2684 wrote to memory of 2844	2684	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 2844 wrote to memory of 3032	2844	Synaptics.exe	._cache_Synaptics.exe
PID 2844 wrote to memory of 3032	2844	Synaptics.exe	._cache_Synaptics.exe
PID 2844 wrote to memory of 3032	2844	Synaptics.exe	._cache_Synaptics.exe
PID 2844 wrote to memory of 3032	2844	Synaptics.exe	._cache_Synaptics.exe
PID 988 wrote to memory of 1904	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1904	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1904	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1904	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1820	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1820	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1820	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 988 wrote to memory of 1820	988	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe