xred | 6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Size

4.6MB
MD5

951ea841732871d4dd799fdf1fdf57d1
SHA1

70d47ead9a8e584a2b0f6b872847bb4d90c7fa62
SHA256

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7
SHA512

57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1
SSDEEP

98304:9nsmtk2aPOmZb0bHkeaRs4WpcF8uztWOiiROB4/Oo1sRFu:hLBmZb0bEds4XFR0OiC/GTu

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4628	Synaptics.exe
1480	._cache_Synaptics.exe
3724	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE._cache_Synaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4020 EXCEL.EXE

pid	process
4020	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
3724	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
3724	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

pid	process
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
4504	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXE._cache_Synaptics.exe

pid process

4020 EXCEL.EXE
4020 EXCEL.EXE
1480 ._cache_Synaptics.exe
4020 EXCEL.EXE
4020 EXCEL.EXE
4020 EXCEL.EXE
4020 EXCEL.EXE
4020 EXCEL.EXE
4020 EXCEL.EXE

pid	process
4020	EXCEL.EXE
4020	EXCEL.EXE
1480	._cache_Synaptics.exe
4020	EXCEL.EXE
4020	EXCEL.EXE
4020	EXCEL.EXE
4020	EXCEL.EXE
4020	EXCEL.EXE
4020	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exeSynaptics.exe._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
"C:\Users\Admin\AppData\Local\Temp\6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-service
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3724
- - C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe" --local-control
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4504
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:1480

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
951ea841732871d4dd799fdf1fdf57d1

SHA1
70d47ead9a8e584a2b0f6b872847bb4d90c7fa62

SHA256
6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7

SHA512
57526b4da9f9172ae96bf122d635f871f8f24e653500d2c10ca6bdd6502c6db8b1b40252e0d4c4624383453aea719e34309294bd3547e45e6af08678fa2e7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe

Filesize
3.9MB

MD5
30c9c57aa570088d745fac7bfd05b805

SHA1
d579d18848859614e219afa6332d410e0ca71fc3

SHA256
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383

SHA512
182dc736cf09e8b4e063b29c839999ab28506a71e22173484f9dbc9bf9472456406aa0c8de542d85436200317175f9e32d65f1bb1e567b8c717860348fd3b52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6D75E00

Filesize
22KB

MD5
638b0cb9fa5a088254b5cef2f9bde402

SHA1
59fc7523be9eda8995dec5b6e2d35610950ce3bc

SHA256
211a2bb23a6e15a8207b751dc130a7c164b5edbda44c0f1242a77880a61a9306

SHA512
5c6bf2abec98df34063ebbbf31092e7ac7ef28506a4173538e0f3916a218f29ca29f80970cbc02816bf25b5a82a3e7863e98fbc341ce27415d9500c4f63ef35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
12KB

MD5
5585a968af0efd1639388aa9bfdeb407

SHA1
b2f0a1598ff9b38f14a42301a833d0910a9acc8a

SHA256
3aaaab06668b11c0ea9e8c37390bd038ebd8a1239b6dd51ba1d7534001b8bd07

SHA512
695bf190c14cab000a0351ad4fc332d1395c5bc88ccbb9334301bcd3a1a48e3a50a0920ef487ac9cfe9cada1f9162acbb905540969ee7b84d78166b8d7b4edc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
16KB

MD5
530e258d5c366f5c2ff46c828d418175

SHA1
e2e8da21d6bd3c9ae44640c931409de0e1d2b505

SHA256
1231e793220c186e6bc527757ee31960704cdc00ad1c27f6e0e249cb46fcf40f

SHA512
3dcd85c1d3ed5aa3e6f610fd865f046a1e6bc088f3041a5062d068f20114c45448597e6f52e003a016234d2ffdc644b29a0aa82562189fc1637bc9719905fee1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f8dcd07b5f253fb6a6afc86e8bf08485

SHA1
d86a192bd40ca36c917ecf06d108228fdd71d9ae

SHA256
d57a45c6cfc29aec39396275cb399373789ff16526bc0b932683b65cf9dffcc3

SHA512
d167971fbb91d3829b2c1f9a2e99b0882c2bc52d7259743056c1995b2c8acd980fdee6f190a3895a7e47caa00760ea1970c61ffdc7124762eca66108f51b9461

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8c51c9c10e47a8963e6bbe969afa21b6

SHA1
4f44a50f6990cf31201e3dec06f0c6deef24db79

SHA256
516bb81f0152154914f0450dd540eae67c9b048eaff808c75ed5ad44dd35408b

SHA512
fcdf1bb3b19d15c645b16d5cd10947eea035d02e49dce90907ea62d53bfb48025eb687d09262d7028c7994537fbc31adbfd5f6a817053d1c046fbda2f8279ae5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c4afde1e097eb7e44883f48684f49a6e

SHA1
a87b72532d32be99494a02e7457314c231059e28

SHA256
d430a9822825ccb5dde1bd8110f3e4478aad91d578cef184c4eb41ba544d31de

SHA512
fa1380848c7b7dc7e744a476326f65c2921ff3aeb041340d325aad2a3ddb05e9e9a5f0e20d964434df52e2d715f8893d09b6b7ea538b9ccd8048e61134a9bced

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
b35425e037ef557bc18195861978d870

SHA1
d3aa45cba4e8760dbdff24a7e877144337685ced

SHA256
210881fb460b04ec46e35cc04801b0fce22855f6c9d7fd09dcb60d587549ad5c

SHA512
2273b0d686a7f52555552cb36a8d55b8cd46a8c60db4e29951db07b7b16519423b6a034d292eacc8bd1cc95990ccb197aad5a3840f7681daddeec6b01976ff9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
df13613c7ace6a37657e90cc7057ec0c

SHA1
4b19c93dd41657cea9b3a0b8b38b63e32b1b3df9

SHA256
fff2c2ec23ef7e5e13644401f9094a3b4b0b47fddd149325040f6c3c5f89315a

SHA512
cb19b8fa7b40b1c7e0d93a8da35688b17ce2d43f23393d1f9a2c288fe7a899d6e0ec6689386924e43f516f63f69cb1ba0a50a42d45c783812a18c2738938e157

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
716B

MD5
ea5fa1c06268ba2309b96b90d00dc269

SHA1
0972001f0920187bae502a475174abecfad07f7c

SHA256
eced5221cadbe7e4ebec7250a157c33bbdd9fb4c3b44133e96f6255183dfbda3

SHA512
720d0d7fe16adbf48a4611a7eccffeeef563ddb65d3873033ce5f14838cd8aac3bbac7244719209333cd204dc3fe09a9950ca6a196fdede7aac77cc58bb18a2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
8b7ba7f4e7706f7b7b72c98f0739e332

SHA1
3da1b4bda4ae5a752bcd766d594e12e1a1ebff83

SHA256
eb56d2d4db14073a07119bb1bfa9b1df10310013e5e2e72b09f175699c0cecfe

SHA512
800be09dc5f36852dde839437d74c4c9455bc64e27ae66aff5bb777418225daaab3df63b3ab90be0086dbcf76ea2bf9eea27c05670e6c3bc74931ca38f1d4863

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
820bcd77789ee73ba2f47b0d3efa6b1c

SHA1
72e3366f2b831aa89451d473db387d38f00551f6

SHA256
542012b5d1a09802adc9e347852613151aa7354a63d7904d0212a4331df7f785

SHA512
17ec7d2e3c32cdf774474d98663b172499e96114ed9d485180a3125a6fae4e4c6d6edff25c5941cab82cf63b8a32e26541c640de1af153e5aaeac7092c803b92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98e903881ab8ac85fcba6d00d8e05107

SHA1
9edcb0182f374710b81f713b4fa78db8db9ff2f6

SHA256
2118e5ae23fa20fd733843da45bc10d4b6fc8cfceb3e3eab52a73b815ac1550b

SHA512
479f0f9f6f0d87dd0c74455404dca8824da9a4f9e9accfd75841919dcbfdda247e16436746705c7179a20b6551ed36bdd1ce90f57d009d4974e79972b5675bda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
128d916cf907efc6ef71505324c0ca30

SHA1
4578795ae8d58a9fd964a57821397b55618fdebd

SHA256
7cdedd7d145d1d8bc32276bfe22e68d99d7a1499881417fa7accb3674830edc8

SHA512
16f2ff91093ff15ee7095b5f00be9cb2f28efa81ac8ac3998dbbe437f6b6834b9515bf1cf37fb7626be69d8f9812f540e78146eebb89a344ea7981937088da09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2205149969034e3089fccc393ebc3376

SHA1
58095fa2dbb72b098e90934f4bac5a64ed072d41

SHA256
f1fff9eee81859c5ae7acd8922fd9f3a94fff7c4434ee082ea53c6e60da0b674

SHA512
b5090b319ef60554b2cce8272af15d0fc8d28596035ae0bd0fd0148b6a3f40f2c618496d7e87e8c4a5cea3ea69abc3c248530a9c8935c36736c5827b078b148e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
69e0f8db527b21b0e2d4e29ee14b1560

SHA1
14e17a37cd431a7f024fe2dd192a394af2847e38

SHA256
2ab1031935d26daf206c46c2547491a402bfa4a9b59c184161b3becbad5c2d74

SHA512
dc18be913fd7db7de00929b9749f40d8343e2898be556d4000bfbab5db993ecc9a16fdd6679a0bc2d371c15324827a202a919c9846be26682953e201d4f940b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
a8eccecf0868c484fe0617db7c11cd71

SHA1
71729168a40604c9775efcfe23d8658faab895aa

SHA256
64b7f0d8e6f34c452e1398b3fd52d7e190c07b6413101c18d0bd8fffb3d3b9a4

SHA512
9de9eba26e990dd42948ad580ea3ed2a431cd4f257af0fbadc8709719bef49cd9afd4bd02fdbeff550f50b8ecf981c6038b1d164a8e8fe31023d947f5b100428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
068338b8ee4f4ec508d547c9ee9f8079

SHA1
d7b71c9df9744b8de083802056b837c5d6e2d80d

SHA256
5f2ce3fcdf1861f381090e583d0defe40cb0a13ee154445d43afdb2e397e09fe

SHA512
e8b14f2ca7342bb8a255b1fc85bc31632606a3a83fb72a84d2327a22ca38a57bfb50e12b33142e2ad9d8a262a06ab9b445e4a8697912646d610df1eb2e00778c

Download Submit
memory/1480-207-0x0000000000030000-0x00000000010B5000-memory.dmp

Filesize
16.5MB

Download
memory/1480-554-0x0000000000030000-0x00000000010B5000-memory.dmp

Filesize
16.5MB

Download
memory/1748-551-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/1748-182-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/1748-184-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/3724-210-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/3724-555-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/4020-203-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/4020-220-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp

Filesize
64KB

Download
memory/4020-209-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp

Filesize
64KB

Download
memory/4020-200-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/4020-201-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/4020-204-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/4020-202-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/4504-212-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/4504-556-0x0000000000980000-0x0000000001A05000-memory.dmp

Filesize
16.5MB

Download
memory/4628-131-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4628-552-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4628-553-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4628-130-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4628-557-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4628-562-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/4628-613-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/5060-129-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/5060-0-0x0000000000400000-0x00000000008AF000-memory.dmp

Filesize
4.7MB

Download
memory/5060-1-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 5060 wrote to memory of 1748	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 5060 wrote to memory of 1748	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 5060 wrote to memory of 1748	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 5060 wrote to memory of 4628	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 5060 wrote to memory of 4628	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 5060 wrote to memory of 4628	5060	6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	Synaptics.exe
PID 4628 wrote to memory of 1480	4628	Synaptics.exe	._cache_Synaptics.exe
PID 4628 wrote to memory of 1480	4628	Synaptics.exe	._cache_Synaptics.exe
PID 4628 wrote to memory of 1480	4628	Synaptics.exe	._cache_Synaptics.exe
PID 1748 wrote to memory of 3724	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1748 wrote to memory of 3724	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1748 wrote to memory of 3724	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1748 wrote to memory of 4504	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1748 wrote to memory of 4504	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe
PID 1748 wrote to memory of 4504	1748	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe	._cache_6f2eab739a2daf67221a8b4f99201f2265bb4f1d39343f3be58454dbba5665c7.exe