xred | 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
Size

10.9MB
MD5

f7e1cfc6c7f7ff4dd762af36588cda54
SHA1

583e0bfed1a770d4d60fcdb3ed9abe701b7f0f49
SHA256

0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe
SHA512

77f775a2a001a2cbf2146d1c0200f158a7217cf96bc796678b3d1879f0705115239c72c5530cbf930aed57eed18080c7d7dfb784e3d17799f9578cd911530820
SSDEEP

196608:y0I9SsDPwSQZmqFcfpckEi3+9Yq2AyqRZ6VkdLko5pxK13gmli:y0I9HDPwjZ3FAbEdm1qRdlWBgmli

Score

10^/10

xred backdoor discovery persistence upx vmprotect

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 12 IoCs

pid	Process
2832	csrss1.exe
2196	csrss2.exe
632	csrss3.exe
2700	svchost.exe
2100	svchost.exe
2984	._cache_csrss1.exe
2856	._cache_csrss3.exe
536	WinStore.Ap.exe
2484	svchost.exe
2284	svchost.exe
1180	Synaptics.exe
1528	._cache_Synaptics.exe

Loads dropped DLL 24 IoCs

pid	Process
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2832	csrss1.exe
632	csrss3.exe
632	csrss3.exe
632	csrss3.exe
2832	csrss1.exe
2832	csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
632	csrss3.exe
632	csrss3.exe
1180	Synaptics.exe
1180	Synaptics.exe
1180	Synaptics.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe
2060	WerFault.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2936-46-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect
behavioral1/memory/2936-48-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect
behavioral1/memory/2936-110-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	csrss3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001202c-40.dat	upx
behavioral1/memory/2832-53-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral1/memory/2832-115-0x0000000000400000-0x00000000009E4000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	csrss2.exe
File opened for modification	C:\Windows\svchost.exe	csrss2.exe
File opened for modification	C:\Windows\svchost.exe	WinStore.Ap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2600	2700	WerFault.exe	33
2176	2484	WerFault.exe	39
2060	2984	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_csrss3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinStore.Ap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_csrss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1500	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
2856	._cache_csrss3.exe
2856	._cache_csrss3.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
2984	._cache_csrss1.exe
1528	._cache_Synaptics.exe
1528	._cache_Synaptics.exe
1500	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2832	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	30
PID 2936 wrote to memory of 2832	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	30
PID 2936 wrote to memory of 2832	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	30
PID 2936 wrote to memory of 2832	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	30
PID 2936 wrote to memory of 2196	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	31
PID 2936 wrote to memory of 2196	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	31
PID 2936 wrote to memory of 2196	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	31
PID 2936 wrote to memory of 2196	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	31
PID 2936 wrote to memory of 632	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	32
PID 2936 wrote to memory of 632	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	32
PID 2936 wrote to memory of 632	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	32
PID 2936 wrote to memory of 632	2936	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	32
PID 2700 wrote to memory of 2100	2700	svchost.exe	34
PID 2700 wrote to memory of 2100	2700	svchost.exe	34
PID 2700 wrote to memory of 2100	2700	svchost.exe	34
PID 2700 wrote to memory of 2100	2700	svchost.exe	34
PID 2700 wrote to memory of 2600	2700	svchost.exe	35
PID 2700 wrote to memory of 2600	2700	svchost.exe	35
PID 2700 wrote to memory of 2600	2700	svchost.exe	35
PID 2700 wrote to memory of 2600	2700	svchost.exe	35
PID 632 wrote to memory of 2856	632	csrss3.exe	36
PID 632 wrote to memory of 2856	632	csrss3.exe	36
PID 632 wrote to memory of 2856	632	csrss3.exe	36
PID 632 wrote to memory of 2856	632	csrss3.exe	36
PID 2832 wrote to memory of 2984	2832	csrss1.exe	37
PID 2832 wrote to memory of 2984	2832	csrss1.exe	37
PID 2832 wrote to memory of 2984	2832	csrss1.exe	37
PID 2832 wrote to memory of 2984	2832	csrss1.exe	37
PID 2984 wrote to memory of 536	2984	._cache_csrss1.exe	38
PID 2984 wrote to memory of 536	2984	._cache_csrss1.exe	38
PID 2984 wrote to memory of 536	2984	._cache_csrss1.exe	38
PID 2984 wrote to memory of 536	2984	._cache_csrss1.exe	38
PID 2484 wrote to memory of 2284	2484	svchost.exe	40
PID 2484 wrote to memory of 2284	2484	svchost.exe	40
PID 2484 wrote to memory of 2284	2484	svchost.exe	40
PID 2484 wrote to memory of 2284	2484	svchost.exe	40
PID 2484 wrote to memory of 2176	2484	svchost.exe	41
PID 2484 wrote to memory of 2176	2484	svchost.exe	41
PID 2484 wrote to memory of 2176	2484	svchost.exe	41
PID 2484 wrote to memory of 2176	2484	svchost.exe	41
PID 632 wrote to memory of 1180	632	csrss3.exe	42
PID 632 wrote to memory of 1180	632	csrss3.exe	42
PID 632 wrote to memory of 1180	632	csrss3.exe	42
PID 632 wrote to memory of 1180	632	csrss3.exe	42
PID 1180 wrote to memory of 1528	1180	Synaptics.exe	43
PID 1180 wrote to memory of 1528	1180	Synaptics.exe	43
PID 1180 wrote to memory of 1528	1180	Synaptics.exe	43
PID 1180 wrote to memory of 1528	1180	Synaptics.exe	43
PID 2984 wrote to memory of 2060	2984	._cache_csrss1.exe	44
PID 2984 wrote to memory of 2060	2984	._cache_csrss1.exe	44
PID 2984 wrote to memory of 2060	2984	._cache_csrss1.exe	44
PID 2984 wrote to memory of 2060	2984	._cache_csrss1.exe	44

C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
"C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\csrss1.exe
  C:\Users\Admin\AppData\Local\Temp\csrss1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
      C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 828
      4⤵
      Loads dropped DLL
      Program crash
      PID:2060
- C:\Users\Admin\AppData\Local\Temp\csrss2.exe
  C:\Users\Admin\AppData\Local\Temp\csrss2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\csrss3.exe
  C:\Users\Admin\AppData\Local\Temp\csrss3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1528

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 180
  2⤵
  - Program crash
  PID:2600

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 180
  2⤵
  - Program crash
  PID:2176

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe

Filesize
5.0MB

MD5
044d17f97d75da98e9eb2aa62ec7b75a

SHA1
0115b76acb7424b55252416f5f96dfcbd8575c17

SHA256
d9161c71e9aa4ed4cbe22b6fda94e18c85b43125fc5cee102daa0db5f9b60a34

SHA512
f3e3d0ec861a0ee5aedf45b2d05c0a4de4cece59ce7c848e1294885a22409a8d88ab045c52606a4bd60585d7ac8ec084b200886f518cafb691eb0333385f2200

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJqxmfb3.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJqxmfb3.xlsm

Filesize
21KB

MD5
4da7ac3537a9209bb547c6b42b630f87

SHA1
ceaacee6e87aefe073b84feb2b989dba21a344ba

SHA256
379474b51ffd0a9cde9ffec6dec5f3db53e3a1b901f6dfebd13cc3b9a891ac3a

SHA512
ccfaa2b095a0729fd9ca60f86265623fbebb1dc3834034472ddb9ecfcfe207b72cde28d2e1f041e38f57b6acb643121ec4fe3a84beeb8aaa31da98783ef7afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJqxmfb3.xlsm

Filesize
25KB

MD5
5b81ca390ac53f44fe60219d3c784ff0

SHA1
91816c41f51c4cfdabd1190027dc04c4231c21fc

SHA256
02272c326ff0b39127459ae77261dfa9512c3cec29f9e762d3ebdaeedf43bc54

SHA512
f7935f05ef8aa74f8cc21c674617d2c85dc7a3780d318291bbb693a33ce4e119054b50f67def399ce1b1007630c35edda2a4ceb0e9ab2f0a866bf42741de92c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJqxmfb3.xlsm

Filesize
25KB

MD5
05b036b845591acad9f947198dc303dd

SHA1
4b60e9a90b1e250d045ccfd2ac16a2fc1d878354

SHA256
a81774343a665dc6a6afb1c45a9b69099ba8fdc6ae87f9fc31187af1f4d49353

SHA512
8e0ac1d51cee511c3b7c45885810228e5ade0025388285d9f3dc3099446ae6e2e0b71a1411094fed182c9984b1a10f3f0005f6b2e05a31147eb9572b3acf0666

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe

Filesize
36KB

MD5
6bcfc02cec27994f21fbd864eab7cced

SHA1
941469f26107f8e5576943b8a6f1338a2a0694b8

SHA256
aac2fcb25f1022e52ca001f655c50e94f59b8cb1447a3a89b31f5b51b1c1cbc3

SHA512
1988fe89ccd35335927ec444b6d0c178d28198f3270bb12bad89fc5a9e70527a5a03b9c7c89330dc7dafc141d2156eb2795288454c74c9a8c8e0abcdd5378fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss2.exe

Filesize
36KB

MD5
1c47934968624092ab9d889aa6c42f89

SHA1
6371c0b5bf568225e637a9049d3b7b2888e7ec1f

SHA256
ee8f0bab814a672f624ed59f157806229cc194aaf3704aea7f49e6f5fd70c0b0

SHA512
d35c84a17e29d401a563dfa7b9b0c56d3a266a5bdc00dc85ee2e35b44931639c4b1ddd08ef178797144086fa3a09c3daad35340e0c99217f06adfdecc069752c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss3.exe

Filesize
1.4MB

MD5
948ef47cbef691ed14da3dd81fd12d99

SHA1
3d495e706c9456d76d19013cb89ff87c874f2e8e

SHA256
ef700e93e37470b99acbcd35e450bf63f03b19a362d3821350c62abacd6c9d54

SHA512
9f0b5268794f4b168fb6ae0197a1f56acba6d9820f295cc24947354b8cece0dadfca0f5f7967f607f578125de39232a801e17c6f1f14b35288c98c16d6a37d62

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe

Filesize
700KB

MD5
e90eddc4db34ec03b80c552e53b5c69c

SHA1
885cff8c7f6fcc362332dcaec0beadb73ea28eba

SHA256
7e7825184c8bd575fac683ee957fc530100de3399e22d611d12ddf155d62e336

SHA512
3e9fae21e9a528072fc8add9bb3bd8a2f6183fc4375beebe05e4ae0383cfc4619dbd1061737eeea439caea1f9bb81dab1cf9c5b887077024b8d92bb1a5807095

Download Submit
\Users\Admin\AppData\Local\Temp\csrss1.exe

Filesize
5.1MB

MD5
f33b166aa53dcbdb6ee38dbc041ed51b

SHA1
fd77e28afa1008b7a2d43191fea2a42bbab37df2

SHA256
aa5fe8561ad9325981bd6f514c25b8a15571120638fb37ad6e151b8f4defe135

SHA512
8f3a82e3921796c092c31b1e7aefa15776b277810f5248bb39988af7cb1576aafc974e9046a2defa5f2e959269f4dbcba8244afc67463348afc8c66a675cf619

Download Submit
memory/632-105-0x0000000004290000-0x0000000004352000-memory.dmp

Filesize
776KB

Download
memory/632-106-0x0000000004290000-0x0000000004352000-memory.dmp

Filesize
776KB

Download
memory/1180-295-0x0000000005560000-0x0000000005622000-memory.dmp

Filesize
776KB

Download
memory/1180-179-0x0000000005560000-0x0000000005622000-memory.dmp

Filesize
776KB

Download
memory/1528-296-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2832-53-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2832-115-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2832-83-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2856-111-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2856-271-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2936-24-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2936-36-0x0000000000B3C000-0x0000000000E6B000-memory.dmp

Filesize
3.2MB

Download
memory/2936-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2936-2-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2936-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2936-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2936-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2936-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2936-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2936-110-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/2936-17-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2936-29-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2936-19-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2936-108-0x0000000000B3C000-0x0000000000E6B000-memory.dmp

Filesize
3.2MB

Download
memory/2936-22-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2936-27-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2936-34-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2936-5-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2936-32-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2936-52-0x0000000003750000-0x0000000003D34000-memory.dmp

Filesize
5.9MB

Download
memory/2936-46-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/2936-49-0x0000000003750000-0x0000000003D34000-memory.dmp

Filesize
5.9MB

Download
memory/2936-48-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/2936-30-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2984-135-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-118-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-120-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-123-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2984-125-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2984-128-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2984-130-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2984-133-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-138-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2984-112-0x0000000010000000-0x0000000010891000-memory.dmp

Filesize
8.6MB

Download