agenttesla | e6e6c8b2f2d2eef2b954c2271dc863eb8abe44bb14269f73c35809084c6e7b70

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QDecrypt.exe
Size

952KB
MD5

be6086b33699a2c56233cd55c36ecfca
SHA1

bc9ae30e3fc72d3a40c864095cbeb4c55b51ccdf
SHA256

fec18f885bc9b84835873b54705efa4e92b47fe50e9c9a8b0ff935f1d173758d
SHA512

f64d44dd3048d74a62b627e72a569d8d72a84a0696eb55d09d49d0d1fe77e68a59e44dcef3ce7b94f83043b0302b52d81c4489b81550d429d1ca58c595180562
SSDEEP

24576:grGha+IYGXRz8vgobejS932cUSUsjs6666666l:KGEhX9obH932cUSUsjT

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pgsu.co.id
Port:
587
Username:
[email protected]
Password:
Vecls16@Vezs
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2480	06.exe
684	06.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000015f25-6.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 2292	2480	06.exe	40
PID 684 set thread context of 764	684	06.exe	43

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QDecrypt.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DllHost.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DllHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 520031000000000057592388122041707044617461003c0008000400efbe57592388575923882a000000f30100000000020000000000000000000000000000004100700070004400610074006100000016000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "7"	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "8"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 9e0000001a00eebbfe23000010000aab12216ac8fe4fa3680de96e47012e00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbea7722a3ffa99db4da5a8c604edf61d6b8207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{3F2A72A7-99FA-4DDB-A5A8-C604EDF61D6B}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{3F2A72A7-99FA-4DDB-A5A8-C604EDF61D6B}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{3F2A72A7-99FA-4DDB-A5A8-C604EDF61D6B}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4c003100000000005759698c100041646d696e00380008000400efbe575923885759698c2a00000037000000000005000000000000000000000000000000410064006d0069006e00000014000000	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "10"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 4c0031000000000057595d8910204c6f63616c00380008000400efbe5759238857595d892a000000060200000000020000000000000000000000000000004c006f00630061006c00000014000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7400310000000000575923881100557365727300600008000400efbeee3a851a575923882a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	QDecrypt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{3F2A72A7-99FA-4DDB-A5A8-C604EDF61D6B}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	QDecrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	QDecrypt.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	QDecrypt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	QDecrypt.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2292	RegSvcs.exe
2292	RegSvcs.exe
764	RegSvcs.exe
764	RegSvcs.exe
656	chrome.exe
656	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	QDecrypt.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2480	06.exe
684	06.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeRestorePrivilege	2256	7zG.exe
Token: 35	2256	7zG.exe
Token: SeSecurityPrivilege	2256	7zG.exe
Token: SeSecurityPrivilege	2256	7zG.exe
Token: SeDebugPrivilege	2292	RegSvcs.exe
Token: SeDebugPrivilege	764	RegSvcs.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2256	7zG.exe
2256	7zG.exe
2480	06.exe
2480	06.exe
684	06.exe
684	06.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2480	06.exe
2480	06.exe
684	06.exe
684	06.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2932	QDecrypt.exe
2292	RegSvcs.exe
764	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 2480 wrote to memory of 2292	2480	06.exe	40
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 684 wrote to memory of 764	684	06.exe	43
PID 656 wrote to memory of 608	656	chrome.exe	45
PID 656 wrote to memory of 608	656	chrome.exe	45
PID 656 wrote to memory of 608	656	chrome.exe	45
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1188	656	chrome.exe	46
PID 656 wrote to memory of 1972	656	chrome.exe	47
PID 656 wrote to memory of 1972	656	chrome.exe	47
PID 656 wrote to memory of 1972	656	chrome.exe	47
PID 656 wrote to memory of 2360	656	chrome.exe	48
PID 656 wrote to memory of 2360	656	chrome.exe	48
PID 656 wrote to memory of 2360	656	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\QDecrypt.exe
"C:\Users\Admin\AppData\Local\Temp\QDecrypt.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2772

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\" -an -ai#7zMap10190:64:7zEvent9806
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2256

C:\Users\Admin\Videos\06.exe
"C:\Users\Admin\Videos\06.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\Videos\06.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2292

C:\Users\Admin\Videos\06.exe
"C:\Users\Admin\Videos\06.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\Videos\06.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6cd9758,0x7fef6cd9768,0x7fef6cd9778
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:2
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2112 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:2
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3168 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1004
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f5d7688,0x13f5d7698,0x13f5d76a8
    3⤵
    PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2716 --field-trial-handle=1368,i,14809530020843665205,2392705561601571667,131072 /prefetch:1
  2⤵
  PID:2264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anglophile

Filesize
234KB

MD5
9c14b2d945a2202eb66b9df953984de3

SHA1
c8104735366c95e9b5db8fd35779d847143ba811

SHA256
4d99fd6ebabbd72de150cc0c6eddaa41a68c3cbb1b296d394678bf823500ed35

SHA512
117082400189d08a1efb045c3dae83b11709e20b87c6e884e56056d219ad0cff2c7f0237fe7463639a74a21adb40776756f25690f9a3237e185233107d4b7c73

Download Submit
C:\Users\Admin\Videos\06.exe

Filesize
1.0MB

MD5
edb4cbdc3e425a6230ed2313a77be7e4

SHA1
f308dee5d68796fb2f37f3170d1b3f7ed8294e6d

SHA256
39c15e35f0b21b2680c56f0f281feffba42f17e437e4234fb2f575678e3afbd9

SHA512
4d645fcbb4bbbca5981c32dfd4af79d2966e8c71198af9926a7b092d28692b7380a7aae3d0d7359a2909e39208c003f718231c2460385ffaf7d0f497d252db63

Download Submit
C:\Users\Admin\Videos\p003.zip

Filesize
575KB

MD5
af2b08eb07660f845e6f45216f76814d

SHA1
eb784b59e6d8dbdf2a8aae9f8cf954e073b3bc49

SHA256
a8086d1b7e98bc52909f866b3d0087949862308bf9f5027a17be88a67265700c

SHA512
03dfe8a797b371c4bfdc61f0dc0bd05d3060a1a239ab1ab22e311ea0d2814caffb724738d475b492687acf09ba13c904aac84bc504d23285a98c54b952225b6f

Download Submit
memory/2292-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-0-0x0000000006650000-0x0000000006652000-memory.dmp

Filesize
8KB

Download