asyncrat | 11948c9b0bb30505094e237e91f2eae6b4bd32710983732c917d398bc2b7618a

Analysis

max time kernel
181s
max time network
242s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreebsdSensitive.exe
Size

739KB
MD5

e52dec7860f62f934e934966801f3eb3
SHA1

1220eabda84623ce3d1649b491513291bff31513
SHA256

11948c9b0bb30505094e237e91f2eae6b4bd32710983732c917d398bc2b7618a
SHA512

aeb568388d18e02d7e792ce6d62ca4b29b3973a671fe804aece60f26d2b0f0c8a1cb43b92fb03eaf44cf400dadd05fadcf1f2b6a8b21dfb26ecdd43902751506
SSDEEP

12288:vHadwSQZsCJCzmFyinp17VuYkPMZqN0H+68AJV78u5jiqSDGeeLtOUQYWCaGEk:PadNQZsCYzmFy01gzoZeFuVou5m1Geej

Score

10^/10

asyncrat fwzcrypt rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Fwzcrypt

alertazazws123.ddnsgeek.com:7707

Mutex

AsyncMutex_shwdfee

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

Religions.pifReligions.pifReligions.pif

description	pid	process	target process
PID 608 created 1380	608	Religions.pif	Explorer.EXE
PID 608 created 1380	608	Religions.pif	Explorer.EXE
PID 2996 created 1380	2996	Religions.pif	Explorer.EXE
PID 1956 created 1380	1956	Religions.pif	Explorer.EXE

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumCode.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumCode.url	cmd.exe

Executes dropped EXE 6 IoCs

Processes:

Religions.pifRegAsm.exeReligions.pifReligions.pifRegAsm.exeRegAsm.exe

pid process

608 Religions.pif
1580 RegAsm.exe
2996 Religions.pif
1956 Religions.pif
2944 RegAsm.exe
2100 RegAsm.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.exeReligions.pifRegAsm.execmd.exeReligions.pifReligions.pifRegAsm.exeRegAsm.exe

pid process

2572 cmd.exe
608 Religions.pif
1580 RegAsm.exe
1792 cmd.exe
2996 Religions.pif
1956 Religions.pif
2944 RegAsm.exe
2100 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2216 tasklist.exe
1964 tasklist.exe
2140 tasklist.exe
2696 tasklist.exe
1204 tasklist.exe
2940 tasklist.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

helppane.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main helppane.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1344 PING.EXE
2556 PING.EXE
3032 PING.EXE

pid	process
2572	cmd.exe
608	Religions.pif
1580	RegAsm.exe
1792	cmd.exe
2996	Religions.pif
1956	Religions.pif
2944	RegAsm.exe
2100	RegAsm.exe

pid	process
2216	tasklist.exe
1964	tasklist.exe
2140	tasklist.exe
2696	tasklist.exe
1204	tasklist.exe
2940	tasklist.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

pid	process
1344	PING.EXE
2556	PING.EXE
3032	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Religions.pifReligions.pifReligions.pif

pid	process
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
608	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif
2996	Religions.pif
2996	Religions.pif
1956	Religions.pif
1956	Religions.pif

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exehelppane.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	1204	tasklist.exe
Token: SeDebugPrivilege	1580	RegAsm.exe
Token: SeTakeOwnershipPrivilege	2640	helppane.exe
Token: SeTakeOwnershipPrivilege	2640	helppane.exe
Token: SeTakeOwnershipPrivilege	2640	helppane.exe
Token: SeTakeOwnershipPrivilege	2640	helppane.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	2140	tasklist.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Religions.pifhelppane.exeReligions.pifReligions.pif

pid	process
608	Religions.pif
608	Religions.pif
608	Religions.pif
2640	helppane.exe
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

Religions.pifReligions.pifReligions.pif

pid	process
608	Religions.pif
608	Religions.pif
608	Religions.pif
2996	Religions.pif
2996	Religions.pif
2996	Religions.pif
1956	Religions.pif
1956	Religions.pif
1956	Religions.pif

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

helppane.exe

pid process

2640 helppane.exe
2640 helppane.exe

pid	process
2640	helppane.exe
2640	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FreebsdSensitive.execmd.exeReligions.pifFreebsdSensitive.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 2572	1680	FreebsdSensitive.exe	cmd.exe
PID 1680 wrote to memory of 2572	1680	FreebsdSensitive.exe	cmd.exe
PID 1680 wrote to memory of 2572	1680	FreebsdSensitive.exe	cmd.exe
PID 1680 wrote to memory of 2572	1680	FreebsdSensitive.exe	cmd.exe
PID 2572 wrote to memory of 2696	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 2696	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 2696	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 2696	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 2792	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2792	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2792	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2792	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 1204	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 1204	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 1204	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 1204	2572	cmd.exe	tasklist.exe
PID 2572 wrote to memory of 776	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 776	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 776	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 776	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2736	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2736	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2736	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2736	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2904	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2904	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2904	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 2904	2572	cmd.exe	findstr.exe
PID 2572 wrote to memory of 1904	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 1904	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 1904	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 1904	2572	cmd.exe	cmd.exe
PID 2572 wrote to memory of 608	2572	cmd.exe	Religions.pif
PID 2572 wrote to memory of 608	2572	cmd.exe	Religions.pif
PID 2572 wrote to memory of 608	2572	cmd.exe	Religions.pif
PID 2572 wrote to memory of 608	2572	cmd.exe	Religions.pif
PID 2572 wrote to memory of 1344	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 1344	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 1344	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 1344	2572	cmd.exe	PING.EXE
PID 608 wrote to memory of 3008	608	Religions.pif	cmd.exe
PID 608 wrote to memory of 3008	608	Religions.pif	cmd.exe
PID 608 wrote to memory of 3008	608	Religions.pif	cmd.exe
PID 608 wrote to memory of 3008	608	Religions.pif	cmd.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 608 wrote to memory of 1580	608	Religions.pif	RegAsm.exe
PID 1600 wrote to memory of 1792	1600	FreebsdSensitive.exe	cmd.exe
PID 1600 wrote to memory of 1792	1600	FreebsdSensitive.exe	cmd.exe
PID 1600 wrote to memory of 1792	1600	FreebsdSensitive.exe	cmd.exe
PID 1600 wrote to memory of 1792	1600	FreebsdSensitive.exe	cmd.exe
PID 1792 wrote to memory of 2940	1792	cmd.exe	tasklist.exe
PID 1792 wrote to memory of 2940	1792	cmd.exe	tasklist.exe
PID 1792 wrote to memory of 2940	1792	cmd.exe	tasklist.exe
PID 1792 wrote to memory of 2940	1792	cmd.exe	tasklist.exe
PID 1792 wrote to memory of 2472	1792	cmd.exe	findstr.exe
PID 1792 wrote to memory of 2472	1792	cmd.exe	findstr.exe
PID 1792 wrote to memory of 2472	1792	cmd.exe	findstr.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\FreebsdSensitive.exe
  "C:\Users\Admin\AppData\Local\Temp\FreebsdSensitive.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Charts Charts.cmd & Charts.cmd & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1204
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 688318
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AkConcertSoonRepair" Missing
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Madrid + Adidas + Canberra 688318\p
      4⤵
      PID:1904
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\Religions.pif
      688318\Religions.pif 688318\p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:608
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumCode.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumCode Systems\QuantumCode.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumCode.url" & exit
  2⤵
  - Drops startup file
  PID:3008
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1132
- C:\Users\Admin\Desktop\FreebsdSensitive.exe
  "C:\Users\Admin\Desktop\FreebsdSensitive.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Charts Charts.cmd & Charts.cmd & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 688318
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AkConcertSoonRepair" Missing
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Madrid + Adidas + Canberra 688318\p
      4⤵
      PID:2400
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\Religions.pif
      688318\Religions.pif 688318\p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2556
- C:\Users\Admin\Desktop\FreebsdSensitive.exe
  "C:\Users\Admin\Desktop\FreebsdSensitive.exe"
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Charts Charts.cmd & Charts.cmd & exit
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 688318
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Madrid + Adidas + Canberra 688318\p
      4⤵
      PID:1756
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\Religions.pif
      688318\Religions.pif 688318\p
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3032
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2944
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2100

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\p

Filesize
244KB

MD5
4da4aa0b50b6efcec3083ede453a143a

SHA1
645491c14f69ec2b531d7455a766cb082b57bfe7

SHA256
de15b9bf72d6f4312e6dee828bafeca42878cea72517c85a6f3c84c32898c62d

SHA512
84ff66b92693478435637bbfb62dd4c91cdc2427f81635b55d3a647c98ac9df8ba286cf9b42356cdefecb41f711126e3a4c74f55f87e9fa8dcb0a66b0aec2dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Achieved

Filesize
67KB

MD5
6086ebe4d59e36878c6f3a077f6ddb38

SHA1
e357829411e95227232f81f81baba1d9d624cf2c

SHA256
ae59990eb6405bdc700bfa309684234eb570e6f54ec21ff9bdb510fe4f6afec0

SHA512
3b48c332e4e7807630d9c3ba756d955218fe66c966dac68a846b8195c9228445ab4110188a77ccb6846283638372be8bc19d2ece0a1ccdc93d6c840eff572bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adidas

Filesize
96KB

MD5
afed5fda25215980e5f06150567ded40

SHA1
8ab10bfb2300eb73c84fe9a195c69664979aa3b0

SHA256
8a4f271530c5b715830971f30fb3f183aca1785811b087751e2fe377b9eeb42a

SHA512
431c0186e59bf589851c0b1bc34102cda46952d11f446e370db3d7aac52b2d285185779a38eb69f5409ab914be5d336540597f8037881fb41f5a8547b76c9751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Alternatives

Filesize
69KB

MD5
8e0cdfb792b82eb0f6dabf597c8baa3c

SHA1
885b0b9e35f427c9de4d63f960b2a7ab8648eae9

SHA256
ec6d406b595cb0367ecd84fff5060b7ef72ed3c66b57ff5d188214f51f925724

SHA512
91f2d22d9b45e6cb624eac4a235cb5a461df158edeeac3140da79adda0311b54203bf72701bf7904066a7db010a3f7b0ad6245bbaeb6a9e6c1361000cd2b097e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Antiques

Filesize
54KB

MD5
98f251bcb9b4b5af56266f4b756f7e96

SHA1
a5b5e00963d340b8bd3f88f4e7bfb8bfa26bfbaf

SHA256
390906544e15ce46f3b54a2446c55f92e1b425d8afceab927e132d7150088150

SHA512
fd908d41c2e1946743f6fc109c3175b8ca8c8d6fe0ded8c4a11e66f6e6d01e8f6bed0d930eb991c1b5c9c7fa6f2f828f50313a6901a868ee8f2297a36b96aa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bangkok

Filesize
32KB

MD5
c9ed05439ba072ab7d3c706ad30a6972

SHA1
4d39e8151147c659158e0edfc37b2d43247dfc14

SHA256
9695c29a882b325b6dd3a771f0eac5067009228d3b32600c7c56419ca5513e65

SHA512
18c4fd33ed06b1e3925799ab087c86afe372a0d834d091c811715255e907f01fd3b2e196bab0cfeaab84079762489973d90000d2f16737ba31486b734364b6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Basic

Filesize
27KB

MD5
be8ab2e8fb5764640e827ffe87667e07

SHA1
b5e91ffe4af7dd769f866e2c752741912a90e482

SHA256
e20e008b4d6d61dcd0e184feb9b8368440ced2adcab430937604abfd8c8feaf4

SHA512
5c73842591cd2e1f4c01b1e6dae14877fa838f46a53a504b857d72b1dc6f0d299a509f6e4069128b39c42118d7b4ca720925a3735e0e2643d5f9a71fb5b2e1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Canberra

Filesize
64KB

MD5
18bfbd4335e9e1c65bf4ab5b15d3cdf5

SHA1
22c378c54d63b7b5cd26414fa0cf6505c14e8e18

SHA256
a2fd5a0ab47878f29b996f96b6da0038311b79f795277fc455412cd968e4712b

SHA512
c5f06538051b8e0c95b4fd856c11cc8aa5bd1acd1d2cb72d8c011d51746234e8986ef0a028fa660ec7c0be0661267623848279f9d527b16c1f48cd91568cd94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Charts

Filesize
6KB

MD5
8434d9dbc4fe7e382004da2b6ff40cb8

SHA1
5edbd7565916486dde046bf70f5001b18a11a52e

SHA256
0f74aaf0c12aa826df3b040e18ab19ebafe975755397af9eadf43868344f08ba

SHA512
a7c0a1949d57266c883510388a774ca58b67b46aa3d8a01b1534ff9c4d233f2ef027c648ea390af3dee31a1850e93154f7b7bdbc539c5b3c3c937be6c3d946c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Classroom

Filesize
46KB

MD5
df1a31de8ea92a2c0b41173dca88c5e4

SHA1
3382579c323cdfabd2eda92abdea3c878d689fe9

SHA256
cb8b926e8fe403869991ed9c10c6c478d5629cbc446d974f09da2c49a11e9aad

SHA512
1d739aab01ef24ad53bc1093dd90c0d2e814c1c029fda16b1add90d784e877a3995e587230a7d4807aa1fc3e2c0b0a902324dfa4999a19637c2dec6f56bf71d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dev

Filesize
35KB

MD5
32acab28bcb9d1d8d9e6c3f22401e616

SHA1
524b1f85262b3cd6c7c899e887ace043d33065ce

SHA256
63ede86ac8b071a117ae389402933060f36a875d22ada4a2e7c1c2dd7eb9d2ea

SHA512
bf406aa36e916cb2ba50e5c13cf405eb5f0f26b814a854036a7c21c782a6a158ac0bdd71cc30dfb7ba40d44832d7e267b69d2388490f045615afa5629e3069d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dover

Filesize
9KB

MD5
1e2cba09f31289f6d26b91a222e29784

SHA1
4ef88fa53fa60a2e7984968e59089708c39ba7a2

SHA256
800b6712738cc470dca41da9e8d584a317d5970b44f3d44a912f68a8dd1be706

SHA512
448c6bac2627bdbec3ffd63a4410efca7ff8912f0e67dbf14b06559312eca0e0639ff2cf406e086019dc11a70ef5c5e160f0ffbffa22414196891110a3f73579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dvds

Filesize
57KB

MD5
c7cf94f894c7bcaf8202c886ed3c8588

SHA1
120b89e8c28c402594243608fa61677a139d63eb

SHA256
ecf166deb2bdcf19e5cde8f3c4dae7de36f4bf957639cd0cf13677ff01479221

SHA512
957f2b869f70f923fd6edf1d78eeb4de4ef952354cf96fa3a18eb5c2f2d8d54a7b46b386ccf9d7957460643d4fc320c965966e3ae935e2290540676f9b26be39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fair

Filesize
20KB

MD5
eb4e8bf15b38bfc7429e8ab21e12836b

SHA1
82ff6f0de708c3b2b034101652dab6b9e6d2ebe8

SHA256
4b13945ba7616ed6e9154074d2411d863387257f3b39659feed3b694db55ad38

SHA512
76958dca9b66a4455bd5f2da481699afb6041bbfb89c1a07004da0a0f5e2d537badaf5eea8bab78397dc614f50602fb3b5d87018b2976b32f58fcd7fc2adbd05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fan

Filesize
49KB

MD5
f531c79387259e7ce063ce713713061b

SHA1
46385ca27183842557f7e071a56e4c4038f9a465

SHA256
0fb1ba32be3a78ce2eda216647450bfad824cb9d25cc29b834f76a66653827a2

SHA512
cc8a1da18022de045bae580e28e3bdf064b43a7bedd9997924e270b379dd9c7b619ceeb106e9faf4f2cf47aa512b1b80c9dca377d4d872fbaf5cc892ebea99cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kay

Filesize
5KB

MD5
352d5dafa2aa3abde0b7acc1288a3a7d

SHA1
5615d3bed0f23aea301025be07274adc57f55d02

SHA256
2ce56fd2010287b9ae502b53f42ba57808a2fe178beb85fd6db319825247fd38

SHA512
05a112f7161261bbc26f7418155204d3d4be0487e6b18f21fc9a8c4bfbaee5448171108e8d55a0fb0ea7fd5b1d7d90997139f39487f40c7e8404ad5a3d7f9138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kyle

Filesize
20KB

MD5
6de43da6d15873e130a70ab50c7e3e02

SHA1
952857fbd0804e51962a6d20b1c933739ba33739

SHA256
bd85df336508083a5654754910721742eac46f1379662fcd25c849172f0cad83

SHA512
06bd78365e33134f386ced950c76301aa557b88df575aa7586be4efa6824901d91db2c5a383f735d27ce4a0782b7b02d4eee1547ec2b38422de4472569feeba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lanes

Filesize
67KB

MD5
e9e6ab8c888400a767098b2fcbeeccd7

SHA1
e2083228358ec98668552e10095efd0c9146ee01

SHA256
dabd791bc831f914e68e2028c51b3a2c352ed8881b65e8affb78e9020ae62551

SHA512
ef0cb6fa9ce88a6a777be281e9f5e46e0a1ac1fbf3a0a5820741638a00e758e77273e2ad7e5549a1577c569f5ff5c0accaa03ce015582c5fcffc1c4cbbc9f6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Macro

Filesize
19KB

MD5
de3ca9a3a6a1c037954de25902fa5871

SHA1
04677d349bcf02a0819ff0d9d0093976df434eee

SHA256
87f0a751c83130091da8cc3ff6ec0a0d64c5933842fde9c7ac19e9f4c7ac8142

SHA512
fcb048c7bafeff30b86fc05fc24be2a76d0fefbc370730f7f34396e63dd3b1770b2615e29e44aff4a8eea9a4a498e6ac99cc6499678b7d30050bbcfbcb398c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Madrid

Filesize
84KB

MD5
3ad444dc5ce4c67ec18d89a0e37895c7

SHA1
4039a20d78b466c0e74c74ec5b7c4827dd5477a2

SHA256
079860f8f6c121d9db7b2ffa26beabb88784a29fb128ca30611470fda7405a32

SHA512
bf6c6c0760368d3372dedd1f85d8df09a6db590ae3c1f1090455468251c92bc33066a265611a91225952f3c3e5d469da4c47202db829ce033274177ac1e0cdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Missing

Filesize
94B

MD5
159c162bb31510b6b5a5134dc1daf17e

SHA1
815a92fa7a50bb00a2458ee76878aea3cf89e4f8

SHA256
e2d48abc3dfd6103eac2c30bb5482321da40e0ec00df3732ddeaa47ca9ac7016

SHA512
ecbac5356c2f88d41900f69f318b21c742b580bf1992d5b8888e8cf935ad9731f3b325eccd15cb9c8835546a7ebb4b6a31ee7dfec9be6747a9bc65688f0039d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Patio

Filesize
29KB

MD5
47735392bd404919870dc88db772c64f

SHA1
0a5e9a35aceefad5e74791eb267de76b44f0dd2e

SHA256
edc7ffd164880ed874cf2739dc99e73b3c5b1623f7330790c8c5207e0e18dd2f

SHA512
bcdb55bcf0d2ecc9605106f42f0ce851bdc51d44b027b9bea424582af5cbcc9e89f955c9000d6b8ba77b11c929d795378a296898f0a3cdccce0d3b0d5d0dd646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Podcasts

Filesize
37KB

MD5
e785fb3ceaecd2adaa5907a14f0ef983

SHA1
af1313aa58b953b109a3dc0bafe3bd5125ca397b

SHA256
e9f1d7156628fb634b6ca7a998f256ecd5fadb09c589cc72c4e83894cd0442f4

SHA512
b12f0e4c4c86aaafd4526e8ab7ea3dc933091f84e6e9aec2217339cbd51697f608a2cf353a4378af1f43d2847b46449392b8083b1e79a0aa9d36414957784a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Poems

Filesize
24KB

MD5
1ac4e634281593b6d0162d1779bac4af

SHA1
1267b8ff7ba52d555c282fad9e3abb5e0810d6d3

SHA256
cc46bc68bb4d8f8d2dd18c20131137cf9679e24c7bbe0a57aefa92d71a2ecf39

SHA512
d4d3cd6d3de73594748d37e6168ffa269f6e427671608b325a20e3d3695af1f5571d894079b0b472ec0d32bf175726a0a62aa71d36e30d6d1856cd307d006f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Presently

Filesize
23KB

MD5
87036bcd22a5d5f692a7ce541e743d5a

SHA1
ff3196257816c865c0159b71855056116b02fbee

SHA256
7e83535b61f6b433669168d49d7c21b580206974abbd63186bc1d55ef8fa3fa4

SHA512
5d61ea8773f1f4d1c15bec1c5f6ce2d3dad3c311b8885af0470c4380a9d300a8ff159f5ed6befff38d8a9a3f622ffac4332ae1b4c4bb200194638db3b6965f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Research

Filesize
27KB

MD5
6c298239609d5a3778b0ab54223024c6

SHA1
593ffb47a200fa24d1c1bb512f72fe8ce0a5fc17

SHA256
3980d4e08d4158e0b2692bcada88af77348eb080fd0af9fd0a87f4dad67c1a90

SHA512
663aa20e88f3f11c779657988201df4038eb733e3f25f899cb372729a44c3f9d02f08964c8c8d2590bc2707385b2ff455b7f8b4c706ba7d45d3a558ff61ca17a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sept

Filesize
31KB

MD5
41ae371e87c326225ed335aaa59a9136

SHA1
cdbb462e840c86fc72f1c9ac35676a1a3cfe4098

SHA256
8f9ae7a0b74f0b2810bc649f56732cbc16ae6a449fe53224141702f7035db877

SHA512
1e939d043cacf2aecddcd0504d981f6772cc354c7ecf122c6ba1fe057685b4b34ffcd406c1450c0aba3760edfd27dc281c4dc87a6166df842c57b9a0531c69e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Soul

Filesize
40KB

MD5
5d5870f64c46bb42d4b54ae43af19aa4

SHA1
77e19296551b089300d8d76402b474354a95ffc2

SHA256
37f43fbdd377f8acb12ff3895e2a454a9859292a4a41f3550febd432d516103f

SHA512
168bd235e13b69fc8ba635c3adddd46d00aa4b9eb24bf6f1c3126d894475e29a1218750746fd2291cd639a66952ca661edad4ea9fc2d907772f1ef6ac0b1caad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Supported

Filesize
13KB

MD5
6f8a934d946a094fe2482ac39efdc597

SHA1
aca7443ba7ee3b1aebf683c472490fd883dec314

SHA256
598d32663324c45200e49d419e28336e83917dde7ebcdcfd7cbdee4a2c91c60c

SHA512
77449418551ad58c5e8d75f2b0b181a87139ddbaf0047e4ca3b0ea2226fa09562757145cb347e704b84b576cb8b6b3260e7c01715dad65caac05184a10cf1f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tradition

Filesize
27KB

MD5
c78d80fe580749c6e4107f4f38f661f3

SHA1
23e2707bbfcda01327d3c2db7330549ca67d5872

SHA256
680c7fcb70415cb05f3e63c8ac25bbadd34a5c4d5352670c286c9a9911d4ba64

SHA512
4ff3d701e6bb4d6213f475486019ab8e6682c15cc5613032623ea39eba97536b68cefe4a291ef79a561028d5e443f9e1501a9875e45d656cc42ed7ccb4224432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tricks

Filesize
51KB

MD5
fbd1c96f486f1704f0e0c255b635a414

SHA1
b688cfd1386a76fab3915a78d673ae70cc5d1396

SHA256
1620529c7f677be13ba27610592ab05d150f1169d0e412d7e4d38d30cd7f3e56

SHA512
ff393366df58d64e8d20957c02ba47d012e78aca88f7878a7ca4d13f1a13dea5d53a57384a164b7abaaea5c2c0b7d7b82c23b445de3c9b504dfa9472b3d473b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Une

Filesize
37KB

MD5
c989debd0b8040ed48587336326037a9

SHA1
6c015ac1ea8349a7178a8ca357f607d5e3e8d0d1

SHA256
fa714ff8ab1dba6fc37299bc6f46d8a4ef34fb9632e9c6edfc9def106e6dac7c

SHA512
5dba22ef673724d430311dab0c13db4e28c3a37779d49534c9ba90f9e7b3486a12a20113c0ceba8bb16d110d28a34ca6b10500ae061731fee3232692e6677613

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\688318\Religions.pif

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
memory/1580-225-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1580-222-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1580-224-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2100-587-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/2100-589-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/2100-588-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/2944-584-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/2944-585-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/2944-586-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download