asyncrat | 847fe611efd7e9e6375b659664a9d53a4807d62d670cc8e591ad65b28297c58a

Analysis

max time kernel
108s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zwirAFK.exe
Size

63KB
MD5

c9df1c28f720e04d38a9c44598cb33f9
SHA1

6ad67b10c1e355a9586a1cec3ae813e112148a17
SHA256

847fe611efd7e9e6375b659664a9d53a4807d62d670cc8e591ad65b28297c58a
SHA512

8611057f93ad5feb5cbca3535b07b40bf47a9fa1f26d3d18bc96c0238e83a7cfb64a8ec4986f12e9492c1b6d496c3a4f7df8d7da77f764d31edc3e06629c99b2
SSDEEP

1536:cRnrEGV/tWnpgUbfh9o2cmlukdpqKmY7:cFEGV0pgUbf8zm7Gz

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

192.168.1.108:2024

Attributes

delay
1
install
true
install_file
OperaGx.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000016b9b-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1636	OperaGx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	zwirAFK.exe
1512	zwirAFK.exe
1512	zwirAFK.exe
1512	zwirAFK.exe
1512	zwirAFK.exe
1512	zwirAFK.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe
1636	OperaGx.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	zwirAFK.exe
Token: SeDebugPrivilege	1512	zwirAFK.exe
Token: SeDebugPrivilege	1636	OperaGx.exe
Token: SeDebugPrivilege	1636	OperaGx.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe
Token: SeShutdownPrivilege	840	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe
840	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2800	1512	zwirAFK.exe	31
PID 1512 wrote to memory of 2800	1512	zwirAFK.exe	31
PID 1512 wrote to memory of 2800	1512	zwirAFK.exe	31
PID 1512 wrote to memory of 2812	1512	zwirAFK.exe	33
PID 1512 wrote to memory of 2812	1512	zwirAFK.exe	33
PID 1512 wrote to memory of 2812	1512	zwirAFK.exe	33
PID 2800 wrote to memory of 2896	2800	cmd.exe	35
PID 2800 wrote to memory of 2896	2800	cmd.exe	35
PID 2800 wrote to memory of 2896	2800	cmd.exe	35
PID 2812 wrote to memory of 2356	2812	cmd.exe	36
PID 2812 wrote to memory of 2356	2812	cmd.exe	36
PID 2812 wrote to memory of 2356	2812	cmd.exe	36
PID 2812 wrote to memory of 1636	2812	cmd.exe	37
PID 2812 wrote to memory of 1636	2812	cmd.exe	37
PID 2812 wrote to memory of 1636	2812	cmd.exe	37
PID 840 wrote to memory of 652	840	chrome.exe	39
PID 840 wrote to memory of 652	840	chrome.exe	39
PID 840 wrote to memory of 652	840	chrome.exe	39
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 2476	840	chrome.exe	40
PID 840 wrote to memory of 1656	840	chrome.exe	41
PID 840 wrote to memory of 1656	840	chrome.exe	41
PID 840 wrote to memory of 1656	840	chrome.exe	41
PID 840 wrote to memory of 708	840	chrome.exe	42
PID 840 wrote to memory of 708	840	chrome.exe	42
PID 840 wrote to memory of 708	840	chrome.exe	42
PID 840 wrote to memory of 708	840	chrome.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\zwirAFK.exe
"C:\Users\Admin\AppData\Local\Temp\zwirAFK.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "OperaGx" /tr '"C:\Users\Admin\AppData\Roaming\OperaGx.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2896
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCA2.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Users\Admin\AppData\Roaming\OperaGx.exe
    "C:\Users\Admin\AppData\Roaming\OperaGx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70c9758,0x7fef70c9768,0x7fef70c9778
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:8
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:1
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1336 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:2
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3760 --field-trial-handle=1208,i,8820394833357744709,9518316794270431057,131072 /prefetch:1
  2⤵
  PID:1748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8796af39fcf2b3d44b60fdf1122867ac

SHA1
7cdb464eebf0c31e8ca6dd96c2f6005b9f374805

SHA256
1d1a5ecb5dd37971e0cf599cd9fb44d816325c9726ef8eadedf4fb69ba6363a7

SHA512
b7ac7280c04e24577944e2ff46fd5570c9fea97ba682cc2fdd32a6ea10c6b674df1bcc519eb13296aa800da88a1a09128b840484d44d7999a80a2d771c6e01d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
31bff9bd91669f54cf1646124da91aa6

SHA1
3138f336398a63b02ded81d6aba3134f3000ea70

SHA256
279c0c2e9678ba1c3cf6e8fa97cc5bc64dbb5c5e37ac05607a3e799e686fb624

SHA512
cfa7d3588af509fd13887052aad5b65e3195e2992d1bdd4f411bf6b0725e2d09540f26cb0b03fae845d796932d6f3f09183ca4fe69c0d5a211c7d79c3445051d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bfa2a5fe0adf06b4351c897625c2287e

SHA1
f67a06561e0c191860bda4c9916d20987378e776

SHA256
ace0e4bfc2ac238bad1949882251ff916c2faed014e034ec90b6958879e101fb

SHA512
ee676f97cc2f86d2b25fd4de48425c87545bc209271756e1e666209bed68e6c791e57fba7a8b614526b9cbb7390f6df561e5e7efd83318ef7171e069ca9cc85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
24b2135ca4a612d07dab58cb8c232381

SHA1
619a53386c504afffe8e68e9ac64b396f148737c

SHA256
b439e047a17d14ec3763bf33e268be6e1897acce5f72c2c90fba60ba6a04dfae

SHA512
cb1c9297a43ec8d2513608c03862ff0824c9edd4378a5fb3506be0ed8e79f7d35e5609ceb6d06a5f580908e5d30a7c1c26c9864687b9cc358ceb58e4d4f4e723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCA2.tmp.bat

Filesize
151B

MD5
71098d41b924e49f2b1d3839ed03c330

SHA1
c0d126cd93607c64460c2361769750cde7566204

SHA256
d6da18501d2161a20dcc6c4ed9d1f18153dcbb247698310471c2517ca1ec5540

SHA512
cf8c3d09e664c0c5f1c48a1d66b502232218bfec09d54c8515cf00f44542f60ea49e9b8eaacce6b12bda7514890f7ae834cbd988510210ef8b19cb8e684a864b

Download Submit
C:\Users\Admin\AppData\Roaming\OperaGx.exe

Filesize
63KB

MD5
c9df1c28f720e04d38a9c44598cb33f9

SHA1
6ad67b10c1e355a9586a1cec3ae813e112148a17

SHA256
847fe611efd7e9e6375b659664a9d53a4807d62d670cc8e591ad65b28297c58a

SHA512
8611057f93ad5feb5cbca3535b07b40bf47a9fa1f26d3d18bc96c0238e83a7cfb64a8ec4986f12e9492c1b6d496c3a4f7df8d7da77f764d31edc3e06629c99b2

Download Submit
memory/1512-13-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/1512-3-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/1512-1-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/1636-17-0x0000000001290000-0x00000000012A6000-memory.dmp

Filesize
88KB

Download