Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
02-10-2021 17:26
General
-
Target
https://usaupload.com/4SjY/MultiCheat.V5.rar
-
Sample
211002-v1azqaeffn
Score
10/10
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 4 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://usaupload.com/4SjY/MultiCheat.V5.rar1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff956754f50,0x7ff956754f60,0x7ff956754f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2144 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5856 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 /prefetch:82⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1428,16400994216326014863,16523408846344099367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MultiCheat.V5.rar"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\New folder\MultiCheat.exe"C:\Users\Admin\Desktop\New folder\MultiCheat.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess tempagx.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess Microsoft.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionProcess Microsofts.exe ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\ ; powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath D:\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Tempagx.exe"C:\Users\Admin\AppData\Local\Tempagx.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MicroSoft.exe"C:\Users\Admin\AppData\Roaming\MicroSoft.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\MicroSoft.exe" "MicroSoft.exe" ENABLE4⤵
-
C:\Users\Admin\AppData\Local\Tempagx.exe"C:\Users\Admin\AppData\Local\Tempagx.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tempagx.exe.logMD5
4b1382f82cb506f36d30c01d5d515bca
SHA1621aeafd1d115a27c71dd58c6211716c9640aba6
SHA256d01a9a6d2f90166ffccd93ebf12c3ba6dd2ab12a9c047a6449d5968cc92d4200
SHA5128700fd86011f3af3467ccb6c6d6c56f4004aada7a82186047dbba1cb01c3a2344213ecb1f1c67f3e20d269a79b0e61238b043a363047b050eecbd84bba4e65a5
-
C:\Users\Admin\AppData\Local\Tempagx.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\AppData\Local\Tempagx.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\AppData\Local\Tempagx.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\AppData\Local\Tempagx.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\AppData\Roaming\MicroSoft.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\AppData\Roaming\MicroSoft.exeMD5
a244bcc4ea1def56bb39df0d4f1623d7
SHA12d5ed47c3a0c398e44f281822f1494d5b9caa807
SHA256b30b7c721f63c18d597d657cbea69a7a3d9795a95adb0c947805f2b1fbe84348
SHA512f00bdd70632fa6e7a5e44f43f66e5b8b30b12a7558d97af0cfb3743f672dfb4a1c4253578481af92237f863dd4f7c099b5d590e5cedc889362a01d47fddb8d46
-
C:\Users\Admin\Desktop\New folder\MultiCheat.exeMD5
8f7e29a97b6d01efe7323ff5fc2dcbf2
SHA186d46ea08c1f1235ee3bc8dbbf87e6238ddf1f69
SHA2560454c97a761adc8d2565830844d8c03f55e32651d73f8f80c29298662b5a0aa9
SHA512cbce3e95cde104f3a12eb36bdda3690a2a2be10b5493c25709a1974abc4030fb2976be4101b8e4bc5e007c3100293cc9089a2a03ee93c2f37d5926217a9757fd
-
C:\Users\Admin\Desktop\New folder\MultiCheat.exeMD5
8f7e29a97b6d01efe7323ff5fc2dcbf2
SHA186d46ea08c1f1235ee3bc8dbbf87e6238ddf1f69
SHA2560454c97a761adc8d2565830844d8c03f55e32651d73f8f80c29298662b5a0aa9
SHA512cbce3e95cde104f3a12eb36bdda3690a2a2be10b5493c25709a1974abc4030fb2976be4101b8e4bc5e007c3100293cc9089a2a03ee93c2f37d5926217a9757fd
-
C:\Users\Admin\Downloads\MultiCheat.V5.rarMD5
29b1a0c5e5c2ba460ac0b3cc2bebc9fd
SHA1b920c819f3213047345d0dc66e0bddc71a4522e1
SHA25645599d4cc4414702f38919b538a619ace0a7e81f4745012dcebf80e6f03bc6c2
SHA512035965c99074ddc696c81d746e87b2fe78c643cc48b3acc538e9d99279d72bb169a3f5b42407c137b765a10a18db643352c7d82a5c8b3a1c65686e72288fd0af
-
\??\pipe\crashpad_2208_OWSTABNOIYVBROYQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/420-156-0x0000000000000000-mapping.dmp
-
memory/812-329-0x0000000000000000-mapping.dmp
-
memory/816-140-0x0000000000000000-mapping.dmp
-
memory/944-135-0x0000000000000000-mapping.dmp
-
memory/1864-255-0x0000000000000000-mapping.dmp
-
memory/1880-635-0x0000000000000000-mapping.dmp
-
memory/1880-643-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/2032-288-0x0000000000000000-mapping.dmp
-
memory/2352-117-0x0000000000000000-mapping.dmp
-
memory/2392-163-0x0000000000000000-mapping.dmp
-
memory/3156-121-0x0000000000000000-mapping.dmp
-
memory/3156-123-0x00007FF9618C0000-0x00007FF9618C1000-memory.dmpFilesize
4KB
-
memory/3188-286-0x0000000000000000-mapping.dmp
-
memory/3320-260-0x0000000000000000-mapping.dmp
-
memory/3556-129-0x0000000000000000-mapping.dmp
-
memory/3564-305-0x0000000000000000-mapping.dmp
-
memory/3668-122-0x0000000000000000-mapping.dmp
-
memory/3684-647-0x0000000000000000-mapping.dmp
-
memory/3684-656-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/3876-151-0x0000000000000000-mapping.dmp
-
memory/3924-166-0x0000000000000000-mapping.dmp
-
memory/4136-177-0x0000000000000000-mapping.dmp
-
memory/4152-265-0x0000000000000000-mapping.dmp
-
memory/4220-184-0x0000000000000000-mapping.dmp
-
memory/4232-368-0x0000000006BB0000-0x0000000006BB1000-memory.dmpFilesize
4KB
-
memory/4232-372-0x00000000067E0000-0x00000000067E1000-memory.dmpFilesize
4KB
-
memory/4232-598-0x0000000008FB0000-0x0000000008FB1000-memory.dmpFilesize
4KB
-
memory/4232-398-0x00000000067E3000-0x00000000067E4000-memory.dmpFilesize
4KB
-
memory/4232-396-0x0000000008E50000-0x0000000008E51000-memory.dmpFilesize
4KB
-
memory/4232-391-0x0000000008CF0000-0x0000000008CF1000-memory.dmpFilesize
4KB
-
memory/4232-592-0x0000000008FC0000-0x0000000008FC1000-memory.dmpFilesize
4KB
-
memory/4232-397-0x000000007EFE0000-0x000000007EFE1000-memory.dmpFilesize
4KB
-
memory/4232-399-0x0000000009010000-0x0000000009011000-memory.dmpFilesize
4KB
-
memory/4232-367-0x0000000006E20000-0x0000000006E21000-memory.dmpFilesize
4KB
-
memory/4232-384-0x0000000008D10000-0x0000000008D43000-memory.dmpFilesize
204KB
-
memory/4232-366-0x0000000001160000-0x0000000001161000-memory.dmpFilesize
4KB
-
memory/4232-376-0x0000000007DD0000-0x0000000007DD1000-memory.dmpFilesize
4KB
-
memory/4232-375-0x0000000007A90000-0x0000000007A91000-memory.dmpFilesize
4KB
-
memory/4232-374-0x0000000007580000-0x0000000007581000-memory.dmpFilesize
4KB
-
memory/4232-373-0x00000000067E2000-0x00000000067E3000-memory.dmpFilesize
4KB
-
memory/4232-369-0x0000000006CD0000-0x0000000006CD1000-memory.dmpFilesize
4KB
-
memory/4232-371-0x00000000076A0000-0x00000000076A1000-memory.dmpFilesize
4KB
-
memory/4232-362-0x0000000000000000-mapping.dmp
-
memory/4232-370-0x0000000007450000-0x0000000007451000-memory.dmpFilesize
4KB
-
memory/4236-272-0x0000000000000000-mapping.dmp
-
memory/4240-188-0x0000000000000000-mapping.dmp
-
memory/4324-633-0x0000000005700000-0x0000000005BFE000-memory.dmpFilesize
5.0MB
-
memory/4324-363-0x0000000005700000-0x0000000005BFE000-memory.dmpFilesize
5.0MB
-
memory/4324-361-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/4324-360-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/4324-359-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/4324-358-0x0000000005C00000-0x0000000005C01000-memory.dmpFilesize
4KB
-
memory/4324-357-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/4324-355-0x0000000000A30000-0x0000000000A31000-memory.dmpFilesize
4KB
-
memory/4336-644-0x0000000000000000-mapping.dmp
-
memory/4352-335-0x0000000000000000-mapping.dmp
-
memory/4356-338-0x0000000000000000-mapping.dmp
-
memory/4392-197-0x0000000000000000-mapping.dmp
-
memory/4396-279-0x0000000000000000-mapping.dmp
-
memory/4504-350-0x0000000000000000-mapping.dmp
-
memory/4504-201-0x0000000000000000-mapping.dmp
-
memory/4588-208-0x0000000000000000-mapping.dmp
-
memory/4604-211-0x0000000000000000-mapping.dmp
-
memory/4620-625-0x0000000000000000-mapping.dmp
-
memory/4620-634-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/4668-300-0x0000000000000000-mapping.dmp
-
memory/4672-341-0x0000000000000000-mapping.dmp
-
memory/4768-222-0x0000000000000000-mapping.dmp
-
memory/4792-308-0x0000000000000000-mapping.dmp
-
memory/4824-227-0x0000000000000000-mapping.dmp
-
memory/4876-231-0x0000000000000000-mapping.dmp
-
memory/4888-234-0x0000000000000000-mapping.dmp
-
memory/4936-346-0x0000000000000000-mapping.dmp
-
memory/4952-240-0x0000000000000000-mapping.dmp
-
memory/4996-243-0x0000000000000000-mapping.dmp
-
memory/5012-321-0x0000000000000000-mapping.dmp
-
memory/5056-250-0x0000000000000000-mapping.dmp
-
memory/5084-325-0x0000000000000000-mapping.dmp