loaderbot | 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W1nnerFree CS2.exe
Size

21.4MB
MD5

7494cccce30350832ac77113f3cf28d8
SHA1

ffba86775e5dc0a12957249e5f2d1c48bb1c58f0
SHA256

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6
SHA512

94550c34c2887ca3227bfc559eeb2806bdd189b31bd866facbc5ed22ff2f6dc89684b268aa22a36c1b6a062deb2db6545d4e1b021a572f85fc9fcf7f65d059e7
SSDEEP

393216:KYd9oOoUptPemm5HCizqg+o1sg1t6u14FBmqXiW2wcpIZSFH+fbYdUvCAhZ:pdnh/Ge41L1th15qIT41fsdU6m

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 4 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231e6-16.dat	loaderbot
behavioral2/files/0x00090000000231e6-24.dat	loaderbot
behavioral2/files/0x00090000000231e6-25.dat	loaderbot
behavioral2/memory/5000-26-0x0000000000A90000-0x0000000000E8E000-memory.dmp	loaderbot

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/4480-1186-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1190-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1191-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1198-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1199-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1201-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1205-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1206-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1207-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1208-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1209-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1210-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1211-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1212-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1213-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/524-1214-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	W1nnerFree CS2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MinerMega.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

Executes dropped EXE 5 IoCs

pid	Process
1092	ExLoader_Installer.exe
5000	MinerMega.exe
3132	ExLoader_Installer.exe
4480	Driver.exe
524	Driver.exe

Loads dropped DLL 7 IoCs

pid	Process
660	W1nnerFree CS2.exe
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe
5000	MinerMega.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	MinerMega.exe
Token: SeLockMemoryPrivilege	4480	Driver.exe
Token: SeLockMemoryPrivilege	4480	Driver.exe
Token: SeLockMemoryPrivilege	524	Driver.exe
Token: SeLockMemoryPrivilege	524	Driver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3132	ExLoader_Installer.exe
3132	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1092	660	W1nnerFree CS2.exe	85
PID 660 wrote to memory of 1092	660	W1nnerFree CS2.exe	85
PID 660 wrote to memory of 5000	660	W1nnerFree CS2.exe	86
PID 660 wrote to memory of 5000	660	W1nnerFree CS2.exe	86
PID 660 wrote to memory of 5000	660	W1nnerFree CS2.exe	86
PID 1092 wrote to memory of 3132	1092	ExLoader_Installer.exe	87
PID 1092 wrote to memory of 3132	1092	ExLoader_Installer.exe	87
PID 3132 wrote to memory of 3360	3132	ExLoader_Installer.exe	88
PID 3132 wrote to memory of 3360	3132	ExLoader_Installer.exe	88
PID 3360 wrote to memory of 2896	3360	cmd.exe	90
PID 3360 wrote to memory of 2896	3360	cmd.exe	90
PID 3132 wrote to memory of 4440	3132	ExLoader_Installer.exe	93
PID 3132 wrote to memory of 4440	3132	ExLoader_Installer.exe	93
PID 4440 wrote to memory of 1788	4440	cmd.exe	92
PID 4440 wrote to memory of 1788	4440	cmd.exe	92
PID 5000 wrote to memory of 4480	5000	MinerMega.exe	95
PID 5000 wrote to memory of 4480	5000	MinerMega.exe	95
PID 5000 wrote to memory of 524	5000	MinerMega.exe	102
PID 5000 wrote to memory of 524	5000	MinerMega.exe	102

C:\Users\Admin\AppData\Local\Temp\W1nnerFree CS2.exe
"C:\Users\Admin\AppData\Local\Temp\W1nnerFree CS2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
        5⤵
        
        PID:2896
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
- C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe
  "C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:524

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
58KB

MD5
26c0ca03e9dbb773e3dc94784ade2945

SHA1
e1feda84dfe5aeec3cc2f26e07071eb29cb18a71

SHA256
c88286e59963a4b460864a3f76321b9bb645a2cc43ddc05bbcc26fbe002fdd6e

SHA512
81f6307e0b20ad29525d7dc31d269b6aa23caf3b9f93b02572aa4c99b776cf9a93bbc83cdc189a2d609e7b6fa2ae8d18045e270ff4dbd5c9e841a63ca9b3f443

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
160KB

MD5
2ead84d84868efb13f8ef2cc9899905a

SHA1
5b044f580c052eef4c2ab9e3f772446b2280ecde

SHA256
03377f1e71e58a58646b9443fa86c8d5e27d5457b08976b07c44a192b210f93b

SHA512
2065f2a79afac4fca286550a59cf98fd723e590591fc2272e26d9d1aa83cb21b5bf85cf2e55860d4dd7b313daac094049ab52f04e1fd6be309f17cb4bb7b2e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
94KB

MD5
c8e5574247f5a2468f71b53fc0279594

SHA1
c28d7c9cad48882beaeed0fba15cbc11fc2f949c

SHA256
0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0

SHA512
d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
1.8MB

MD5
0b8afb779fdaed5ef05e7ed31a7f20ae

SHA1
7d121c086e171a7c45e3f7cf71d091920511ea3c

SHA256
8afb8cdfb3a86be92c81753f49cb856f0dbd72d3451d16687b653eabf9acef68

SHA512
3d0443b321683309f013faf5dbadbe2ba7caeda50f276d59306d010e118754208b1aa1dbc1de4a920793601cfdc2d1769f9d34ab31af56cd628b1069ed2547d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
1.5MB

MD5
e26bd6bcb53360ef47f1a202239902fe

SHA1
46cb4603a0412aa3427d9ba61d6c64c3e3e9c6d0

SHA256
1550d47e3e3cc0cb3ac1afa4d4cafdf5b28cd60864d94c1cb40986e428fe8726

SHA512
dc80ccc0fa4e33af974d1028b0172f1a7d3c59857096d5fed455b8cc4c99bee328e6b3324a104f3afce065024bae5d63be9e0e1de5bdc84f069d815414316990

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
2.9MB

MD5
51e841164ca8915b20e507803718bfa7

SHA1
54b87d179bde4130ef92c727ddd962d0e53caa8d

SHA256
d1df1ef0581c3531c60041cfbf5af264cb39fdcb5c5207a023d63fe28c5f9e2a

SHA512
f250b88eb27631204414ed097ba3c610cf15c91c4efef0753b1f392489c1173de074402095293bddd230a5e3d152e1f0cbf04a82430aae0875dc1346ace70ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Warcraft.jpg

Filesize
52KB

MD5
a48a77f8b3f8f7e6a9661776472b14c0

SHA1
7118461b780b558939a325a319e8515edbbedef1

SHA256
2e58bd1444d8452ba963e877601e8942a1560abdd44c16ed33580148322234ba

SHA512
f6a8a2844d872b650fc6342f809198bf078cf2d472c1b43f18529a0216393f6494202ab3b95ffef560fdba4bee7a4c6a85be49d9151cbd52c0c870d65c6e47fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png

Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png

Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf

Filesize
159KB

MD5
35e0e2e7a5b03275ba569a214edbab77

SHA1
b341b185db9c7231884558dcdab0124d2f5ed1d0

SHA256
2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5

SHA512
e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf

Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf

Filesize
159KB

MD5
27f7ef17de3691b5cdb9f1ee1ee5cc6a

SHA1
1c92715c134738f2956bf758181522243c7586dd

SHA256
118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29

SHA512
6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf

Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf

Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg

Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
cf772cf9f6ca67f592fe47da2a15adb1

SHA1
9cc4d99249bdba8a030daf00d98252c8aef7a0ff

SHA256
ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30

SHA512
0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
3.3MB

MD5
932f4211e7267aa48c5cdb6dc3588f96

SHA1
404e72dc1ac687c5432d50a3b0c9e7c1f6beb85a

SHA256
be2cc8308ac5eaa837e0b433f1257e4eb7033f4d3bec1f8680b56f68c3b7ffbf

SHA512
6d38c92b8f95359649e251100f06525683e7c0f6e87a890af6bb74e9bd05d1a646f0452d85f3c9bc1d71c1575090a500915d8ede3c0a1a146d6e95167200bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
3.7MB

MD5
8eda8bfcdd8e2eac36c422df8f2e03f6

SHA1
14c21877b2e9eefa11f4ab3d84ad943f1f621879

SHA256
cb8b9a911a525282bbf7be11d7ff1f688314d9033ceb1c3f7777a9501a2202a3

SHA512
472ae156821eaa5fb816ab1036a31f427c125187a43bc96386b105d1fdd1396aef8fde2c466ac1ac149d58ec4dae4c1adec6c01745249b8c148731d53a07348d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
554KB

MD5
9aeacfd60c19fdb1af926ecf7e6eab87

SHA1
e18684b140af095c25628fcc599b600b2ef999a9

SHA256
7bb664a486e941d0f6004ef1eb48773c7c5f1be5f1cbf1aa5f9819a215863d5d

SHA512
8a9654018313ab79af95a92745b4faaa87b62210506bfd788919769878a43efaf6e48494b8b2c7ad6155adebb8b07cae0f06ef734e9042c858478e95e911c656

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
36KB

MD5
35628f1d136c003699382ea7d489cb16

SHA1
30dfd392927161182224f0e6b8aace235a00fbea

SHA256
0d6f93c5d19530a1623798f936468bc0934c1795545dd000b8812539b3e308cf

SHA512
558e6d729d39f25584191804e3b60f8fe8e9e950d58cd8f82eeaecb45c5bc86f2b9e9ac499ddabbee7dfe6a6ac6cb44cf63ced6e8105405ab9b314b5005d9cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4CDA.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe

Filesize
2.5MB

MD5
7a979ac9c3acfefbc4700e798f4283e7

SHA1
cc19c32bd1a742d23da448dd75051624fe004542

SHA256
070ef381260160c8cb182f95bc00331f1b3489120704f172d4c83e16c619f69e

SHA512
0c0fe4a88db822cf582277fe0bccf6dce4fe66355d8da820d41e95a8ad3abac84830cb443d86be10850a1a43f55f30fc4203ebf6c254a46f247adc827a0875b6

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe

Filesize
1.6MB

MD5
9021abc4d065b17a6344b57f28a00bec

SHA1
f035dfc0ffb94f6e09ce596e0dd5a113461ec7e0

SHA256
cfd1eee07d1b4c0f1260aacee5a284196553df0ecd2805db64a02415d3cf20a3

SHA512
557f82f71bd4568ed21180f3219e08b7e97441ffd8254d585bf9bf724b11b1e33b814f4c4ac1085537f2dc06235aa34e4a89e5f269239edf5ba8ca696b8e5d1e

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe

Filesize
6.0MB

MD5
01f9a273733965cac87088aec7f31cae

SHA1
f0e8703a3471b5ee58c0722197dc5be9b2d188ac

SHA256
141896803703cc2d421ac10c35e6adfb4e6feb9fb112e5d2a7603d3c072c89c7

SHA512
d743ece810039540e9739fcb0422187b4b6b23b44cbe8e817543575b59582274a5e017455387700b3858b51f9919de09ecbe6c3783722c208f457cbf007f06f1

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe

Filesize
2.1MB

MD5
aa8130dba4b9d0c2e0edd875a3590855

SHA1
90f99cbf1a86027dfd2c2b9225bc951cd15965c3

SHA256
e3e2f19a10f8806fc8f24cfaf242060cb69affa1791a0a50da57ef6dd0f809e9

SHA512
332fa72901800fa952344d7413b2d5dba8b85712cc7d84a877cb60d636ce591cb8916581a7260a80e12146ab658ad0f144dc7c57d10a8ac0d93838d934c762e6

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe

Filesize
1.9MB

MD5
e0c3712d9be4e38c1bdaa411e420c963

SHA1
d8537dd42f952bf5d0eea075922cbb3440e498e7

SHA256
0a46d3424737edc8e15817774e260d471a272d42938e38dbebf89a923ccb9995

SHA512
2fd352baabe22dce66ade5465c4552b4a206bf206c8a1e0a7b3e4bf0f66f2d631b8b5a50837dab9b348dfe722b0d0ae68d9cd86d5b764ddab8293c673d0ba674

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe

Filesize
2.3MB

MD5
5ab5d6de49ccc1ca1550ab45d4f684ea

SHA1
b796cbabaf9b808ebaec41b65ad4295fef765236

SHA256
c3310dc33f4726e9421d753e41eb7dd0bca0b2180a4affdc28ebcd43554889ef

SHA512
8ea136ecf509909b2db6669f1b62370b3951afc8015b978d141855720d5752450ae25557f877b8a369aaf9e432d357b66c78f51a2ee3738f9f04ac0ff6e3b870

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
612KB

MD5
c95a27b95cebbf61a6e23563e35d900c

SHA1
16e10f0fcb78acdadc5c7a6917fbd752238a45ee

SHA256
b2a96cba7b20bd1e404150c2f2685314cc19e3c396a2e31f8aaaf5457f868caa

SHA512
216acfc76310549d8e8e42a0328664ddaa95bcd94694faea10ce1208d723e103471078419111ac386b84b5d1cfdbd6a2a8141e09332869961c364697913db631

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
341KB

MD5
18016690ab5d60b74aeb8ac0ed695269

SHA1
a55ba80a6716eb0b2aca8340a33d297b252774d2

SHA256
bf1e1bb764b49a0bf0a3e2875f6e361fe4f11a669bb2b4f20b2de42adcaf62ea

SHA512
fabc743cb29cf2d0356dad75221a3c33e7d1590b6b6364319a60159517cb400ea60cff25c84d46f52033f20c03a332aaf682fa7edbae10ffdd10aa997ed00d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
333KB

MD5
0331a39166d0a19e4c20809c8dc97c1a

SHA1
9e25015dbc962e51ff9db66b297bd56932874096

SHA256
48b4ba2c114479639e59528971188bc229321af3035148963050e6ba9ddb5d2b

SHA512
d86ba1404b027bb67afe69e2b3ede486a0c8107f285ca4262c505a8ddd21d63c95c9caf11a58110816922be02b2216c89635c26634e35783084eea80131f82d9

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
780KB

MD5
ea4461b7dc3788667b3ea3a2688bbb5f

SHA1
6fe1bd8942c60e2d3cca6e091c6f5e4b4e73b848

SHA256
c5358ac6ab1238c1af59ef0916effc4c5ee193fadab048b828d623f7b9cd035c

SHA512
e127552d183f091165fc3905bf4c689b509164963d2385691054be2b053963c4a453d0be80de55985dc1f7a2e1409ff00f3f462ec4607bad5e821e6ff1cf5fd1

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
246B

MD5
46e90c44727444f9a8e235ce333e5a5d

SHA1
9c4b51b1c25604058466f28ed6c3313a264f03b3

SHA256
51562617bded054c697111387bc0533699a28d99c5e74401e2dda81491e83733

SHA512
f947ff4cb0a9f6ecbd46496a5af4f87bd1eafcbc3e962f9f04aeaf8148d7a4a100d5035c0b675faa64f98b9156690188f3fa35511041827d8eb7b62f77aaa5b3

Download Submit
memory/524-1189-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/524-1192-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/524-1214-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1213-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1212-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1205-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1204-0x00000000137E0000-0x0000000013800000-memory.dmp

Filesize
128KB

Download
memory/524-1203-0x00000000134B0000-0x00000000134D0000-memory.dmp

Filesize
128KB

Download
memory/524-1211-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1210-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1209-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1202-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/524-1201-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1190-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1191-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1206-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1208-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1194-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/524-1195-0x00000000134B0000-0x00000000134D0000-memory.dmp

Filesize
128KB

Download
memory/524-1207-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1197-0x00000000137E0000-0x0000000013800000-memory.dmp

Filesize
128KB

Download
memory/524-1198-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1199-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/524-1200-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/3132-1130-0x00000244ED3D0000-0x00000244EE1CD000-memory.dmp

Filesize
14.0MB

Download
memory/3132-1131-0x00000244ED290000-0x00000244ED291000-memory.dmp

Filesize
4KB

Download
memory/3132-1129-0x00000244ED3D0000-0x00000244EE1CD000-memory.dmp

Filesize
14.0MB

Download
memory/3132-1128-0x00000244ED3D0000-0x00000244EE1CD000-memory.dmp

Filesize
14.0MB

Download
memory/3132-1127-0x00000244EB180000-0x00000244EB181000-memory.dmp

Filesize
4KB

Download
memory/4480-1186-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4480-1185-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/4480-1183-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5000-1196-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/5000-1193-0x0000000073AA0000-0x0000000074250000-memory.dmp

Filesize
7.7MB

Download
memory/5000-27-0x0000000073AA0000-0x0000000074250000-memory.dmp

Filesize
7.7MB

Download
memory/5000-1172-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/5000-1173-0x00000000030B0000-0x00000000030C0000-memory.dmp

Filesize
64KB

Download
memory/5000-26-0x0000000000A90000-0x0000000000E8E000-memory.dmp

Filesize
4.0MB

Download