Malware Analysis Report

2024-11-16 13:39

Sample ID 240530-2hsv5sdb43
Target FizzyCheat.rar
SHA256 2e992e8dec38852aa826e898b601fc3591b982b10162475704f3394e4bc5f0a9
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e992e8dec38852aa826e898b601fc3591b982b10162475704f3394e4bc5f0a9

Threat Level: Known bad

The file FizzyCheat.rar was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 22:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 22:35

Reported

2024-05-30 22:38

Platform

win7-20231129-en

Max time kernel

138s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2364 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2364 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2664 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2256 wrote to memory of 2664 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2256 wrote to memory of 2664 N/A C:\Windows\system32\rundll32.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

MD5 74b9fb954e75a22593c8af07b109012a
SHA1 44e339cc361f8948084b4c296ecddd92716d118a
SHA256 6f1335919add21929992f0120305ea905400729a04bb616b66f04454ea143afb
SHA512 2a4c5abd0373dde5d6c501e9039e95bd8e166eff766fa875d4108961be7a7ecfef9feba11997e24de1358b69dd3d5c338a6f126cff7293e19840a362dbd74e2d

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

MD5 2a4006ee7a5e9862693c9ca25470a226
SHA1 3f19ab02ed708349ce5f7e347a6d120237c02d20
SHA256 59938d1e769636ae0411c56d03b5af228f9b14e6bef2d33e4c1793468e3dd797
SHA512 64e078acacb9137395ffc78213b035ad4ca583137fcd15beadfba505b90ba70ced94339f9410aef33d1fbef00982facacb9b2bcc758d9e6c6c1e730b4a2c5d2b

memory/2664-92-0x000007FEFB510000-0x000007FEFB544000-memory.dmp

memory/2664-91-0x000000013F2E0000-0x000000013F3D8000-memory.dmp

memory/2664-94-0x000007FEFB810000-0x000007FEFB828000-memory.dmp

memory/2664-96-0x000007FEF7BF0000-0x000007FEF7C01000-memory.dmp

memory/2664-95-0x000007FEFB610000-0x000007FEFB627000-memory.dmp

memory/2664-98-0x000007FEF7BB0000-0x000007FEF7BC1000-memory.dmp

memory/2664-97-0x000007FEF7BD0000-0x000007FEF7BE7000-memory.dmp

memory/2664-99-0x000007FEF7B90000-0x000007FEF7BAD000-memory.dmp

memory/2664-100-0x000007FEF7B70000-0x000007FEF7B81000-memory.dmp

memory/2664-93-0x000007FEF63C0000-0x000007FEF6674000-memory.dmp

memory/2664-118-0x000007FEF4FE0000-0x000007FEF5004000-memory.dmp

memory/2664-115-0x000007FEF6D20000-0x000007FEF6D31000-memory.dmp

memory/2664-122-0x000007FEF4F50000-0x000007FEF4F62000-memory.dmp

memory/2664-101-0x000007FEF5310000-0x000007FEF63BB000-memory.dmp

memory/2664-121-0x000007FEF4F70000-0x000007FEF4F81000-memory.dmp

memory/2664-120-0x000007FEF4F90000-0x000007FEF4FB3000-memory.dmp

memory/2664-119-0x000007FEF4FC0000-0x000007FEF4FD7000-memory.dmp

memory/2664-117-0x000007FEF5010000-0x000007FEF5038000-memory.dmp

memory/2664-116-0x000007FEF5040000-0x000007FEF5096000-memory.dmp

memory/2664-114-0x000007FEF50A0000-0x000007FEF510F000-memory.dmp

memory/2664-113-0x000007FEF6920000-0x000007FEF6987000-memory.dmp

memory/2664-112-0x000007FEF6D40000-0x000007FEF6D70000-memory.dmp

memory/2664-111-0x000007FEF6D70000-0x000007FEF6D88000-memory.dmp

memory/2664-110-0x000007FEF6F50000-0x000007FEF6F61000-memory.dmp

memory/2664-109-0x000007FEF7950000-0x000007FEF796B000-memory.dmp

memory/2664-108-0x000007FEF7970000-0x000007FEF7981000-memory.dmp

memory/2664-107-0x000007FEF7990000-0x000007FEF79A1000-memory.dmp

memory/2664-106-0x000007FEF79B0000-0x000007FEF79C1000-memory.dmp

memory/2664-105-0x000007FEF7B10000-0x000007FEF7B28000-memory.dmp

memory/2664-104-0x000007FEF79D0000-0x000007FEF79F1000-memory.dmp

memory/2664-103-0x000007FEF7B30000-0x000007FEF7B6F000-memory.dmp

memory/2664-102-0x000007FEF5110000-0x000007FEF5310000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 22:35

Reported

2024-05-30 22:38

Platform

win10v2004-20240226-en

Max time kernel

131s

Max time network

132s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Steam.exe" C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4836 wrote to memory of 676 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2556 wrote to memory of 1708 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2556 wrote to memory of 1708 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2556 wrote to memory of 1708 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2792 wrote to memory of 2008 N/A C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe
PID 2008 wrote to memory of 4332 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe
PID 2008 wrote to memory of 4332 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe
PID 1708 wrote to memory of 2916 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe
PID 2008 wrote to memory of 1628 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 2008 wrote to memory of 1628 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 2008 wrote to memory of 1628 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 1708 wrote to memory of 2040 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 1708 wrote to memory of 2040 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 1708 wrote to memory of 2040 N/A C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe C:\Windows\SysWOW64\WWAHost.exe
PID 4332 wrote to memory of 2652 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2652 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3248 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3248 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3532 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3532 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3092 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 3092 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 4312 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\schtasks.exe
PID 4332 wrote to memory of 4312 N/A C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe

"C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe"

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe

"C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe

"C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe"

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe

"C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe

pngquant.exe

C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe

pngquant.exe

C:\Windows\SysWOW64\WWAHost.exe

WWAHost.exe

C:\Windows\SysWOW64\WWAHost.exe

WWAHost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\FizzyLoader\pngquant.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pngquant.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Steam.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Local\Steam.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zE4A26D608\FizzyLoader\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\Desktop\FizzyLoader\.FizzyLoader..exe

MD5 0b65f0386ba941b6b611c06e5fc13bc9
SHA1 2b14f00ea554baa5f77c764078bd3f6e5f196178
SHA256 b240d620b5fcd62182a16433c4990014d0a67e3a096838c0e6b2d849140b3199
SHA512 211e93004a447bde01f0f8d9426c05026b6acb2ced055166a2e2a551d93d62d8a96173efdb99617bb200234d00d76207a5321f5b442fb087aa75097b1801fd1c

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javaw.exe

MD5 48c96771106dbdd5d42bba3772e4b414
SHA1 e84749b99eb491e40a62ed2e92e4d7a790d09273
SHA256 a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22
SHA512 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

memory/2556-473-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\zip.dll

MD5 cb99b83bbc19cd0e1c2ec6031d0a80bc
SHA1 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd
SHA256 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec
SHA512 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\ext\meta-index

MD5 77abe2551c7a5931b70f78962ac5a3c7
SHA1 a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc
SHA256 c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
SHA512 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

C:\Users\Admin\Desktop\FizzyLoader\lib\asm-all.jar

MD5 f5ad16c7f0338b541978b0430d51dc83
SHA1 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a
SHA256 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d
SHA512 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

C:\Users\Admin\Desktop\FizzyLoader\lib\gson.jar

MD5 5134a2350f58890ffb9db0b40047195d
SHA1 751f548c85fa49f330cecbb1875893f971b33c4e
SHA256 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32
SHA512 c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

C:\Users\Admin\Desktop\FizzyLoader\lib\jfoenix.jar

MD5 6316f84bc78d40b138dab1adc978ca5d
SHA1 b12ea05331ad89a9b09937367ebc20421f17b9ff
SHA256 d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17
SHA512 1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-gui-ext.jar

MD5 6696368a09c7f8fed4ea92c4e5238cee
SHA1 f89c282e557d1207afd7158b82721c3d425736a7
SHA256 c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4
SHA512 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-desktop-ext.jar

MD5 b50e2c75f5f0e1094e997de8a2a2d0ca
SHA1 d789eb689c091536ea6a01764bada387841264cb
SHA256 cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23
SHA512 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-core.jar

MD5 7e5e3d6d352025bd7f093c2d7f9b21ab
SHA1 ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57
SHA256 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a
SHA512 c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-app-framework.jar

MD5 0c8768cdeb3e894798f80465e0219c05
SHA1 c4da07ac93e4e547748ecc26b633d3db5b81ce47
SHA256 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669
SHA512 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

C:\Users\Admin\Desktop\FizzyLoader\lib\dn-php-sdk.jar

MD5 3e5e8cccff7ff343cbfe22588e569256
SHA1 66756daa182672bff27e453eed585325d8cc2a7a
SHA256 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4
SHA512 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

C:\Users\Admin\Desktop\FizzyLoader\lib\dn-compiled-module.jar

MD5 20c17a402fb2bd39771b085d6e8b3f97
SHA1 02afdab2fbad65ab2c667ff6e9a7832e4c7aa693
SHA256 e4a417ee30442d3d3dfdcf8aea00114468a0872a72976b3148985c8453c60080
SHA512 f27aa90a4958f1feafbaa816d4e2c6fa27da670b447fc5f54f07ec4750270137c4c13503eed5cc6ff0933dc7e96a9bada54ba99732ccf93447ecc82685dbf6ae

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-runtime.jar

MD5 d5ef47c915bef65a63d364f5cf7cd467
SHA1 f711f3846e144dddbfb31597c0c165ba8adf8d6b
SHA256 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6
SHA512 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\ext\jfxrt.jar

MD5 042b3675517d6a637b95014523b1fd7d
SHA1 82161caf5f0a4112686e4889a9e207c7ba62a880
SHA256 a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22
SHA512 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-json-ext.jar

MD5 fde38932b12fc063451af6613d4470cc
SHA1 bc08c114681a3afc05fb8c0470776c3eae2eefeb
SHA256 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830
SHA512 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-gui-jfoenix-ext.jar

MD5 d093f94c050d5900795de8149cb84817
SHA1 54058dda5c9e66a22074590072c8a48559bba1fb
SHA256 4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba
SHA512 3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

memory/1708-530-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-xml-ext.jar

MD5 0a79304556a1289aa9e6213f574f3b08
SHA1 7ee3bde3b1777bf65d4f62ce33295556223a26cd
SHA256 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79
SHA512 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

C:\Users\Admin\Desktop\FizzyLoader\lib\jphp-zend-ext.jar

MD5 4bc2aea7281e27bc91566377d0ed1897
SHA1 d02d897e8a8aca58e3635c009a16d595a5649d44
SHA256 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288
SHA512 da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\currency.data

MD5 f6258230b51220609a60aa6ba70d68f3
SHA1 b5b95dd1ddcd3a433db14976e3b7f92664043536
SHA256 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441
SHA512 b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

memory/1708-547-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\security\java.security

MD5 409c132fe4ea4abe9e5eb5a48a385b61
SHA1 446d68298be43eb657934552d656fa9ae240f2a2
SHA256 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
SHA512 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\net.dll

MD5 691b937a898271ee2cffab20518b310b
SHA1 abedfcd32c3022326bc593ab392dea433fcf667c
SHA256 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61
SHA512 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\nio.dll

MD5 95edb3cb2e2333c146a4dd489ce67cbd
SHA1 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a
SHA256 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31
SHA512 ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\tzdb.dat

MD5 5a7f416bd764e4a0c2deb976b1d04b7b
SHA1 e12754541a58d7687deda517cdda14b897ff4400
SHA256 a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d
SHA512 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\tzmappings

MD5 b8dd8953b143685b5e91abeb13ff24f0
SHA1 b5ceb39061fce39bb9d7a0176049a6e2600c419c
SHA256 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272
SHA512 c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\resources.jar

MD5 9a084b91667e7437574236cd27b7c688
SHA1 d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1
SHA256 a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d
SHA512 d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

memory/1708-578-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\msvcr120.dll

MD5 034ccadc1c073e4216e9466b720f9849
SHA1 f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA256 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA512 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\msvcp120.dll

MD5 fd5cabbe52272bd76007b68186ebaf00
SHA1 efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA256 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA512 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

memory/1708-610-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\prism_d3d.dll

MD5 5aadadf700c7771f208dda7ce60de120
SHA1 e9cf7e7d1790dc63a58106c416944fd6717363a5
SHA256 89dac9792c884b70055566564aa12a8626c3aa127a89303730e66aba3c045f79
SHA512 624431a908c2a835f980391a869623ee1fa1f5a1a41f3ee08040e6395b8c11734f76fe401c4b9415f2055e46f60a7f9f2ac0a674604e5743ab8301dbadf279f2

memory/1708-613-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1708-617-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\glass.dll

MD5 434cbb561d7f326bbeffa2271ecc1446
SHA1 3d9639f6da2bc8ac5a536c150474b659d0177207
SHA256 1edd9022c10c27bbba2ad843310458edaead37a9767c6fc8fddaaf1adfcbc143
SHA512 9e37b985ecf0b2fef262f183c1cd26d437c8c7be97aa4ec4cd8c75c044336cc69a56a4614ea6d33dc252fe0da8e1bbadc193ff61b87be5dce6610525f321b6dc

memory/2792-623-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1708-640-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1708-639-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\b120ffeccee68964.timestamp

MD5 6c101f0308ffc0a0b8a9c8b1d045ebff
SHA1 9275af0b9c4c5a3c69dfa0da6d9a04a5b0d68309
SHA256 1f75fed211fc299d1f4da3acc7b34a3e4a7ad8b4bd6ba18c707121e571932b60
SHA512 858180925d46c657c7bee7a1ddde0e2f14631aef41687ddd453333af40f72c7ff870fda354fbcdbafbd4ed9de006e99d821d370405c8a8a7a581048857aa5892

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\javafx_font.dll

MD5 aeada06201bb8f5416d5f934aaa29c87
SHA1 35bb59febe946fb869e5da6500ab3c32985d3930
SHA256 f8f0b1e283fd94bd87abca162e41afb36da219386b87b0f6a7e880e99073bda3
SHA512 89bad9d1115d030b98e49469275872fff52d8e394fe3f240282696cf31bccf0b87ff5a0e9a697a05befcfe9b24772d65ed73c5dbd168eed111700caad5808a78

C:\Users\Admin\Desktop\FizzyLoader\jre\bin\awt.dll

MD5 159ccf1200c422ced5407fed35f7e37d
SHA1 177a216b71c9902e254c0a9908fcb46e8d5801a9
SHA256 30eb581c99c8bcbc54012aa5e6084b6ef4fcee5d9968e9cc51f5734449e1ff49
SHA512 ab3f4e3851313391b5b8055e4d526963c38c4403fa74fb70750cc6a2d5108e63a0e600978fa14a7201c48e1afd718a1c6823d091c90d77b17562b7a4c8c40365

C:\Users\Admin\Desktop\FizzyLoader\jre\lib\accessibility.properties

MD5 9e5e954bc0e625a69a0a430e80dcf724
SHA1 c29c1f37a2148b50a343db1a4aa9eb0512f80749
SHA256 a46372b05ce9f40f5d5a775c90d7aa60687cd91aaa7374c499f0221229bf344e
SHA512 18a8277a872fb9e070a1980eee3ddd096ed0bba755db9b57409983c1d5a860e9cbd3b67e66ff47852fe12324b84d4984e2f13859f65fabe2ff175725898f1b67

memory/4332-863-0x00000000007F0000-0x0000000000802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03imos2f.bbw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2652-982-0x00000265F0040000-0x00000265F0062000-memory.dmp

C:\Users\Admin\AppData\Local\Steam.exe

MD5 6570c2748e36a6849d7560c21b289834
SHA1 7a57e5f4d0d4d34b15a1658bd8e7aa7c7ec19efc
SHA256 942f214b27507cd041d46f034403e5b6db0ff9867b4c5ec287f019dcd83d3fc3
SHA512 f0d9d3ac74228bb5332372d4508a582248c1b1549273a626a3e70b577d18d898c3955fec5fff0382a70dcec251a1db1289ad61d8a1fd6d853f85b3d0ca65dae9