quasar | 571ddfbe3251be2f3908505e755ebf70dab52fe6bf6cddf875991afa940efaab

Analysis

max time kernel
55s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FenixCheatBETA.exe
Size

25.5MB
MD5

4ffd42d26dc1f942be4154c18ce3be55
SHA1

44dfc8e59cbbdda58d03f81ef4ea57566f528858
SHA256

571ddfbe3251be2f3908505e755ebf70dab52fe6bf6cddf875991afa940efaab
SHA512

d50cfc6b488fb701c643e08a48a9e69af50ab7c6589f2911bb07abf411777d0fb34a136e91f19896b3da518e85c82f2c276c6baffecb3f8d20820a9e2ac6df54
SSDEEP

393216:erES87bfONTU7MEmKbOaVan4W2tlXXQ1K3BflIYGloxEHJy9SN/AjMQ2bgQaQsiB:I8vV7TXSaQZ+cGflUYEWgtQogQaa23W

Score

10^/10

quasar fenixfn office04 evasion spyware themida trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

products-behalf.at.ply.gg:6320

Mutex

c23b61cb-eabd-4e27-8555-54877e46a96f

Attributes

encryption_key
46B3B352EE74A03CFD2F29605A3A4FEDFCA67DDD
install_name
Microsoft.exe
log_directory
crashlogs
reconnect_delay
3000
startup_key
Microsoft Windows
subdirectory
Microsoft

Extracted

Family

quasar

Version

1.4.0

Botnet

FenixFN

region-remarks.at.ply.gg:28982

Mutex

d8be406e-39d8-4c7b-9a06-eddd3d2b4731

Attributes

encryption_key
B7C9B35BDD90869A55A0CEF7257C297ED4BAE201
install_name
Dashboard.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
C:\Users\Admin\AppData\Roaming\1.exe	family_quasar
behavioral1/memory/4996-157-0x0000000000C60000-0x0000000000CE4000-memory.dmp	family_quasar
behavioral1/memory/3624-221-0x0000000000B20000-0x00000000013B8000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe	family_quasar
behavioral1/memory/3624-225-0x0000000000B20000-0x00000000013B8000-memory.dmp	family_quasar
behavioral1/memory/3624-412-0x0000000000B20000-0x00000000013B8000-memory.dmp	family_quasar
behavioral1/memory/1476-416-0x0000000001000000-0x0000000001898000-memory.dmp	family_quasar
behavioral1/memory/1476-417-0x0000000001000000-0x0000000001898000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

SYSWOW64.exeupdater.execonhost.exe

description	pid	process	target process
PID 2224 created 3152	2224	SYSWOW64.exe	Explorer.EXE
PID 2224 created 3152	2224	SYSWOW64.exe	Explorer.EXE
PID 2216 created 3152	2216	updater.exe	Explorer.EXE
PID 916 created 3152	916	conhost.exe	Explorer.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Roblox Player.exeFenixCheat_Packages.exeDashboard.exeFenixCheat.exeFenixCheat_Packages.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Roblox Player.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FenixCheat_Packages.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Dashboard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FenixCheat.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FenixCheat_Packages.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FenixCheat.exeFenixCheat_Packages.exeRoblox Player.exeFenixCheat_Packages.exeDashboard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Roblox Player.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Roblox Player.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Dashboard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Dashboard.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FenixCheatBETA.exeFenixCheatBETA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FenixCheatBETA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FenixCheatBETA.exe

Executes dropped EXE 12 IoCs

Processes:

FenixCheatBETA.exe1.exeFenixCheat.exeSYSWOW64.exeFenixCheat_Packages.exeRoblox Player.exeFenixCheatPACKAGES.exeFenixCheatLoader.exeMicrosoft.exeFenixCheat_Packages.exeDashboard.exeupdater.exe

pid	process
4304	FenixCheatBETA.exe
4996	1.exe
3624	FenixCheat.exe
2224	SYSWOW64.exe
3332	FenixCheat_Packages.exe
1664	Roblox Player.exe
332	FenixCheatPACKAGES.exe
636	FenixCheatLoader.exe
4572	Microsoft.exe
1704	FenixCheat_Packages.exe
1476	Dashboard.exe
2216	updater.exe

Loads dropped DLL 52 IoCs

Processes:

FenixCheat_Packages.exe

pid	process
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe

Themida packer 32 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
C:\Users\Admin\AppData\Roaming\Roblox Player.exe	themida
behavioral1/memory/3332-219-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3624-221-0x0000000000B20000-0x00000000013B8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
behavioral1/memory/3624-225-0x0000000000B20000-0x00000000013B8000-memory.dmp	themida
behavioral1/memory/3332-226-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3332-240-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3332-245-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3332-250-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3332-248-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/3332-252-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe	themida
behavioral1/memory/1704-342-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-343-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-344-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-346-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-347-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-348-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-349-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\FenixCheat.exe	themida
behavioral1/memory/3624-412-0x0000000000B20000-0x00000000013B8000-memory.dmp	themida
behavioral1/memory/1476-416-0x0000000001000000-0x0000000001898000-memory.dmp	themida
behavioral1/memory/1476-417-0x0000000001000000-0x0000000001898000-memory.dmp	themida
behavioral1/memory/3332-420-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-442-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida
behavioral1/memory/1704-678-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp	themida

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI33322\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\pythoncom310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\psutil\_psutil_windows.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libssl-1_1.dll	upx
behavioral1/memory/1704-424-0x00007FFF085D0000-0x00007FFF085DB000-memory.dmp	upx
behavioral1/memory/1704-426-0x00007FFF02E00000-0x00007FFF0326E000-memory.dmp	upx
behavioral1/memory/1704-430-0x00007FFF0FAA0000-0x00007FFF0FAAF000-memory.dmp	upx
behavioral1/memory/1704-433-0x00007FFF06BD0000-0x00007FFF06BFF000-memory.dmp	upx
behavioral1/memory/1704-434-0x00007FFF06DD0000-0x00007FFF06DE9000-memory.dmp	upx
behavioral1/memory/1704-437-0x00007FFF00F30000-0x00007FFF00FF1000-memory.dmp	upx
behavioral1/memory/1704-439-0x00007FFF06AF0000-0x00007FFF06B0C000-memory.dmp	upx
behavioral1/memory/1704-441-0x00007FFF00AD0000-0x00007FFF00E45000-memory.dmp	upx
behavioral1/memory/1704-443-0x00007FFF02E00000-0x00007FFF0326E000-memory.dmp	upx
behavioral1/memory/1704-452-0x00007FFF00F30000-0x00007FFF00FF1000-memory.dmp	upx
behavioral1/memory/1704-457-0x00007FFF00A10000-0x00007FFF00AC8000-memory.dmp	upx
behavioral1/memory/1704-462-0x00007FFF00730000-0x00007FFF008A1000-memory.dmp	upx
behavioral1/memory/1704-465-0x00007FFF06B60000-0x00007FFF06B6C000-memory.dmp	upx
behavioral1/memory/1704-476-0x00007FFF00690000-0x00007FFF0069C000-memory.dmp	upx
behavioral1/memory/1704-482-0x00007FFF00610000-0x00007FFF00620000-memory.dmp	upx
behavioral1/memory/1704-489-0x00007FFF00480000-0x00007FFF00496000-memory.dmp	upx
behavioral1/memory/1704-495-0x00007FFF001B0000-0x00007FFF003FE000-memory.dmp	upx
behavioral1/memory/1704-490-0x00007FFF00450000-0x00007FFF0047B000-memory.dmp	upx
behavioral1/memory/1704-488-0x00007FFF004A0000-0x00007FFF004AE000-memory.dmp	upx
behavioral1/memory/1704-487-0x00007FFF004B0000-0x00007FFF004EF000-memory.dmp	upx
behavioral1/memory/1704-486-0x00007FFF004F0000-0x00007FFF00505000-memory.dmp	upx
behavioral1/memory/1704-485-0x00007FFF00510000-0x00007FFF00523000-memory.dmp	upx
behavioral1/memory/1704-484-0x00007FFF005D0000-0x00007FFF005EB000-memory.dmp	upx
behavioral1/memory/1704-483-0x00007FFF005F0000-0x00007FFF00604000-memory.dmp	upx
behavioral1/memory/1704-481-0x00007FFF00620000-0x00007FFF00635000-memory.dmp	upx
behavioral1/memory/1704-480-0x00007FFF00640000-0x00007FFF0064C000-memory.dmp	upx
behavioral1/memory/1704-479-0x00007FFF00650000-0x00007FFF00662000-memory.dmp	upx
behavioral1/memory/1704-478-0x00007FFF00670000-0x00007FFF0067D000-memory.dmp	upx
behavioral1/memory/1704-477-0x00007FFF00680000-0x00007FFF0068C000-memory.dmp	upx
behavioral1/memory/1704-475-0x00007FFF006A0000-0x00007FFF006AB000-memory.dmp	upx
behavioral1/memory/1704-474-0x00007FFF006B0000-0x00007FFF006BB000-memory.dmp	upx
behavioral1/memory/1704-473-0x00007FFF006C0000-0x00007FFF006CC000-memory.dmp	upx
behavioral1/memory/1704-472-0x00007FFF006D0000-0x00007FFF006DC000-memory.dmp	upx
behavioral1/memory/1704-471-0x00007FFF006E0000-0x00007FFF006EE000-memory.dmp	upx
behavioral1/memory/1704-470-0x00007FFF006F0000-0x00007FFF006FD000-memory.dmp	upx
behavioral1/memory/1704-469-0x00007FFF00700000-0x00007FFF0070C000-memory.dmp	upx
behavioral1/memory/1704-468-0x00007FFF00710000-0x00007FFF0071B000-memory.dmp	upx
behavioral1/memory/1704-467-0x00007FFF00720000-0x00007FFF0072C000-memory.dmp	upx
behavioral1/memory/1704-466-0x00007FFF06AE0000-0x00007FFF06AEB000-memory.dmp	upx
behavioral1/memory/1704-464-0x00007FFF07930000-0x00007FFF0793B000-memory.dmp	upx
behavioral1/memory/1704-461-0x00007FFF008B0000-0x00007FFF008CF000-memory.dmp	upx
behavioral1/memory/1704-460-0x00007FFF008D0000-0x00007FFF009E8000-memory.dmp	upx
behavioral1/memory/1704-459-0x00007FFF090C0000-0x00007FFF090CD000-memory.dmp	upx
behavioral1/memory/1704-458-0x00007FFF009F0000-0x00007FFF00A04000-memory.dmp	upx
behavioral1/memory/1704-456-0x00007FFF00AD0000-0x00007FFF00E45000-memory.dmp	upx
behavioral1/memory/1704-455-0x00007FFF00F00000-0x00007FFF00F2E000-memory.dmp	upx
behavioral1/memory/1704-440-0x00007FFF00F00000-0x00007FFF00F2E000-memory.dmp	upx
behavioral1/memory/1704-438-0x00007FFF09AC0000-0x00007FFF09ACA000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Dashboard.exeFenixCheat.exeFenixCheat_Packages.exeRoblox Player.exeFenixCheat_Packages.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dashboard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FenixCheat.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FenixCheat_Packages.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Roblox Player.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FenixCheat_Packages.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 api.ipify.org
46 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

FenixCheat.exeFenixCheat_Packages.exeRoblox Player.exeFenixCheat_Packages.exeDashboard.exe

pid process

3624 FenixCheat.exe
3332 FenixCheat_Packages.exe
1664 Roblox Player.exe
1704 FenixCheat_Packages.exe
1476 Dashboard.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 2216 set thread context of 916 2216 updater.exe conhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4604 schtasks.exe
2312 schtasks.exe
760 schtasks.exe
1992 schtasks.exe

flow	ioc
45	api.ipify.org
46	api.ipify.org

pid	process
3624	FenixCheat.exe
3332	FenixCheat_Packages.exe
1664	Roblox Player.exe
1704	FenixCheat_Packages.exe
1476	Dashboard.exe

description	pid	process	target process
PID 2216 set thread context of 916	2216	updater.exe	conhost.exe

pid	process
4604	schtasks.exe
2312	schtasks.exe
760	schtasks.exe
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

SYSWOW64.exepowershell.exepowershell.exeFenixCheat_Packages.exepowershell.exeupdater.exepowershell.execonhost.exe

pid	process
2224	SYSWOW64.exe
2224	SYSWOW64.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
1704	FenixCheat_Packages.exe
2224	SYSWOW64.exe
2224	SYSWOW64.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
2216	updater.exe
2216	updater.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
2216	updater.exe
916	conhost.exe
916	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1.exepowershell.exeMicrosoft.exeFenixCheat.exepowershell.exeFenixCheat_Packages.exeDashboard.exe

description	pid	process
Token: SeDebugPrivilege	4996	1.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4572	Microsoft.exe
Token: SeDebugPrivilege	3624	FenixCheat.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	1704	FenixCheat_Packages.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe
Token: SeManageVolumePrivilege	4580	powershell.exe
Token: 33	4580	powershell.exe
Token: 34	4580	powershell.exe
Token: 35	4580	powershell.exe
Token: 36	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe
Token: SeManageVolumePrivilege	4580	powershell.exe
Token: 33	4580	powershell.exe
Token: 34	4580	powershell.exe
Token: 35	4580	powershell.exe
Token: 36	4580	powershell.exe
Token: SeDebugPrivilege	1476	Dashboard.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Microsoft.exeDashboard.exe

pid process

4572 Microsoft.exe
1476 Dashboard.exe

pid	process
4572	Microsoft.exe
1476	Dashboard.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

FenixCheatBETA.exeFenixCheatBETA.exe1.exeFenixCheatLoader.exeFenixCheatPACKAGES.exeFenixCheat_Packages.exeMicrosoft.execmd.exeFenixCheat.execmd.exeFenixCheat_Packages.exeDashboard.execmd.exepowershell.exeupdater.execmd.exeRoblox Player.exemsedge.exe

description	pid	process	target process
PID 1964 wrote to memory of 4304	1964	FenixCheatBETA.exe	FenixCheatBETA.exe
PID 1964 wrote to memory of 4304	1964	FenixCheatBETA.exe	FenixCheatBETA.exe
PID 1964 wrote to memory of 4996	1964	FenixCheatBETA.exe	1.exe
PID 1964 wrote to memory of 4996	1964	FenixCheatBETA.exe	1.exe
PID 4304 wrote to memory of 3624	4304	FenixCheatBETA.exe	FenixCheat.exe
PID 4304 wrote to memory of 3624	4304	FenixCheatBETA.exe	FenixCheat.exe
PID 4304 wrote to memory of 3624	4304	FenixCheatBETA.exe	FenixCheat.exe
PID 4304 wrote to memory of 2224	4304	FenixCheatBETA.exe	SYSWOW64.exe
PID 4304 wrote to memory of 2224	4304	FenixCheatBETA.exe	SYSWOW64.exe
PID 4996 wrote to memory of 4604	4996	1.exe	schtasks.exe
PID 4996 wrote to memory of 4604	4996	1.exe	schtasks.exe
PID 4304 wrote to memory of 3332	4304	FenixCheatBETA.exe	FenixCheat_Packages.exe
PID 4304 wrote to memory of 3332	4304	FenixCheatBETA.exe	FenixCheat_Packages.exe
PID 4304 wrote to memory of 1664	4304	FenixCheatBETA.exe	Roblox Player.exe
PID 4304 wrote to memory of 1664	4304	FenixCheatBETA.exe	Roblox Player.exe
PID 4304 wrote to memory of 1664	4304	FenixCheatBETA.exe	Roblox Player.exe
PID 4304 wrote to memory of 636	4304	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 4304 wrote to memory of 636	4304	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 4304 wrote to memory of 636	4304	FenixCheatBETA.exe	FenixCheatLoader.exe
PID 4304 wrote to memory of 332	4304	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 4304 wrote to memory of 332	4304	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 4304 wrote to memory of 332	4304	FenixCheatBETA.exe	FenixCheatPACKAGES.exe
PID 4996 wrote to memory of 4572	4996	1.exe	Microsoft.exe
PID 4996 wrote to memory of 4572	4996	1.exe	Microsoft.exe
PID 636 wrote to memory of 4056	636	FenixCheatLoader.exe	cmd.exe
PID 636 wrote to memory of 4056	636	FenixCheatLoader.exe	cmd.exe
PID 332 wrote to memory of 4332	332	FenixCheatPACKAGES.exe	cmd.exe
PID 332 wrote to memory of 4332	332	FenixCheatPACKAGES.exe	cmd.exe
PID 3332 wrote to memory of 1704	3332	FenixCheat_Packages.exe	FenixCheat_Packages.exe
PID 3332 wrote to memory of 1704	3332	FenixCheat_Packages.exe	FenixCheat_Packages.exe
PID 4572 wrote to memory of 2312	4572	Microsoft.exe	schtasks.exe
PID 4572 wrote to memory of 2312	4572	Microsoft.exe	schtasks.exe
PID 4056 wrote to memory of 3984	4056	cmd.exe	powershell.exe
PID 4056 wrote to memory of 3984	4056	cmd.exe	powershell.exe
PID 3624 wrote to memory of 1992	3624	FenixCheat.exe	schtasks.exe
PID 3624 wrote to memory of 1992	3624	FenixCheat.exe	schtasks.exe
PID 3624 wrote to memory of 1992	3624	FenixCheat.exe	schtasks.exe
PID 4332 wrote to memory of 2936	4332	cmd.exe	cacls.exe
PID 4332 wrote to memory of 2936	4332	cmd.exe	cacls.exe
PID 3624 wrote to memory of 1476	3624	FenixCheat.exe	Dashboard.exe
PID 3624 wrote to memory of 1476	3624	FenixCheat.exe	Dashboard.exe
PID 3624 wrote to memory of 1476	3624	FenixCheat.exe	Dashboard.exe
PID 1704 wrote to memory of 4196	1704	FenixCheat_Packages.exe	cmd.exe
PID 1704 wrote to memory of 4196	1704	FenixCheat_Packages.exe	cmd.exe
PID 4332 wrote to memory of 1788	4332	cmd.exe	wscript.exe
PID 4332 wrote to memory of 1788	4332	cmd.exe	wscript.exe
PID 1476 wrote to memory of 760	1476	Dashboard.exe	schtasks.exe
PID 1476 wrote to memory of 760	1476	Dashboard.exe	schtasks.exe
PID 1476 wrote to memory of 760	1476	Dashboard.exe	schtasks.exe
PID 1704 wrote to memory of 3164	1704	FenixCheat_Packages.exe	cmd.exe
PID 1704 wrote to memory of 3164	1704	FenixCheat_Packages.exe	cmd.exe
PID 3164 wrote to memory of 4968	3164	cmd.exe	WMIC.exe
PID 3164 wrote to memory of 4968	3164	cmd.exe	WMIC.exe
PID 4764 wrote to memory of 4664	4764	powershell.exe	schtasks.exe
PID 4764 wrote to memory of 4664	4764	powershell.exe	schtasks.exe
PID 2216 wrote to memory of 916	2216	updater.exe	conhost.exe
PID 4864 wrote to memory of 4896	4864	cmd.exe	WMIC.exe
PID 4864 wrote to memory of 4896	4864	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 3424	1664	Roblox Player.exe	msedge.exe
PID 1664 wrote to memory of 3424	1664	Roblox Player.exe	msedge.exe
PID 3424 wrote to memory of 4492	3424	msedge.exe	msedge.exe
PID 3424 wrote to memory of 4492	3424	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\FenixCheatBETA.exe
"C:\Users\Admin\AppData\Local\Temp\FenixCheatBETA.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Roaming\FenixCheat.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Dashboard.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FenixCheat.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1992

C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
"C:\Users\Admin\AppData\Roaming\SYSWOW64.exe"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
"C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
6⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
7⤵
PID:4968

C:\Users\Admin\AppData\Roaming\Roblox Player.exe
"C:\Users\Admin\AppData\Roaming\Roblox Player.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Roblox Player.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
5⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fff0b0046f8,0x7fff0b004708,0x7fff0b004718
6⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
6⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
6⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
6⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
6⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
6⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15608819899080211407,12578153042956283822,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
6⤵
PID:5088

C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\97EF.tmp\97F0.tmp\97F1.bat C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Start-Process elevated.bat -Verb runas"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
"C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9BD7.tmp\9BD8.tmp\9BD9.bat C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
6⤵
PID:2936

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
6⤵
PID:1788

C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\1.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4604

C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Microsoft Windows" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gmnga#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cabjutuff#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4664

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe wifbcredad
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:4896

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gmnga#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:3376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FenixCheatBETA.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\83f2619b-c9e7-40ba-884a-f6f2775696dc.tmp
Filesize
9KB

MD5
e2c6584b1261be20fe4f984fec0b3998

SHA1
3e5b7b44fc4ece73c365ca7aff3de2aba80cc18f

SHA256
c105795d81f538d1c86dd5a8665d4441d6564030c3f3d5d0756df9d445768045

SHA512
bdada7539e61fab627ea13b80418031d08173c1f271d7497cb39399b7c5b6f38dbd323bfb5e19f4a65945ea68a0e5a50b255e08d9e0da7d9fed67f2cc97b7ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
300d003af3578e2b0b4c9c0ad71b7b6d

SHA1
617ab45fa36d1889da74fd17a1b1420fbf3b5994

SHA256
924fdf59cd23bd7a19bb99a78457d23fc2be695b40539035357b372be8b78422

SHA512
b628d40b5bc8e5f9a6fd9c754a145c7341fe1a500d3b5408c65c320b9aadf3ded62a741221fa8dcef15b118df0b18cd83113d8ff3abd8d7f8a4d551215e7521f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe576ce3.TMP
Filesize
48B

MD5
d285765bb324bfc529469651732e5ae5

SHA1
8f94f25b2392981544c9e1fad4c7a8d95d66a135

SHA256
b2fae93754a3f9f8726311ce100e6ad7e4aa841d65e7b100be584eca55fe3e0c

SHA512
b7d1dead37dfe214ea545db35e321594d0e950bf7e05de520e8a87a882e5dc4611586c52cd98c219c11399f7ce2e2e98d032faff15c30fe118b6eaa610ce5e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
99c086604e056340982fdaa546efa0f5

SHA1
bf3b6a0676841b16b298e9d31afd0fea0eb15fc7

SHA256
21c41b542991465e1a18e3863f4277ab641ee33ad5dfd7323c1b54e271c21f23

SHA512
fdf082c33efec305926c0d9f1a1b837382af2def52dc07128d5f516ceab6db8efa052def0ccf9a931c1bdda411cc3bb501d904b7d3a967b317b707f8a314030b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
615fc9ea00cf3a8b9f58ce83b925becd

SHA1
61c7a1ac18d2a8e0e6c8874ef4d57453910f9ccf

SHA256
a7d60795c34db1f857550c2a02c87c66a72baef4266c596327ffbd93092ccc11

SHA512
0bd1e8f6dfe9c63cde80f957504a4d6bf18863eac81eb26ec6c104f863d08fab3b54c0342d26b9ed14ced73938055dc08a6058a98901b1487055722b3219bfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
77c27058cd26e0c05b1b8138c222ee0c

SHA1
e30d9cf0f5013eb4109956a9bde3aea088106910

SHA256
54a7c5db3858bf832b8faa5e06c1604f33e39acac6f5faa112b9460df623c6bb

SHA512
0491e699df5fa452b495f370fd32d88ee074e0a76470877d223d63fdd76dda9932e5ac1a78d14a22a64441eb63492a33f25b6e7a1b67b62aeeb5a5a508a7b24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1196d74a30eaf18b797d3cd286f1709a

SHA1
a5ab5c33c1ab73922f87e3dc8ac7341a1c1d5f06

SHA256
37471566e58b2bc0930cb131083c77cec71b599b5d9e2b79e8c38811886400c5

SHA512
204db8f5b97d9203d832ed2e60d04d79c89068fc5d2103d9db5b65b9bb138f2b482291388f0edfe48df86268b22435bc38eddd4ad1539512006ab0317795e5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\97EF.tmp\97F0.tmp\97F1.bat
Filesize
3KB

MD5
76e341356371b52b90cb6fc4de9e4c73

SHA1
a422976b20d653418ef731590ee02f003cd2a3f7

SHA256
1f567fc0fed78d5fee2a59ae12ae82abf6b520ce72f4a135b2f89e2bedcdc61c

SHA512
c4a875d540da0596103fae67cd67b8502ea1a09362045d209f98a7ca3d432adc06b7312b2a4c12a2bd5f177a2d70dc0af1453a7a6133bdfc4387f11265229c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BD7.tmp\9BD8.tmp\9BD9.bat
Filesize
3KB

MD5
b98c87aab10a1fd144da6bae1021ed61

SHA1
46e95d33aae128eaf460871896a9c4ea5d60296b

SHA256
914a07bb1bd8414c2c4e45021fd8175b44cb84d3a88cbc841f0b2df3a3fb512b

SHA512
92eee2680305309721b24341ad6b12e822088a771227585514cae39ec461c653d07804b250ddff827cd00136414f063ba3ae897f9beea08a39bdcea33a1a1344

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_bz2.pyd
Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_bz2.pyd
Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ctypes.pyd
Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ctypes.pyd
Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_hashlib.pyd
Filesize
33KB

MD5
0d723bc34592d5bb2b32cf259858d80e

SHA1
eacfabd037ba5890885656f2485c2d7226a19d17

SHA256
f2b927aaa856d23f628b01380d5a19bfe9233db39c9078c0e0585d376948c13f

SHA512
3e79455554d527d380adca39ac10dbf3914ca4980d8ee009b7daf30aeb4e9359d9d890403da9cc2b69327c695c57374c390fa780a8fd6148bbea3136138ead33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_hashlib.pyd
Filesize
33KB

MD5
0d723bc34592d5bb2b32cf259858d80e

SHA1
eacfabd037ba5890885656f2485c2d7226a19d17

SHA256
f2b927aaa856d23f628b01380d5a19bfe9233db39c9078c0e0585d376948c13f

SHA512
3e79455554d527d380adca39ac10dbf3914ca4980d8ee009b7daf30aeb4e9359d9d890403da9cc2b69327c695c57374c390fa780a8fd6148bbea3136138ead33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_lzma.pyd
Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_lzma.pyd
Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_queue.pyd
Filesize
24KB

MD5
0d267bb65918b55839a9400b0fb11aa2

SHA1
54e66a14bea8ae551ab6f8f48d81560b2add1afc

SHA256
13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c

SHA512
c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_queue.pyd
Filesize
24KB

MD5
0d267bb65918b55839a9400b0fb11aa2

SHA1
54e66a14bea8ae551ab6f8f48d81560b2add1afc

SHA256
13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c

SHA512
c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_socket.pyd
Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_socket.pyd
Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_sqlite3.pyd
Filesize
48KB

MD5
7b45afc909647c373749ef946c67d7cf

SHA1
81f813c1d8c4b6497c01615dcb6aa40b92a7bd20

SHA256
a5f39bfd2b43799922e303a3490164c882f6e630777a3a0998e89235dc513b5e

SHA512
fe67e58f30a2c95d7d42a102ed818f4d57baa524c5c2d781c933de201028c75084c3e836ff4237e066f3c7dd6a5492933c3da3fee76eb2c50a6915996ef6d7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ssl.pyd
Filesize
60KB

MD5
1e643c629f993a63045b0ff70d6cf7c6

SHA1
9af2d22226e57dc16c199cad002e3beb6a0a0058

SHA256
4a50b4b77bf9e5d6f62c7850589b80b4caa775c81856b0d84cb1a73d397eb38a

SHA512
9d8cd6e9c03880cc015e87059db28ff588881679f8e3f5a26a90f13e2c34a5bd03fb7329d9a4e33c4a01209c85a36fc999e77d9ece42cebdb738c2f1fd6775af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ssl.pyd
Filesize
60KB

MD5
1e643c629f993a63045b0ff70d6cf7c6

SHA1
9af2d22226e57dc16c199cad002e3beb6a0a0058

SHA256
4a50b4b77bf9e5d6f62c7850589b80b4caa775c81856b0d84cb1a73d397eb38a

SHA512
9d8cd6e9c03880cc015e87059db28ff588881679f8e3f5a26a90f13e2c34a5bd03fb7329d9a4e33c4a01209c85a36fc999e77d9ece42cebdb738c2f1fd6775af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_uuid.pyd
Filesize
21KB

MD5
81dfa68ca3cb20ced73316dbc78423f6

SHA1
8841cf22938aa6ee373ff770716bb9c6d9bc3e26

SHA256
d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190

SHA512
e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_uuid.pyd
Filesize
21KB

MD5
81dfa68ca3cb20ced73316dbc78423f6

SHA1
8841cf22938aa6ee373ff770716bb9c6d9bc3e26

SHA256
d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190

SHA512
e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\base_library.zip
Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libcrypto-1_1.dll
Filesize
1.1MB

MD5
da5fe6e5cfc41381025994f261df7148

SHA1
13998e241464952d2d34eb6e8ecfcd2eb1f19a64

SHA256
de045c36ae437a5b40fc90a8a7cc037facd5b7e307cfcf9a9087c5f1a6a2cf18

SHA512
a0d7ebf83204065236439d495eb3c97be093c41daac2e6cfbbb1aa8ffeac049402a3dea7139b1770d2e1a45e08623a56a94d64c8f0c5be74c5bae039a2bc6ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libcrypto-1_1.dll
Filesize
1.1MB

MD5
da5fe6e5cfc41381025994f261df7148

SHA1
13998e241464952d2d34eb6e8ecfcd2eb1f19a64

SHA256
de045c36ae437a5b40fc90a8a7cc037facd5b7e307cfcf9a9087c5f1a6a2cf18

SHA512
a0d7ebf83204065236439d495eb3c97be093c41daac2e6cfbbb1aa8ffeac049402a3dea7139b1770d2e1a45e08623a56a94d64c8f0c5be74c5bae039a2bc6ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libssl-1_1.dll
Filesize
203KB

MD5
48d792202922fffe8ea12798f03d94de

SHA1
f8818be47becb8ccf2907399f62019c3be0efeb5

SHA256
8221a76831a103b2b2ae01c3702d0bba4f82f2afd4390a3727056e60b28650cc

SHA512
69f3a8b556dd517ae89084623f499ef89bd0f97031e3006677ceed330ed13fcc56bf3cde5c9ed0fc6c440487d13899ffda775e6a967966294cadfd70069b2833

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libssl-1_1.dll
Filesize
203KB

MD5
48d792202922fffe8ea12798f03d94de

SHA1
f8818be47becb8ccf2907399f62019c3be0efeb5

SHA256
8221a76831a103b2b2ae01c3702d0bba4f82f2afd4390a3727056e60b28650cc

SHA512
69f3a8b556dd517ae89084623f499ef89bd0f97031e3006677ceed330ed13fcc56bf3cde5c9ed0fc6c440487d13899ffda775e6a967966294cadfd70069b2833

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\psutil\_psutil_windows.pyd
Filesize
34KB

MD5
04d71bdd54b4c79cfaf21c1aa0a80132

SHA1
12bec0411eee3dbed5146696ca17857a4d49cf0d

SHA256
ea7faaa075c0ca0747be4fef7d19bda21b05f6d176d1cbad2611f481f49efe23

SHA512
c7712b271681327fc1a20c8ae3d06fed940c0ac37fe24c60e2424f9e9e152227998e0c229e7409c0d0a7538c9aa12699665fbdf0ed50d42c6577cd4fb3efd6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\psutil\_psutil_windows.pyd
Filesize
34KB

MD5
04d71bdd54b4c79cfaf21c1aa0a80132

SHA1
12bec0411eee3dbed5146696ca17857a4d49cf0d

SHA256
ea7faaa075c0ca0747be4fef7d19bda21b05f6d176d1cbad2611f481f49efe23

SHA512
c7712b271681327fc1a20c8ae3d06fed940c0ac37fe24c60e2424f9e9e152227998e0c229e7409c0d0a7538c9aa12699665fbdf0ed50d42c6577cd4fb3efd6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python3.DLL
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python310.dll
Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python310.dll
Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\pythoncom310.dll
Filesize
195KB

MD5
c1dda655900c76a359534ce503035e05

SHA1
2ee4ada253f10c1a8facb105698cafff2b53b5e8

SHA256
26258ad7f04fcb9a1e2ab9ba0b04a586031e5d81c3d2c1e1d40418978253c4cd

SHA512
b55b6469a59752601a9d1996c2ae5245ca6b919468c057d8fc0253e3b314db376a597de2879d1e72a60c3662dfefbcb08d286b38022b041b937d39082855d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\pythoncom310.dll
Filesize
195KB

MD5
c1dda655900c76a359534ce503035e05

SHA1
2ee4ada253f10c1a8facb105698cafff2b53b5e8

SHA256
26258ad7f04fcb9a1e2ab9ba0b04a586031e5d81c3d2c1e1d40418978253c4cd

SHA512
b55b6469a59752601a9d1996c2ae5245ca6b919468c057d8fc0253e3b314db376a597de2879d1e72a60c3662dfefbcb08d286b38022b041b937d39082855d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\pywintypes310.dll
Filesize
61KB

MD5
2dcfb72036a89f11709f1317ff413883

SHA1
818406cca32c15520d6423bbb97cdfa8d8a7d786

SHA256
ac8b3341e756bc59358e36f390980ca46ec2a631dd8bf8739b4288484b131a4e

SHA512
5fe7c45f09245db2572d771ec0bb7c83cab5b4b2dea15378549b7029cc6a4c7beebb40f763346f9a4343a6eacfb6cf0ade2ef36838cce4db100b5d4d843ca74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\pywintypes310.dll
Filesize
61KB

MD5
2dcfb72036a89f11709f1317ff413883

SHA1
818406cca32c15520d6423bbb97cdfa8d8a7d786

SHA256
ac8b3341e756bc59358e36f390980ca46ec2a631dd8bf8739b4288484b131a4e

SHA512
5fe7c45f09245db2572d771ec0bb7c83cab5b4b2dea15378549b7029cc6a4c7beebb40f763346f9a4343a6eacfb6cf0ade2ef36838cce4db100b5d4d843ca74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\select.pyd
Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\select.pyd
Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\unicodedata.pyd
Filesize
287KB

MD5
ca3baebf8725c7d785710f1dfbb2736d

SHA1
8f9aec2732a252888f3873967d8cc0139ff7f4e5

SHA256
f2d03a39556491d1ace63447b067b38055f32f5f1523c01249ba18052c599b4c

SHA512
5c2397e4dcb361a154cd3887c229bcf7ef980acbb4b851a16294d5df6245b2615cc4b42f6a95cf1d3c49b735c2f7025447247d887ccf4cd964f19f14e4533470

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\unicodedata.pyd
Filesize
287KB

MD5
ca3baebf8725c7d785710f1dfbb2736d

SHA1
8f9aec2732a252888f3873967d8cc0139ff7f4e5

SHA256
f2d03a39556491d1ace63447b067b38055f32f5f1523c01249ba18052c599b4c

SHA512
5c2397e4dcb361a154cd3887c229bcf7ef980acbb4b851a16294d5df6245b2615cc4b42f6a95cf1d3c49b735c2f7025447247d887ccf4cd964f19f14e4533470

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\win32api.pyd
Filesize
48KB

MD5
23b6e4591cf72f3dea00bbe7e1570bf6

SHA1
d1b3459afdbcc94e13415ac112abda3693ba75a2

SHA256
388458feb3634bfced86140073ce3f027f1ae4a2ec73aa7f4b18d5475513f9da

SHA512
e40f42cf2b6fb5261cd9b653e03011375157a5ce7ff99b6db7ecc1eab9bc356b2e989ed43ba7c1ec904e58549da3cd5d153405d6d76d4a9485f18e02442ac4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\win32api.pyd
Filesize
48KB

MD5
23b6e4591cf72f3dea00bbe7e1570bf6

SHA1
d1b3459afdbcc94e13415ac112abda3693ba75a2

SHA256
388458feb3634bfced86140073ce3f027f1ae4a2ec73aa7f4b18d5475513f9da

SHA512
e40f42cf2b6fb5261cd9b653e03011375157a5ce7ff99b6db7ecc1eab9bc356b2e989ed43ba7c1ec904e58549da3cd5d153405d6d76d4a9485f18e02442ac4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kugshajo.lko.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat.exe
Filesize
3.2MB

MD5
51b2907fe15dd50bd41bd5417c3733de

SHA1
022600d58c781dd4c7a15f2e2ad71747b3efd7d2

SHA256
2447924f5b63ec9f0afb8d62186d1ae31f43463ded5f734da036dcbe6b881568

SHA512
88de9f1177b51ac34609bccbfdfe18027d2303c94fee13f543384e278a6137e7fef30e974a0b006cb4bbc1ef8d4ec167b4a230dcdc5c9aaf3570305317f86303

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatBETA.exe
Filesize
25.0MB

MD5
f00f33766abff8d3c19b2f50da25a43f

SHA1
14b6feb45d2100735b9d98a8b7a6d421185ab223

SHA256
2ad50ca480a52bebf45cdfe575f494de3abd9ec7544b40118709bdae1702ff20

SHA512
896532703d0dbb020902e45bad40c5994d9703486c270fd282970000ceed121c6fc19854ad53ecc895073caa851b0b998161bc3655ff3cb426b2335eff95a940

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatLoader.exe
Filesize
92KB

MD5
5420719577ade0ce46f9b30dcf2fe5a4

SHA1
71e2ad869c6729fd67211252363afe802f01fdc8

SHA256
848512cbb2f8e5173f4e41a724138435a7bc568737ea31fa096912da917a794d

SHA512
6f33508d28cf862cb1897673fa51d6bffe135cc7a253516aa6c5f125913a51f7bad2ad2fae9f242d0b42bf818d2d705d6c3793b3651fca14ce278e69fa8eb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheatPACKAGES.exe
Filesize
92KB

MD5
d2d1d69518930a5e2dff77febe0e3dd5

SHA1
f50b6638b170d854c033eacf232e6cc9787c66a5

SHA256
9c176690242a29e7ab149a0e41004e0a5f3ec95427329bbd6a6c3f212a69a16a

SHA512
1ba5b46a5db92a7d3ceb9cabdd785701230db7df2c50a5ea8b08469a8cdda424b8a100f5a78a5353fd0161d85006a880bd0e5680461510f35ef8e1cfdca9cf84

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\FenixCheat_Packages.exe
Filesize
17.0MB

MD5
3d85da94e872f4de17fe571f9bccb121

SHA1
0a6081645c9085afb4e02a8618ad202299599db9

SHA256
e3d6d1a6d580b382b0ebfafdcbf9a1286ff4953e93c3a338ba670b0102e1b72c

SHA512
6fd7f9acbe552a8e4dc31605c56c39fa140f754fdfbebc2d8b3b6254b47ee759f8ec44f2c4556b87598ad468158eb74b7b5bb5d213b6074427994790a0064907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
Filesize
502KB

MD5
6875f1036f9726709954bfe2fc441159

SHA1
267afcceaa4c0a0a4cbc479de6b9530a5e38d0ae

SHA256
ca81171087b529457aa3c328d7eb4eb6a84da0be739338139409dcc41e5ce52d

SHA512
349e2fb34e22488a0f6cdba1fa03db7b3d856d073d7b0d9463cccabf8d22a59a363ff122a4f109695c135ab66c0f54e487391d1763035901631443e66c4b07d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
dc4e0ab2697014e323148f1c82572fc3

SHA1
2f519273831ba1459b47422f55f089bf23a814e1

SHA256
b6286a6248db3c565f8a6a1a0cfd0b9bd616c33677eb3a2f408911e5afa2e8e8

SHA512
acc7113fb7b2558271951abefdc333ee5c99acd16202e2bd8a94e2a0756ed5cedff1ffa64294930a279b77ad8b784f6563e13626110c815d9d8c123056e25c51

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\Roblox Player.exe
Filesize
3.0MB

MD5
96fa21d5ca7a8521d37ab1866f62c391

SHA1
46c9e97fd3fa9b5a2fa3cefa7d016763e6aa1b51

SHA256
32de49ea51cb4d8468fcd28b07eee9607e9765a3c1438bad9eff40ae6f21790b

SHA512
e2288052596b4026b336466a7fcd0b649bccd20ae69252dc1ee3c13ea1b50429f15464b56037b9e13e21f5651b6bb8731f72d775d2d80e7b0c2709ce9c951506

Download Submit
C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
Filesize
1.6MB

MD5
9b3c00d2d060e4262761e8fa9a067de6

SHA1
b83be0b9f45e8806be6beee09118ab197c22c125

SHA256
0e759677a0d32025491f3307f99bf8c3975a014b7bb29f34c10cd6123caeca82

SHA512
dd76a816e5caeb1fe42c88413769b1481e5a8dc857d2350ebf3ca9982e7aaedcb61d55687314580939f47a775f1df079acb1ad7d26dbc1d1fa0503d00709d80f

Download Submit
C:\Users\Admin\AppData\Roaming\SYSWOW64.exe
Filesize
1.6MB

MD5
9b3c00d2d060e4262761e8fa9a067de6

SHA1
b83be0b9f45e8806be6beee09118ab197c22c125

SHA256
0e759677a0d32025491f3307f99bf8c3975a014b7bb29f34c10cd6123caeca82

SHA512
dd76a816e5caeb1fe42c88413769b1481e5a8dc857d2350ebf3ca9982e7aaedcb61d55687314580939f47a775f1df079acb1ad7d26dbc1d1fa0503d00709d80f

Download Submit
memory/1476-491-0x0000000001000000-0x0000000001898000-memory.dmp

Filesize
8.6MB

Download
memory/1476-492-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1476-513-0x00000000064D0000-0x0000000006582000-memory.dmp

Filesize
712KB

Download
memory/1476-506-0x0000000006260000-0x00000000062B0000-memory.dmp

Filesize
320KB

Download
memory/1476-504-0x00000000067B0000-0x0000000006DC8000-memory.dmp

Filesize
6.1MB

Download
memory/1476-416-0x0000000001000000-0x0000000001898000-memory.dmp

Filesize
8.6MB

Download
memory/1476-417-0x0000000001000000-0x0000000001898000-memory.dmp

Filesize
8.6MB

Download
memory/1664-224-0x0000000000CC0000-0x00000000014EA000-memory.dmp

Filesize
8.2MB

Download
memory/1704-430-0x00007FFF0FAA0000-0x00007FFF0FAAF000-memory.dmp

Filesize
60KB

Download
memory/1704-452-0x00007FFF00F30000-0x00007FFF00FF1000-memory.dmp

Filesize
772KB

Download
memory/1704-424-0x00007FFF085D0000-0x00007FFF085DB000-memory.dmp

Filesize
44KB

Download
memory/1704-489-0x00007FFF00480000-0x00007FFF00496000-memory.dmp

Filesize
88KB

Download
memory/1704-692-0x00007FFF00AD0000-0x00007FFF00E45000-memory.dmp

Filesize
3.5MB

Download
memory/1704-490-0x00007FFF00450000-0x00007FFF0047B000-memory.dmp

Filesize
172KB

Download
memory/1704-488-0x00007FFF004A0000-0x00007FFF004AE000-memory.dmp

Filesize
56KB

Download
memory/1704-487-0x00007FFF004B0000-0x00007FFF004EF000-memory.dmp

Filesize
252KB

Download
memory/1704-486-0x00007FFF004F0000-0x00007FFF00505000-memory.dmp

Filesize
84KB

Download
memory/1704-485-0x00007FFF00510000-0x00007FFF00523000-memory.dmp

Filesize
76KB

Download
memory/1704-484-0x00007FFF005D0000-0x00007FFF005EB000-memory.dmp

Filesize
108KB

Download
memory/1704-483-0x00007FFF005F0000-0x00007FFF00604000-memory.dmp

Filesize
80KB

Download
memory/1704-481-0x00007FFF00620000-0x00007FFF00635000-memory.dmp

Filesize
84KB

Download
memory/1704-480-0x00007FFF00640000-0x00007FFF0064C000-memory.dmp

Filesize
48KB

Download
memory/1704-479-0x00007FFF00650000-0x00007FFF00662000-memory.dmp

Filesize
72KB

Download
memory/1704-478-0x00007FFF00670000-0x00007FFF0067D000-memory.dmp

Filesize
52KB

Download
memory/1704-477-0x00007FFF00680000-0x00007FFF0068C000-memory.dmp

Filesize
48KB

Download
memory/1704-475-0x00007FFF006A0000-0x00007FFF006AB000-memory.dmp

Filesize
44KB

Download
memory/1704-474-0x00007FFF006B0000-0x00007FFF006BB000-memory.dmp

Filesize
44KB

Download
memory/1704-473-0x00007FFF006C0000-0x00007FFF006CC000-memory.dmp

Filesize
48KB

Download
memory/1704-691-0x00007FFF00F00000-0x00007FFF00F2E000-memory.dmp

Filesize
184KB

Download
memory/1704-471-0x00007FFF006E0000-0x00007FFF006EE000-memory.dmp

Filesize
56KB

Download
memory/1704-470-0x00007FFF006F0000-0x00007FFF006FD000-memory.dmp

Filesize
52KB

Download
memory/1704-469-0x00007FFF00700000-0x00007FFF0070C000-memory.dmp

Filesize
48KB

Download
memory/1704-468-0x00007FFF00710000-0x00007FFF0071B000-memory.dmp

Filesize
44KB

Download
memory/1704-467-0x00007FFF00720000-0x00007FFF0072C000-memory.dmp

Filesize
48KB

Download
memory/1704-466-0x00007FFF06AE0000-0x00007FFF06AEB000-memory.dmp

Filesize
44KB

Download
memory/1704-464-0x00007FFF07930000-0x00007FFF0793B000-memory.dmp

Filesize
44KB

Download
memory/1704-461-0x00007FFF008B0000-0x00007FFF008CF000-memory.dmp

Filesize
124KB

Download
memory/1704-460-0x00007FFF008D0000-0x00007FFF009E8000-memory.dmp

Filesize
1.1MB

Download
memory/1704-459-0x00007FFF090C0000-0x00007FFF090CD000-memory.dmp

Filesize
52KB

Download
memory/1704-458-0x00007FFF009F0000-0x00007FFF00A04000-memory.dmp

Filesize
80KB

Download
memory/1704-456-0x00007FFF00AD0000-0x00007FFF00E45000-memory.dmp

Filesize
3.5MB

Download
memory/1704-455-0x00007FFF00F00000-0x00007FFF00F2E000-memory.dmp

Filesize
184KB

Download
memory/1704-442-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-440-0x00007FFF00F00000-0x00007FFF00F2E000-memory.dmp

Filesize
184KB

Download
memory/1704-438-0x00007FFF09AC0000-0x00007FFF09ACA000-memory.dmp

Filesize
40KB

Download
memory/1704-436-0x00007FFF06B70000-0x00007FFF06B9C000-memory.dmp

Filesize
176KB

Download
memory/1704-435-0x00007FFF06BA0000-0x00007FFF06BCD000-memory.dmp

Filesize
180KB

Download
memory/1704-432-0x00007FFF0B670000-0x00007FFF0B67D000-memory.dmp

Filesize
52KB

Download
memory/1704-431-0x00007FFF07F60000-0x00007FFF07F79000-memory.dmp

Filesize
100KB

Download
memory/1704-429-0x00007FFF06DF0000-0x00007FFF06E14000-memory.dmp

Filesize
144KB

Download
memory/1704-687-0x00007FFF06B70000-0x00007FFF06B9C000-memory.dmp

Filesize
176KB

Download
memory/1704-690-0x00007FFF06AF0000-0x00007FFF06B0C000-memory.dmp

Filesize
112KB

Download
memory/1704-441-0x00007FFF00AD0000-0x00007FFF00E45000-memory.dmp

Filesize
3.5MB

Download
memory/1704-439-0x00007FFF06AF0000-0x00007FFF06B0C000-memory.dmp

Filesize
112KB

Download
memory/1704-437-0x00007FFF00F30000-0x00007FFF00FF1000-memory.dmp

Filesize
772KB

Download
memory/1704-434-0x00007FFF06DD0000-0x00007FFF06DE9000-memory.dmp

Filesize
100KB

Download
memory/1704-433-0x00007FFF06BD0000-0x00007FFF06BFF000-memory.dmp

Filesize
188KB

Download
memory/1704-443-0x00007FFF02E00000-0x00007FFF0326E000-memory.dmp

Filesize
4.4MB

Download
memory/1704-689-0x00007FFF09AC0000-0x00007FFF09ACA000-memory.dmp

Filesize
40KB

Download
memory/1704-426-0x00007FFF02E00000-0x00007FFF0326E000-memory.dmp

Filesize
4.4MB

Download
memory/1704-680-0x00007FFF06DF0000-0x00007FFF06E14000-memory.dmp

Filesize
144KB

Download
memory/1704-495-0x00007FFF001B0000-0x00007FFF003FE000-memory.dmp

Filesize
2.3MB

Download
memory/1704-472-0x00007FFF006D0000-0x00007FFF006DC000-memory.dmp

Filesize
48KB

Download
memory/1704-688-0x00007FFF00F30000-0x00007FFF00FF1000-memory.dmp

Filesize
772KB

Download
memory/1704-482-0x00007FFF00610000-0x00007FFF00620000-memory.dmp

Filesize
64KB

Download
memory/1704-476-0x00007FFF00690000-0x00007FFF0069C000-memory.dmp

Filesize
48KB

Download
memory/1704-686-0x00007FFF06BA0000-0x00007FFF06BCD000-memory.dmp

Filesize
180KB

Download
memory/1704-685-0x00007FFF06DD0000-0x00007FFF06DE9000-memory.dmp

Filesize
100KB

Download
memory/1704-349-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-348-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-347-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-346-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-684-0x00007FFF06BD0000-0x00007FFF06BFF000-memory.dmp

Filesize
188KB

Download
memory/1704-344-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-343-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-342-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1704-682-0x00007FFF07F60000-0x00007FFF07F79000-memory.dmp

Filesize
100KB

Download
memory/1704-683-0x00007FFF0B670000-0x00007FFF0B67D000-memory.dmp

Filesize
52KB

Download
memory/1704-681-0x00007FFF0FAA0000-0x00007FFF0FAAF000-memory.dmp

Filesize
60KB

Download
memory/1704-679-0x00007FFF02E00000-0x00007FFF0326E000-memory.dmp

Filesize
4.4MB

Download
memory/1704-465-0x00007FFF06B60000-0x00007FFF06B6C000-memory.dmp

Filesize
48KB

Download
memory/1704-462-0x00007FFF00730000-0x00007FFF008A1000-memory.dmp

Filesize
1.4MB

Download
memory/1704-457-0x00007FFF00A10000-0x00007FFF00AC8000-memory.dmp

Filesize
736KB

Download
memory/1704-675-0x00007FFF085D0000-0x00007FFF085DB000-memory.dmp

Filesize
44KB

Download
memory/1704-678-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/1964-133-0x0000000000960000-0x00000000022DE000-memory.dmp

Filesize
25.5MB

Download
memory/2224-419-0x00007FF7DE080000-0x00007FF7DE227000-memory.dmp

Filesize
1.7MB

Download
memory/3332-420-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-250-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-245-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-240-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-219-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-226-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-248-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3332-252-0x00007FF7FA690000-0x00007FF7FAFA3000-memory.dmp

Filesize
9.1MB

Download
memory/3624-221-0x0000000000B20000-0x00000000013B8000-memory.dmp

Filesize
8.6MB

Download
memory/3624-225-0x0000000000B20000-0x00000000013B8000-memory.dmp

Filesize
8.6MB

Download
memory/3624-243-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/3624-412-0x0000000000B20000-0x00000000013B8000-memory.dmp

Filesize
8.6MB

Download
memory/3624-239-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/3624-177-0x0000000000B20000-0x00000000013B8000-memory.dmp

Filesize
8.6MB

Download
memory/3624-251-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/3984-494-0x000002937EAD0000-0x000002937EAE0000-memory.dmp

Filesize
64KB

Download
memory/3984-427-0x000002937EAD0000-0x000002937EAE0000-memory.dmp

Filesize
64KB

Download
memory/3984-428-0x000002937EAD0000-0x000002937EAE0000-memory.dmp

Filesize
64KB

Download
memory/4304-158-0x0000000000910000-0x000000000220C000-memory.dmp

Filesize
25.0MB

Download
memory/4572-382-0x000000001C9C0000-0x000000001CA72000-memory.dmp

Filesize
712KB

Download
memory/4572-247-0x000000001C1A0000-0x000000001C1B0000-memory.dmp

Filesize
64KB

Download
memory/4572-377-0x000000001C8B0000-0x000000001C900000-memory.dmp

Filesize
320KB

Download
memory/4580-425-0x000001D61F250000-0x000001D61F260000-memory.dmp

Filesize
64KB

Download
memory/4580-345-0x000001D61F250000-0x000001D61F260000-memory.dmp

Filesize
64KB

Download
memory/4580-214-0x000001D61F250000-0x000001D61F260000-memory.dmp

Filesize
64KB

Download
memory/4580-216-0x000001D61F250000-0x000001D61F260000-memory.dmp

Filesize
64KB

Download
memory/4580-237-0x000001D61F1A0000-0x000001D61F1C2000-memory.dmp

Filesize
136KB

Download
memory/4996-157-0x0000000000C60000-0x0000000000CE4000-memory.dmp

Filesize
528KB

Download
memory/4996-160-0x000000001C6C0000-0x000000001C6D0000-memory.dmp

Filesize
64KB

Download