vanillarat | hxxps://github[.]com/hxk-PLINT/Eulen

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-07-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/hxk-PLINT/Eulen

Score

10^/10

vanillarat pyinstaller rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/368-577-0x0000000000CE0000-0x0000000000D02000-memory.dmp	vanillarat

Executes dropped EXE 5 IoCs

Processes:

Eulen.exespoofer.exespoofer.exesvcchhost.exesvcchhost.exe

pid process

4988 Eulen.exe
1412 spoofer.exe
4888 spoofer.exe
368 svcchhost.exe
4348 svcchhost.exe
Loads dropped DLL 2 IoCs

Processes:

spoofer.exe

pid process

4888 spoofer.exe
4888 spoofer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

18 camo.githubusercontent.com
19 camo.githubusercontent.com
20 camo.githubusercontent.com

pid	process
4988	Eulen.exe
1412	spoofer.exe
4888	spoofer.exe
368	svcchhost.exe
4348	svcchhost.exe

pid	process
4888	spoofer.exe
4888	spoofer.exe

flow	ioc
18	camo.githubusercontent.com
19	camo.githubusercontent.com
20	camo.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

Eulen Installer.exeEulen Installer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Eulen.pdb	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe.config	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Numerics.Vectors.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Core.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Memory.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.exe	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Eulen.pdb	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.dat	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Interactive.Async.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Core.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\presetforinstallforge.ifp	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Uninstall_lang.ifl	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Bcl.AsyncInterfaces.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.WebSocket.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Memory.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Interactive.Async.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\presetforinstallforge.ifp	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Extensions.DependencyInjection.Abstractions.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Interactive.Async.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.dat	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.WebSocket.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\icon.ico	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Core.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Bcl.AsyncInterfaces.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Memory.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\icon.ico	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Rest.dll	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.exe	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.xml	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.xml	Eulen Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\discord-rpc-w32.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Extensions.DependencyInjection.Abstractions.dll	Eulen Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Reactive.dll	Eulen Installer.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117287"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8ef5172b86ff84599acdb602053c0da00000000020000000000106600000001000020000000b27d6eccb2dafa26f0c93adc0ca9ca4aafd182420f55615fae8304b5d3b9ef0f000000000e8000000002000020000000d06015ef5ca10243551005789ce3dd5ffc8a8d789471a7e9f749e668a6dc861820000000787964df91ac5c1701188ca927810f104c72c2a12168aff1d6a2de31bb269b2240000000f5fbe9dd3c2851ab2a7610838ddedb1e9ef5738d2670170135e800650673f61cc110320cdc9edeb90b76e215d74b48181d908abc1ea4f776d160caa5871b1909	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50174a4ce7cfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8ef5172b86ff84599acdb602053c0da00000000020000000000106600000001000020000000f83321123990bec0b31bb844b7d78d69b0966451e55ea6fc99677d3f80faf0a5000000000e80000000020000200000000af6ae676e08d34477541764dfe997718278bcf84fba4012719828ab5e9502f42000000069ab62e4bd71fa7743b029ad901fa566c997968281bd6a9497748b65c72713e4400000007d13a5cb000ff862d0504dcc94579600f27bf919fcd38a01ce9367b98cfc96410cc490da35a227cf74121cb6e5670b2180f76c35783b53e7739c0f9f1def9a27	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117287"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1273994425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77624D43-3BDA-11EF-A2FF-FA3BFB8A7566} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 605c454ce7cfda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1273994425"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133647730140624910"	chrome.exe

Modifies registry class 5 IoCs

Processes:

OpenWith.exeOpenWith.exechrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1580 chrome.exe
1580 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exeEulen Installer.exeOpenWith.exe

pid process

4724 OpenWith.exe
3684 Eulen Installer.exe
4128 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1580 chrome.exe
1580 chrome.exe

pid	process
4724	OpenWith.exe
3684	Eulen Installer.exe
4128	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe
Token: SeShutdownPrivilege	1580	chrome.exe
Token: SeCreatePagefilePrivilege	1580	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exeEulen Installer.exeEulen Installer.exeEulen Installer.exeiexplore.exe

pid	process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
576	Eulen Installer.exe
2676	Eulen Installer.exe
3684	Eulen Installer.exe
1924	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe
1580	chrome.exe

Suspicious use of SetWindowsHookEx 61 IoCs

Processes:

Eulen Installer.exeOpenWith.exeEulen Installer.exeEulen Installer.exeiexplore.exeIEXPLORE.EXEOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
576	Eulen Installer.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
4724	OpenWith.exe
2676	Eulen Installer.exe
3684	Eulen Installer.exe
1924	iexplore.exe
1924	iexplore.exe
4984	IEXPLORE.EXE
4984	IEXPLORE.EXE
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4116	OpenWith.exe
4704	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe
4128	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1580 wrote to memory of 4152	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4152	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 3448	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 312	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 312	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe
PID 1580 wrote to memory of 4184	1580	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/hxk-PLINT/Eulen
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffdc6339758,0x7ffdc6339768,0x7ffdc6339778
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:2
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:8
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1832 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 --field-trial-handle=2116,i,17927837797346168739,1811349808989741397,131072 /prefetch:8
  2⤵
  PID:4260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:196

C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe
"C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4724
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Eulen-main\.gitignore
  2⤵
  PID:3536

C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe
"C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe
"C:\Users\Admin\Desktop\Eulen-main\Eulen Installer.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe
"C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.xml"
1⤵
PID:1612
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4984

C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe
"C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe"
1⤵
- Executes dropped EXE
PID:1412
- C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe
  "C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start Eulen_Controller.exe
    3⤵
    PID:3536

C:\Program Files (x86)\eulencheats\Eulen\Debug\svcchhost.exe
"C:\Program Files (x86)\eulencheats\Eulen\Debug\svcchhost.exe"
1⤵
- Executes dropped EXE
PID:368

C:\Program Files (x86)\eulencheats\Eulen\Debug\svcchhost.exe
"C:\Program Files (x86)\eulencheats\Eulen\Debug\svcchhost.exe"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4116
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.dll
  2⤵
  PID:908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4128
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe.config
  2⤵
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.dll

Filesize
30KB

MD5
9188d316763b975a9e3356a688c9607d

SHA1
99839afdf0397f756e6b69970f8a65361fca9bd3

SHA256
abd5a1e1debdbf33ae1281aad9849a656a802438d54c413860c2d5103c7a362e

SHA512
97b4058c1addbf7f1129a019488a2b97b667c7d37ccbe565cafd55485fb2828bfe482c8fb8065506533551d608c73befbd4864558bcd9dd9af265f5e25fe7a68

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.xml

Filesize
8KB

MD5
c8e6624459879d278dc69ab2bf8ec492

SHA1
04e2fa75fc043bb4e9dda5adf15ae2b28a5f9f1e

SHA256
b6894dc52cbb2b113ed0fd61f4fc57bac32b3a50987d4d350d54f981bf99e255

SHA512
4e38e392a49f64ed10bb2ddb99a9a26dcf38e4ccf6960dee554e22b2e94977426566f6770895a0fa9c44ba7029ff8438fc4c34cb261cffb845876730bba2d90e

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe

Filesize
297KB

MD5
5f309ab77cc425d8954b7c25cab3b78d

SHA1
c7a0a97edaf12122128551d7e10dc95e956c04e5

SHA256
a9aa89e3ff1c3f5b02086d69b78971c83c75a85a4ce938f390c27c1cc5b69c59

SHA512
720399d8e91fcfbb7f307396559afa91c0403af36695810d7b96da41ceabb0371156e4b437ef9963a60a2ca12ba182f7c727c0eb0e14fefea38e22562ffa9b40

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe.config

Filesize
2KB

MD5
b1f9d66ef005aa3c83b4325d19eddfc7

SHA1
02fab54210b73330fc29fbb88cbf1f67238398f9

SHA256
54cf3144f875a8c6554a51b6fa1915fa85e37eb7ad2dbceab7b1fcafe5f9d099

SHA512
818081bda201b816e03e4f2d1db7b2588b190e85b8974d0801544c2c6ccca04768efffd446e9eebb9a4fc2f3bd91d9d5defc56bdb83ec0e41bb9e7e8d761f031

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Eulen.pdb

Filesize
61KB

MD5
0bfd30f2274fb537805a96266828b7b5

SHA1
becb9d9b6af51e4d376b4c3841f0461a66914dcb

SHA256
9e3f1495fc059b0c9244d9f7310bf262afb6c6446e169d31f068988f00556dd2

SHA512
baf25a0013297646f2db0c48eeee60a7e909b3eacc0402e89fa86a71cc087e66f7abee344e3f7d998118666d023dde5342c5799dfd9ce1e81ad0fdbdb05a3df4

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
26KB

MD5
ff34978b62d5e0be84a895d9c30f99ae

SHA1
74dc07a8cccee0ca3bf5cf64320230ca1a37ad85

SHA256
80678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc

SHA512
7f207f2e3f9f371b465bca5402db0e5cec3cb842a1f943d3e3dcedc8e5d134f58c7c4df99303c24501c103494b4f16160f86db80893779ce41b287a23574ee28

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Extensions.DependencyInjection.Abstractions.dll

Filesize
62KB

MD5
00053ff3b5744853b9ebf90af4fdd816

SHA1
13c0a343f38b1bb21a3d90146ed92736a8166fe6

SHA256
c5a119ec89471194b505140fba13001fa05f81c4b4725b80bb63ccb4e1408c1e

SHA512
c99fcda5165f8dc7984fb97ce45d00f8b00ca9813b8c591ad86691bd65104bbb86c36b49bb6c638f3b1e9b2642ec9ac830003e894df338acfca2d11296ff9da4

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.xml

Filesize
3KB

MD5
1c55860dd93297a6ea2fad2974834c3a

SHA1
7f4069341c6b62ecfc999a6c2d8a2d5fb59d44f6

SHA256
2ec7fb12e11f9831e40524427f6d88a3c9ffdd56ccfa81d373467b75b479a578

SHA512
37fa5d4553ca3165f10e2ffef38fefc0dba4a2dbfa05ab9f09ab87b5f71f30e6d965d2f833f58b50b3bc2529ebe8fb5cc431c264f7b47ad026f5c5a874a6ada1

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.xml

Filesize
20KB

MD5
c782e92abbfc0531226f735c6ac56498

SHA1
2586fdbeb6d1e11d4cecd5b3e8387a18c7b4d350

SHA256
39c2d4a63a186d423e9c866f4d3e9a6acba0103398f20baf8b92a38744894215

SHA512
a12b6807695c9c626de9602abc6df72bcc5e869a29c7111e956034f321436e7c50ea36ed5ec5b6f93a639ae0f7aea93953e91ae557bf423a749b036c7252a7b9

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.xml

Filesize
9KB

MD5
c89e735fcf37e76e4c3d7903d2111c04

SHA1
3c0f1f09c188d8c74b42041004ece59bbd6f0f56

SHA256
975a9555f561b363c3e02fd533f6bf7083aa11bbc7cbf2b46c31df3d3696b97b

SHA512
debdd8d0ed2ff6ad7b175acfeb1681b1a68eeedd6d717e20e6ac5e0d11c13a1219b4d60f9319939c63bf4b53456328531369f4a9fff5b201475858310e385007

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.dll

Filesize
24KB

MD5
23ee4302e85013a1eb4324c414d561d5

SHA1
d1664731719e85aad7a2273685d77feb0204ec98

SHA256
e905d102585b22c6df04f219af5cbdbfa7bc165979e9788b62df6dcc165e10f4

SHA512
6b223ce7f580a40a8864a762e3d5cccf1d34a554847787551e8a5d4d05d7f7a5f116f2de8a1c793f327a64d23570228c6e3648a541dd52f93d58f8f243591e32

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.xml

Filesize
142B

MD5
b6e60687ae5db6d011e21e6993620745

SHA1
b117c6bbddc72e7f4b590173992ee17bfdde4be1

SHA256
c37e163fa76629c196460c7b4d54e95b1a46a4c66ab7b6f3311959c8137dc5f1

SHA512
709212b6cb36f57b92a82def810f9c075a91b3e6a5fd330dcfb563d94a320783509441347d63bde97f530c6b10ce6aa769ca11f7fc39acf1b25d5c8f9dcbb389

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Uninstall.dat

Filesize
7KB

MD5
d465dc7f492fe655259287c7035a7884

SHA1
1c1c70a12323cf814a5c3dbc0f05d6b71f1351d6

SHA256
515213481a0ab9589eecafafef31e6ece2415b18384344a58e0e5a1e5a96a645

SHA512
7d5072a799c2f5b4cbbc8a5d3d219c817af710588c724b024ddb6e65a8951bc5beef12dfef380217e518536729eac8c21ec1f758402b7aa9217174d94a5bf100

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Uninstall_lang.ifl

Filesize
3KB

MD5
981077ef92410cbf204c59e5465de5dd

SHA1
ad253930fd3a5edd8a81dc473f89132ff2243699

SHA256
a792f4f5edee0e158798b75b82f6ac720e51957498450161b04ee812101f801c

SHA512
3f1e30cd667a658f3a2f1388efbd712b57cc5b028de431fd995d8ff376734a8e7ec62a686502761c03214eded30b0ab445d0762b58e5d24663cd25ef8749725c

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\presetforinstallforge.ifp

Filesize
5KB

MD5
6590775fed1e98af37801cbf3f7d3be8

SHA1
07125aa9e2e76baba2436f0b93cbf2d7c72ac6b8

SHA256
f570d30d02c3360a0fb53adc9df4420ba05b52451c86dc976d39734ad77168ab

SHA512
e543349acf0da60288d06ae2ff2363d1d052f4d0e38dbe43ea93ba1a31d912a7e8dd7d0d6cef69c70649009970cbc442aee744f748164318563a25d945ad8fb5

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe

Filesize
5.6MB

MD5
1a8ac5672cbc3e4c9b650af9b3474ba4

SHA1
25b8e9d55f718d47bf785d9a47ce1c63614abd40

SHA256
3b63560e4479e7bcc5671d8b266afb26f72d4c78c37e0684e62d863a69c37c69

SHA512
4829c5b3f46f0839ae8e83d79816043ef2a3694d489a3fd313f440540e09bbd6d3fc125b667b98a0c3f2d6674016895a7f98dd0fe2970f67dbc50da1f6f8b2a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d92eae9beb7e761c2788085124d06f50

SHA1
f1e490bac92466271fc6ad9c5b87103ce1ed423e

SHA256
eeeaa458f0d30abf0f74a419035ac9a0f1ab8c372f4120060f6d9175434151af

SHA512
5321a870809922ede6d043537d68cd434c5bb8c4b431ab3a9107617657a396ea4a02fb92fa43916a6e0cdcb124f4703c1960b8ac1870409232432988061c4150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0c0002c0333a4aa2ad7ce3e694be558e

SHA1
fd546caeaa31d54a6d60aa1f5fa0eb3ac173ebe9

SHA256
8287dff09293ca1427edf299b7f1da478e072143b6f1cc1255d4585434a33f0d

SHA512
5f4666404999d2f726f38b7a7c282b3df272386744cce319320fff8928a116fdd17abc42d45066f0875cf7a8a0edc0f75e7b8b1c93a215b702fb83326d7d4ebc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0e716673b3a22d5fd5f2035e6dfdecdd

SHA1
6f1983accff42fc31792e559ef281574f92d0faa

SHA256
387cdf83f89694271c8d15c4058aa3df2607e6750fd60e89d1c37cf161164c83

SHA512
e9b56bb27d5a426216cc8b53a71dcd1e029e0750a9404da6abf0c7ff89bfe94c680165d195760c0c2d5f720b507f2a1d1e93d5a543ada3d7dcef62939921a33c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e5411119550fbec2e4ee452c9e94600b

SHA1
0d84d6cc086d2ea56e256f3c36501d72ea34130f

SHA256
6add77103a66cc7b999c9ec0eb5307623f0a61102acde0b1b8b56916a30a353c

SHA512
67dd0d51dd15519c4ce134d58f35bf774dd953322f2fe9c5ae624f0ab7d87696f21a5a86be05e932e0c952b848bff023fd6833f6b5ec1506eefc32293fa3e051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1965db21a82922b949ec8d80a87d842d

SHA1
7a4a8b6222f7c35b21bfa56a90cc99e5622b849a

SHA256
64c4c3e06802c0443461d5631a71e869cadfce161732f0fa613e28408d6ea83b

SHA512
36321a8e9dade5c5ff7bea374e3afa429ec806ea4a9d0c43deb64c3336aa2e7f5b132c89375457b30a80c44522dc0a417c0a8cf442f3f93fce03613eca54149f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
39b6ef97ccb1dee5869f2bf3269abc33

SHA1
ac77b338b135b6c0179e50c8d8544aaf7a4e3abb

SHA256
9e646cec6d2affebecc67170c94e6daceb86b840ef607661e9e44e74a9cabf45

SHA512
95ce2b4c0922b3cb9ab156a16dccbba743b6ddee79ea83f4b72174395620df48a06d2683f5aff4556c3f221e4ff4e0a29c97050a4fac8d3528ec14865f2a46d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
d0170ca36570afcb28ba4180cf074737

SHA1
12f0005eb14bc507ee2cc5202e99195288454f19

SHA256
e3a52d2d5527a0bdd5418546b461d494b248ca5906eeae1384497ad983c8f1eb

SHA512
c149dc3cfbe50f236aa8c21d0797057af9e9cd2c56c558e873639bf892919c491b24456e8dd6ee091a466c523afa0a95382b1232cf775bd44ae25d1852a2f827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\Desktop.dat

Filesize
39B

MD5
155b88ea1bfd87caa0a1db30f5e9ee9a

SHA1
ab72a08395472a300d32114cc9872839acc4ba0e

SHA256
50900a5165a91fe6c25985330c12e0af6ddcfcdf9f363820cbfe119336af9f92

SHA512
d69113f709cc098be2663adff23b7f063f00d4f6c7504080a86bd9b10cf907df7d0f2b2a64ee609a182574b38feae04a828b89865d132b6b98e77e24f6899846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\OS.dat

Filesize
242B

MD5
48d3c4d4cdc791b3c3e5b4432c3ea0ba

SHA1
3f840e5554cf797254550d702644d51c17576a33

SHA256
38f778cbb7aa3d52f7fd5ab5ccf30b25962a6a5fecdff6efbb10501829459ca5

SHA512
65240bafbb3e86c7c7b99cddeac7b3b202562b99506b458980fd8c1437ed560ca56bc446adc62a0cce397e1451b81b531d9dd6baf145664cfc2d55efda5cace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\SC.dat

Filesize
866B

MD5
16d4bd0f9df2ec5a3ccb7980f2bd064b

SHA1
76a212c6af9f2762547c9c23a58de8ab214faf45

SHA256
2a8d26e139707981826db30135c3ca9c4ce04ea8de046c10a16098ea3dad80c7

SHA512
d409ec560d1d4d96e02b4510e674b6b77c53282261d32b33dba3ce26f4393a0949c6db9ce6a4ea3c8c3819eb7d971fe0eb66cfe2a02ada258fead8a54cc3a6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\languages.dat

Filesize
18B

MD5
a3ae2c67104c86a3197586c115a96136

SHA1
925e56044b3b98947ae208b22d8011b78613c56d

SHA256
8422463648619e4c5205304db50282cab2dba418f25b3ae32d14648293a0c019

SHA512
beb890e6cb8209e78db5d4ffe86aaf342efdb29ec912f9b55de2c3f20d309880d9daf013c9e7c25d7e612e51f416d572b68f547d5ba7eede3c2861357dd4dab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\licence.rtf

Filesize
229B

MD5
822356269c1cf4e5cc7d6a42b7dcfd55

SHA1
b856b04d1d944d6b560ee2954dd5f34d859c6354

SHA256
a2d86c306a58582d056b9d2bdccf76419807e2a978f63b34ae38ef4193bd3d76

SHA512
614cf8d4de49acb3fd54ad0da66cb3a1ddd9e23321a3dcf9b6180cb9a2c75e56544005b7c18919fa3876db9d46e3cdb1d106d3531e9d5fa8d22f27ca01d2f69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\setupArchive.archive

Filesize
7.9MB

MD5
b2781d20ec7a767e76d86e96bf47587a

SHA1
5e7e0857190bc5acae8c0d2f53a45b09e509bffd

SHA256
cbb6b83ea161bb016cdb9e9747ab1f5b37789ef2fa2ee3d14e0c28ee59e1c1e6

SHA512
94ff43c9c2351ffea2c52bca892524a9f13ba2be19f5192083c8775c8b9ec0dd46b0d66397f4f0d6109b06b9aac06eaccd83f84551bf452facfa38fbcad2abce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{91AB3C7C-942D-477A-BCCF-20A43ABD4498}\setupConfiguration.archive

Filesize
3KB

MD5
03f12a9620e961edf92807014833b9d3

SHA1
bdbdb280eed3a2762826d9aa0ea3153858165372

SHA256
9d23817ff79860369312c135123ddc8407d54ac70fd641e7ce5e4a320c864d7e

SHA512
b3691f9c790d3da9bab38a5e3f686856e6a6f5fe29f4cd73244bf2dfcc06e84a8916982633fba3a9c36e649a8834c96a936316e058f8801dd94cc982c76e1908

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{97A4EBD3-8B67-47CD-A698-A317CBC828F2}\English.ifl

Filesize
2KB

MD5
2922d0c758d9c3c10cbdc59f91979d0c

SHA1
feb69bdf58d06cca776db63036811af0764ca013

SHA256
20f6d12eac29bd6ddc6a99dd276c5e200fac25c976ab4293195b58ec164c253f

SHA512
d15e888bae4e23ce5d61becc3c47d9b5f61fbbe4612cf90677314570fe1df1f4fde6c519b789ad46cc50d19c2b3701bc9bd968e85bb618fb7127950d4ae92695

Download Submit
C:\Users\Admin\Downloads\Eulen-main.zip.crdownload

Filesize
8.4MB

MD5
88b28d43313761551b5055314e0ca392

SHA1
acee723481076c61c569240b4c2b4e6b04cf3fcc

SHA256
dc68d557b77e75d912bc38aeb859a8c1d2b762bc42c0af6aa76c1b666384e4a6

SHA512
da16ed428d9a4a8ae2357bcc70ed04a691d0634d974ce469832920b65c709385b68617106d29c493adf3f8a97ffc7d2d74bb54fcc47cc9e057bebaab7b2b4965

Download Submit
\??\pipe\crashpad_1580_RATJDDMDFNTLSCTD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-579-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/368-580-0x0000000003260000-0x000000000326A000-memory.dmp

Filesize
40KB

Download
memory/368-578-0x0000000005DF0000-0x00000000062EE000-memory.dmp

Filesize
5.0MB

Download
memory/368-577-0x0000000000CE0000-0x0000000000D02000-memory.dmp

Filesize
136KB

Download
memory/576-297-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1612-535-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-539-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-541-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-540-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-538-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-536-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-534-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download
memory/1612-533-0x00007FFD91E90000-0x00007FFD91EA0000-memory.dmp

Filesize
64KB

Download