aurora | hxxps://github[.]com/OverHeat1337/Fortnite-Account-Checker

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24-04-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/OverHeat1337/Fortnite-Account-Checker

Score

10^/10

aurora discovery persistence stealer

Malware Config

Extracted

Family

aurora

146.19.24.118:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 6 IoCs

Processes:

7z2201-x64.exe7zG.exeXovLauncher.exeهذشهذشهذشهذشهذشهذش.exeXovLauncher.exeXovLauncher.exe

pid process

3976 7z2201-x64.exe
2164 7zG.exe
4192 XovLauncher.exe
4612 هذشهذشهذشهذشهذشهذش.exe
4648 XovLauncher.exe
4996 XovLauncher.exe
Loads dropped DLL 2 IoCs

Processes:

7zG.exe

pid process

3164
2164 7zG.exe

pid	process
3976	7z2201-x64.exe
2164	7zG.exe
4192	XovLauncher.exe
4612	هذشهذشهذشهذشهذشهذش.exe
4648	XovLauncher.exe
4996	XovLauncher.exe

pid	process
3164
2164	7zG.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

7z2201-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

7z2201-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2201-x64.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2201-x64.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2201-x64.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2201-x64.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt	7z2201-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2096 4648 WerFault.exe XovLauncher.exe
1544 4996 WerFault.exe XovLauncher.exe

pid	pid_target	process	target process
2096	4648	WerFault.exe	XovLauncher.exe
1544	4996	WerFault.exe	XovLauncher.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267916098377761"	chrome.exe

Modifies registry class 21 IoCs

Processes:

7z2201-x64.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2201-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4024 chrome.exe
4024 chrome.exe
4772 chrome.exe
4772 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4024 chrome.exe
4024 chrome.exe
4024 chrome.exe
4024 chrome.exe
4024 chrome.exe
4024 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
2164	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7z2201-x64.exe

pid process

3976 7z2201-x64.exe

pid	process
3976	7z2201-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4024 wrote to memory of 3460	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 3460	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 1524	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4356	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4356	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe
PID 4024 wrote to memory of 4656	4024	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/OverHeat1337/Fortnite-Account-Checker
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe7a969758,0x7ffe7a969768,0x7ffe7a969778
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:2
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5172 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5496 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5792 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5864 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4968 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:1
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3040 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2972 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=892 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1648 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=856 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:5048

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3016 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 --field-trial-handle=1784,i,8055633756892649688,11686733863211376774,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\" -ad -an -ai#7zMap18225:204:7zEvent11686
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2164

C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
"C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe"
1⤵
- Executes dropped EXE
PID:4192

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\هذشهذشهذشهذشهذشهذش.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\هذشهذشهذشهذشهذشهذش.exe"
2⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
"C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe"
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 748
2⤵
- Program crash
PID:2096

C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
"C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe"
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 744
2⤵
- Program crash
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll
Filesize
1.7MB

MD5
bbf51226a8670475f283a2d57460d46c

SHA1
6388883ced0ce14ede20c7798338673ff8d6204a

SHA256
73578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e

SHA512
f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
668KB

MD5
5ab26ffd7b3c23a796138640b1737b48

SHA1
6dab8c3822a0cab5b621fd2b7f16aebb159bcb56

SHA256
eb775b0e8cc349032187c2329fefcf64f5feed4d148034c060e227adf6d38500

SHA512
2b40489f46e305f7e3455cac25e375711a6a1733861ee7bf1b800b86eaad2f40871c219924ddceb69b9748ae3cf9de59f0edffd7ed7b5e7f35d1239fe0333a78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
936859877153006f0a5a6fec412af65f

SHA1
d7de44f16ca94cc4948c7596da56d695de51f77f

SHA256
9d5d43c702ff7578816bb54cce47de24123d1d709ef4ccd8cfea9f53fff9d093

SHA512
aa42c3f91b47a8822524f5009f2566657cc109012481998e9a15e87075c10fb5cf36f4a862d735150e22e08f60785df2361682532b576d6b79dae4ce6829e0e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
aff9dc63a411db050f0aa7126f3183f8

SHA1
f0b537015cdf4af35014152e0ddeca46fb8cd911

SHA256
c155f51d8e58668fcaad66cfa114027519ff8272f3d97105a501b85052d41e8c

SHA512
0d55636053f4a6c37c5a1b16a69057499c802c39a7cbddd8829ffbe6803a2282d71d63a65aeca5f5c9a0af851775fc4489fa3185cd65fdf420be7ca8028496df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
2b9feb007c833f54e20f45de6a982fcf

SHA1
e2cffeef28d576ded101b781bfc3597795731468

SHA256
cc7d028667d1b37c3b7580d4df45fdbbf55939272056d8d251bc293bea585f9b

SHA512
49f278c349c01e952c406bcf4657af7604a0e757ec6320c78ed8518933decc34406eeeffbc245ed04bd79eed1ebccbfdc4c658e946dd6c5899c1e9e5936d9790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f28cede33e60f57c57d95906bfecccce

SHA1
8f4cda628e0e34439fa4bf154bf766df8f63c499

SHA256
a5264b4a05b2affa9ba243f438b7cfce75863f8a809f68c6f6a28ac8b0ed52d9

SHA512
afa913dac378ab711f2966344e779703ff12e701f9db6789b5f3d05af9ec1af0c16355cd0fe15db350ef30f07a2db8849d8e8f510143189b02c9979427570556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
20c23bb1895dd8fc01015aca440f80e3

SHA1
8147d3c28000bb50189bcc1d93171d063a7b6fdb

SHA256
88db10712de150ba30c03e78b246df4a91b06c64d59f41cfb319fee25a0fc276

SHA512
ba9e1c84ab3c018442576b3759a036b23fb9f00ef29ab38a01b3dfd6dcc78d63074ca13f7bc3b6c29d7d8e32a87bee40e153268ee779603797e742bd0ed0ba85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6360daa68fcb70b0e764f93972681a7f

SHA1
1ff5e7f3790ffe00410475f5c430fec94beac2d5

SHA256
c6315a477e0ce508d4ffaa76daa3ee575424736a22662a5f2e7d3f3a893a435b

SHA512
d85ce52eb4522c67bb56c21187ad06cafe4d577f6e03f2d13f1bb2a5b547079f35b252c08f47e30118452c82eca043990be2d34d349fd10ceea64ea4d6e461d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a9ef84ccb5cfb14abddd9c42b997274b

SHA1
865184696258f1dc2ad4f40ade533855a572704e

SHA256
94ab3fe7cf01e1b019d1e681cefda64be10c50149c7e673c5c2c43d913d357b6

SHA512
af817c1ac6504d2db7b3d437fd02225be9f0b1e3db20bcba1eb54e94ab5576e49fa42b77f56e2c7c8fa92b145e81f32d70749988921aa8f56828fb78c9ef869d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
38688e9dd3aef410f390cf662b71008c

SHA1
d3c7219b90f43c711ede3daa9f03585d731355a4

SHA256
889f160217096c034975c3651a9b242f9eefbdd60f531f4042a41605aa910878

SHA512
84ac39366a53311cfef8852edde3fa8c2ac4bcb6eaaa8f3d13bfd0909a641c772ac9f67ad6dd333e092f2ac8c6c2c10272bf4a8e93c11d2b78207bd7f53185a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2107b7bd530d7d48de2bbd79074fdb60

SHA1
8b3bcbc75507b9864b1367171777963a8faf3834

SHA256
fab95f74c6e70ba9bb80cc3e9943c944d5e810ce9eb81cd0fc029580963cde33

SHA512
5ab177218f2339af936722e4a4a79afca5b95c89b925f646fae48823e8e7dab8e3ad82983cbab95fdb88ea4141f017e02d32e0258bfbffc783829c8c9db9a214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7cd6f22ce4bbb7801296a2e5b7de6a10

SHA1
589f33fca7e0c0eb5e39f3ea6ec5928e23a34f0a

SHA256
1ba8a343c1ac1bd071222856043cc847ec8aeb948a65c072f8ad5d942aef1f18

SHA512
5d7d8f6b8f8ca785df42e48e2c8e2752db92719971e0f28e38645c25c96ae5b3045526c522673b15b7ada90484015a16d554460bf8b771122efe8ce85fc2757b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
909f20db50afaf8ae9bf656aab57d1ef

SHA1
c89a863e79f00d6fce0dd492050be126b2d2bbf5

SHA256
fb185cd6894774091455ab7c98384a55ea720b87fe1b3f4531e79fa6b7c8a5c5

SHA512
a1eb62856e9dbdeb405ead1436ea5704bec064fd86878ff3c914fc9de7dd31549dfc225e982b35f3e4386f402d34788e4a005ffd085705790363abbc2c7b7d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7fd5d6eb522591e079f19068eaa92771

SHA1
74af8a17ec187b0b215a42f65f373199baa355c0

SHA256
fb9a29f459c2bb5a857f7c007ab132d6b023e9dcc8cf80de3e578c509ca86f0e

SHA512
524760b4ee20439be36b1e5c86296f7dc1fd7499599e90436e61dc9a10de44e3f2da2f80431c059461d45f9e1ea7986e346e7a23780c7dad8821fa07d932119c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fa33a6e279bec239abc6ce78f2e347d1

SHA1
268823bd8f7b9799a356974a82ae3e475bfa79f4

SHA256
48492a1edcfd659ac2781361ed091b5692415c7dadeb8f378ed21147cc16b46c

SHA512
d3cd932df4f1c73a54e5cd41db046ee70633a11faef210114a759287e552e3dbd06859883a51eda98ddbac55f603ad0749fa498048e91313c0d191cd77f7fd81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1e1fe131ef7918e186a41db675119165

SHA1
a84dc50d3d1a9d444aecea2e3916fdd0d2ee430c

SHA256
051f47e7fb6937d5de41f0b258c2c56557ac27ddcd1afc9faf6c28c7f6d0ab6b

SHA512
3c0b4dfa4946c4ccc3820d33c4a3e8e0e965d539b95245933f4a32ab0ced3a82e8a35f8fdc4c4e282e992b518c4f4e12e27689165a03646d4771151ae49ac7b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
201KB

MD5
dd6ed806917908278e0975ef65306df1

SHA1
577b1014219631c670a66add72a6c80fec7f05ae

SHA256
19384a4fe7a31f29571d83f471feeb2d617ba35ee2b58b536c6c0de7da90af01

SHA512
ce07aa7a198beb47b7238c174e45aa20f8af7d57a5fc24adc23657cb83ab898ba590f1f4952b0c37944f054bb9e86e664113971a3f4708e434ce62e73b1fc07f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
201KB

MD5
174e80809209bf8da21c111472f4efc9

SHA1
ac4b827a83d4f5e775dd6dd8c8d1068322398899

SHA256
e715d9dd825de8c12f2a845a447637a36554f31f9fc2b2a3565f257cbd07824b

SHA512
edd04d7eef42bcb411c0ba9dd85e89485fa9034530cdc6a0a29d061e42ce6b16fa26247f3fb0fea03604fab574b8d6917db36fadbfaadc0115d261f687ac0ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
111KB

MD5
47e3f6aa7323bca9e7e147b58b9e237d

SHA1
8994d8e189e07ee33f4168b50add280af1f422b7

SHA256
417cf2b886ef276fadcbb92cb0b447355e7c7e6da3c17dd98d05eaadeb723b2d

SHA512
039cc11c941ef7daaa8f25ab8e0dcbb94c4ea91e52472e6c3edf47dde0969904b8e26c57ba868ff475e1550c0212086164449e8493821f5c9518e6964b1e2330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe573e12.TMP
Filesize
103KB

MD5
afc1f48d5cc38b4606a6ef572edbfece

SHA1
2a196c3d5cffc9df42bc8d435744fda6eac9cd98

SHA256
e482079ad4a2febd1bdc576aeb70a1ebb77711d0ee049fd195b1ead9ef16b8a3

SHA512
b8097231637cf966f28b554347563a6c42a38176f2795e81b1a5c8d14fcaa2aabe80731306cd62361b38b408be165530fb35c33640c3f958174554cf6832ed5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XovLauncher.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\هذشهذشهذشهذشهذشهذش.exe
Filesize
4.4MB

MD5
f1bd13f3967109836a4f8257e5d97979

SHA1
18e5bbab98dfe3754ccffb2ed245a5ff708c2975

SHA256
aa504264669e5bdbda0aac3ada1cd16964499c92d2b48d036a16ba22d79f44f6

SHA512
0a032445112a74b93334f1fbd017e0e12dac0c4738f2a48eb57ac1b3651bfdf46105df0bb3034a7668c57c0cd259c46be64f36bf5b64efbbe3a166c349d17dc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\هذشهذشهذشهذشهذشهذش.exe
Filesize
4.4MB

MD5
f1bd13f3967109836a4f8257e5d97979

SHA1
18e5bbab98dfe3754ccffb2ed245a5ff708c2975

SHA256
aa504264669e5bdbda0aac3ada1cd16964499c92d2b48d036a16ba22d79f44f6

SHA512
0a032445112a74b93334f1fbd017e0e12dac0c4738f2a48eb57ac1b3651bfdf46105df0bb3034a7668c57c0cd259c46be64f36bf5b64efbbe3a166c349d17dc7

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-main.zip
Filesize
4.5MB

MD5
c3861a7aeff3f8b7cdb8ef2ec96b27a9

SHA1
b166afd274125850f4482c89cf7f378d609c3ebb

SHA256
473854974519f31cb16710d21572c7523b83ba83a094db6ebe43f30b6a46c1a0

SHA512
acdbc32914f0466151663850d4237698ddea413e5543fececcbf52ae3195c1681741a6ae02f96de9a9f39c163f184c9857c889c70e83bb072b0bd0940827a89a

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
Filesize
4.6MB

MD5
6d931fd0a8a1eee52d63480e5705f1f8

SHA1
d9410ab4ced057a0e28666c5f5042edb49321f61

SHA256
00eb4fdc283f10c8bd797f8e79d875e9dc690d6864d47b8f75ef225a7426124c

SHA512
c477a8da05824e67d8eac590f1bb0e6646771f86537e6d5e1bfab5662b76c3bc3a07739568a84666130428cc9d9cab7bf657e95ad02bd85b2c16d43c5b73509b

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
Filesize
4.6MB

MD5
6d931fd0a8a1eee52d63480e5705f1f8

SHA1
d9410ab4ced057a0e28666c5f5042edb49321f61

SHA256
00eb4fdc283f10c8bd797f8e79d875e9dc690d6864d47b8f75ef225a7426124c

SHA512
c477a8da05824e67d8eac590f1bb0e6646771f86537e6d5e1bfab5662b76c3bc3a07739568a84666130428cc9d9cab7bf657e95ad02bd85b2c16d43c5b73509b

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
Filesize
4.6MB

MD5
6d931fd0a8a1eee52d63480e5705f1f8

SHA1
d9410ab4ced057a0e28666c5f5042edb49321f61

SHA256
00eb4fdc283f10c8bd797f8e79d875e9dc690d6864d47b8f75ef225a7426124c

SHA512
c477a8da05824e67d8eac590f1bb0e6646771f86537e6d5e1bfab5662b76c3bc3a07739568a84666130428cc9d9cab7bf657e95ad02bd85b2c16d43c5b73509b

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-main\Fortnite-Account-Checker-main\XovLauncher\XovLauncher.exe
Filesize
4.6MB

MD5
6d931fd0a8a1eee52d63480e5705f1f8

SHA1
d9410ab4ced057a0e28666c5f5042edb49321f61

SHA256
00eb4fdc283f10c8bd797f8e79d875e9dc690d6864d47b8f75ef225a7426124c

SHA512
c477a8da05824e67d8eac590f1bb0e6646771f86537e6d5e1bfab5662b76c3bc3a07739568a84666130428cc9d9cab7bf657e95ad02bd85b2c16d43c5b73509b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 443264.crdownload
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\??\pipe\crashpad_4024_VBQERDABOZVBPVMX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\7-Zip\7-zip.dll
Filesize
92KB

MD5
c3af132ea025d289ab4841fc00bb74af

SHA1
0a9973d5234cc55b8b97bbb82c722b910c71cbaf

SHA256
56b1148a7f96f730d7085f90cadda4980d31cad527d776545c5223466f9ffb52

SHA512
707097953d876fa8f25bfefb19bfb3af402b8a6a5d5c35a2d84282818df4466feba63b6401b9b9f11468a2189dcc7f504c51e4590a5e32e635eb4f5710fd80b2

Download Submit
\Program Files\7-Zip\7z.dll
Filesize
1.7MB

MD5
bbf51226a8670475f283a2d57460d46c

SHA1
6388883ced0ce14ede20c7798338673ff8d6204a

SHA256
73578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e

SHA512
f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9

Download Submit
memory/4192-632-0x0000000000DD0000-0x000000000127A000-memory.dmp

Filesize
4.7MB

Download