asyncrat | hxxps://mega[.]nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0

Analysis

max time kernel
103s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 34 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3784-281-0x00000000025C0000-0x000000000260A000-memory.dmp	family_asyncrat
behavioral1/memory/3784-344-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-346-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-315-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-342-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-340-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-338-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-336-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-334-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-330-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-328-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-326-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-324-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-322-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-320-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-318-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-312-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-310-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-308-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-306-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-304-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-300-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-296-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-292-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-288-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-286-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-284-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-283-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-332-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-316-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-302-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-298-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-295-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat
behavioral1/memory/3784-290-0x00000000025C0000-0x0000000002605000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Infected.exeFortnite Keker.exeFortnite Keker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Fortnite Keker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Fortnite Keker.exe

Executes dropped EXE 7 IoCs

Processes:

Fortnite Keker.exeInfected.exeFortnite Keker.exeexplorer.exeFortnite Keker.exeInfected.exeFortnite Keker.exe

pid process

4416 Fortnite Keker.exe
3784 Infected.exe
5716 Fortnite Keker.exe
6656 explorer.exe
4700 Fortnite Keker.exe
6248 Infected.exe
6304 Fortnite Keker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6564 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6572 timeout.exe

pid	process
4416	Fortnite Keker.exe
3784	Infected.exe
5716	Fortnite Keker.exe
6656	explorer.exe
4700	Fortnite Keker.exe
6248	Infected.exe
6304	Fortnite Keker.exe

pid	process
6564	schtasks.exe

pid	process
6572	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings msedge.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

5220 NOTEPAD.EXE
6352 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	msedge.exe

pid	process
5220	NOTEPAD.EXE
6352	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeInfected.exe

pid	process
4784	msedge.exe
4784	msedge.exe
4500	msedge.exe
4500	msedge.exe
3364	identity_helper.exe
3364	identity_helper.exe
5184	msedge.exe
5184	msedge.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe
3784	Infected.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

AUDIODG.EXE7zG.exe7zG.exeInfected.exeFortnite Keker.exeexplorer.exeInfected.exeFortnite Keker.exe

description	pid	process
Token: 33	4536	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4536	AUDIODG.EXE
Token: SeRestorePrivilege	5900	7zG.exe
Token: 35	5900	7zG.exe
Token: SeSecurityPrivilege	5900	7zG.exe
Token: SeSecurityPrivilege	5900	7zG.exe
Token: SeRestorePrivilege	6024	7zG.exe
Token: 35	6024	7zG.exe
Token: SeSecurityPrivilege	6024	7zG.exe
Token: SeSecurityPrivilege	6024	7zG.exe
Token: SeDebugPrivilege	3784	Infected.exe
Token: SeDebugPrivilege	3784	Infected.exe
Token: SeDebugPrivilege	5716	Fortnite Keker.exe
Token: SeDebugPrivilege	6656	explorer.exe
Token: SeDebugPrivilege	6656	explorer.exe
Token: SeDebugPrivilege	6248	Infected.exe
Token: SeDebugPrivilege	6304	Fortnite Keker.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe7zG.exe7zG.exe

pid	process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
5900	7zG.exe
6024	7zG.exe
4500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4500 wrote to memory of 4392	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 4392	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 3084	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 4784	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 4784	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe
PID 4500 wrote to memory of 1032	4500	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c0ef46f8,0x7ff8c0ef4708,0x7ff8c0ef4718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8118262092237149951,3432278148987650583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15592:94:7zEvent7268
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fortnite_Checker\" -spe -an -ai#7zMap29011:94:7zEvent1205
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\combo.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5220

C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe
"C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4416
- C:\Users\Admin\AppData\Local\Infected.exe
  "C:\Users\Admin\AppData\Local\Infected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"' & exit
    3⤵
    PID:6456
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"'
      4⤵
      Creates scheduled task(s)
      PID:6564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.bat""
    3⤵
    PID:6472
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6572
  - - C:\Users\Admin\AppData\Roaming\explorer.exe
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:6656
- C:\Users\Admin\AppData\Local\Fortnite Keker.exe
  "C:\Users\Admin\AppData\Local\Fortnite Keker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5716

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\key.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6352

C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe
"C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4700
- C:\Users\Admin\AppData\Local\Infected.exe
  "C:\Users\Admin\AppData\Local\Infected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6248
- C:\Users\Admin\AppData\Local\Fortnite Keker.exe
  "C:\Users\Admin\AppData\Local\Fortnite Keker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fortnite Keker.exe

Filesize
348KB

MD5
bed1540cd4a13ef94f1d4022563e123b

SHA1
e4033f1515387c8a3e4f5484f89d14c6b1f4bd7b

SHA256
dbff92734b854594b7da653f7ab1d869e6ea9372f1bb5d877864d2b543ee5c04

SHA512
bae9be08db4b7e92fad4ce5d3f723f01648b7b45ca2172b8cb985145f44e43b3afc76a2dfba43786443c393a6c9bb5f818167de0c424089cf1b426ec420fe02f

Download Submit
C:\Users\Admin\AppData\Local\Infected.exe

Filesize
355KB

MD5
a7674ca8eba8b438c380890004eceb27

SHA1
fb757723841949da5470251cb571ac566cfb9eac

SHA256
6490aebbe2bd44472b05525f69e1e99861c2588fe63b17daa70a6e2bc8ec1ad6

SHA512
00a9e1e3e585311c6f1a0d7761c29789b50289a4ce19ce904f56afcaf04e371cd912e1b0a486f20a28cbfeb0ef1f402931aec9ac15f0447f4c70ef7e330320e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fortnite Keker.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fortnite Keker.exe.log

Filesize
1KB

MD5
5c0513fa2649ec98d5745b0ced25c78a

SHA1
86d0f50355f3e6426f3122accc23f1d55f7f1bca

SHA256
9f6e46cdf07dcc6c0edc9992761261a093ad211cb15c627d1c2a684b1b6682ee

SHA512
a0524c4bb268b6065c589c41ed23166bb3bbf9dbd43885f10717fef587791d9911533bb4bb9cdea3d80152c69d76738749b59638b5ca6fc152cf412086c5d615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Infected.exe.log

Filesize
709B

MD5
78c953005db7fcd4b683f439d9574ac5

SHA1
2251e9e3205a30614e325ac0381b6c6c599cb3f0

SHA256
48bb9920c94e655ddab39401a4c47a09a2b22eb2417ac1fadc11b6dc841bbbb2

SHA512
5d342e413522e9c37a8e6526b9de4e102cfa2a0a1363cbf82e95da5dc2646105837546b2ba2182f194f68cb1ed4684b01ef8ef5cf7d2381f92218c33ce9673f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
bbad4873fc11369f85903bb06fe745f1

SHA1
ae84687651e6772ed8badc293833d72600cc73d6

SHA256
511ad5c413839512918d38eb8e31126f9d0aa9355bf8f64bd7b3c5147c17b843

SHA512
78132b91e201b754b1aec72298fcab48b4aab5f8afbd843f2ab8f3a70f4e5895557004e68c79927bf5f3789ff0a78b460c4687c310e367ece45b026f0fefe2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
327B

MD5
f8dde3edab7e99be3074a69350f11b32

SHA1
121540c3fd1fd74ca4b6a81806e310cd8615a433

SHA256
2ddc1169da8ab0fac2d3bfc627cc94c1b44d383ed670fb4261ae8dad8ada2cb7

SHA512
89c78f9f7f80af44f4ddfeeb751f8c7c5e34fef20919dc9771d1ed3e8ae00483b185910d82de9ffdf3aeb63e14bddc81452980fda04cf2ebf4c4330817acba73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c42c96477d2120f4b5cc8f5f2ffa8b3

SHA1
b9a91ef16ee25a46dde2463548ea7b10f0e041ac

SHA256
7145516168505ad40145cf56f6bdea672733ec79f975a6145a212f1057e781b3

SHA512
23a12cdcc8164987962a8d7c894ea4edb4f7a31a7268f4078fefbefc0cde46d8b18ff4e3edd133ae3c9a22516f67651cdb3e605111ed3ff42423a57ccf072baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf1452891c1f514a27feb04074252971

SHA1
5d078961b87ec6550073a017dcd052c389938770

SHA256
fe02099334d292dcafee2fc42716f6425b47ba0d28af93496e3f9901c7229586

SHA512
9d843d48e87bfe1f864dd2565fe0f86d6352a6c45b9c2f4227ac8aef0a77a394c85fbfe37e8be70659f96c55e50e55c8de8453a9db18027745bd26628b2fd07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df0a074f14a22461383b59d504f3cb49

SHA1
9ad4617e010d124e04328d5b593002aef888343b

SHA256
b92cc64f51a4c1b3f687317f8e4d4ce7f4521eed45d59026269f0c6deaa38f70

SHA512
3e57f86958b409a27b0ba7e235a77fbb2296aefc39029c4958b8d181998e25d4871e2386dea8775eee9f1b61db4747e25766322928251a7d4f9d059d990d2314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7de9261dfc1b2c6dfd95d140e5207c46

SHA1
7a8aeff6cc5ef641835fc0ac9ed828f2f0cd78ed

SHA256
c8e65e00d8fdfffccf5e16b8217bf485eb1fb700b7df13626a4fac08aa74cf3d

SHA512
202b19618f6a89f41674972ce76b96dea3c9ee8b821983c95375344fcd029af7d3181e22d3c4a3bb9e9c0b77d39698dd4a3cf8d82bf3354667ef844893f8c964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ed94ea7372db5fa7ce6d00d95c69a389

SHA1
24a7eea438fcec02e0258a3604a4e478170f6e36

SHA256
48671dcfbbedcc262298785fe09e84b089eeb3f8c27407dac75f3e18c00fe416

SHA512
431690ee0422019d35c99d8f2cb9e3356828ab7955f0ef080291ef540297ff2f6679cab8b87ce8a2034cc7f2829ecf4e609f3f716c390a5c6a5dcbf4afb73c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a9cd.TMP

Filesize
48B

MD5
363e6083f9c1c04bdd6d637ed4f2dc70

SHA1
858e17fe7b697ac04632fcc16b0f8a4a4aa1b1f7

SHA256
9c31a2dc84842b81c1838935792eec5ffe66ceb541da5fcd2010538474122e3b

SHA512
a399dd9b5e7fbb504825e0dc46fcdd2412f277a1317004ebde2eb73a8ff0f9efaa14fa21c40922671bf3a19a83ae2ea789c1210a4969f702e9a187980eecb565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
579e7b6e861785ddfb66edf7f25f7061

SHA1
cbc0b47fa1ce1f8ded886524213602b0c189eaae

SHA256
363ed386191ce609936c70a0b42a7811a40543c9bec72c05737d4b7e1cee79c8

SHA512
dde5e18bdc226be41a0d7ecabc29b2a29fa3a3c5c2544d6d413f741f7d0e2b5cfe4653c66b751ec120893d93994533927855074dab78767fc9ba25ec451c548e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58dc80.TMP

Filesize
201B

MD5
a047fcf27a883a36839bc5cb72d94d0a

SHA1
212fd40841a454f79e21de20be5898a36b4a3625

SHA256
2bab214d0fb638965c86f9d176f5038db2b96e337b2e76b318823df6797624ea

SHA512
3caa9e65c169da919d2a2b4f1b2918b96e6b3f0d420175ffb48bf6770b42e9e11f340bb5afe297b17eab1a537c24cb03edde6a4ffa520fb82c9782b3a32d92c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7770646dc6732fbf0879d30510afefc1

SHA1
fc1c387fd2e298e7188c6f2de345004e2375258f

SHA256
5fa0470353f2f6241b5f1fca2d94e8f8f1b048bbd671dedffdfa5533763b106b

SHA512
d88c06bfc03a049522963554ae909fd3f152d716e1793f8104e7365275c252cf80608af54f661f07915dbab1dbfabe8e57c48ab60197b64e75746aaa9b4e3342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82f18cdda6751842136036fdb8e9d8d3

SHA1
05e90f781efec21de1e6befbec7855c0bac83098

SHA256
1efcf80241435cd1a4dd4b91cd960b1388d389d5c12db004174c96a8cfd22141

SHA512
249ac9df9a849caa3570a7afb1a1738c706a9e728004ca15be6b6172ab7299b082e9e8cd8ede4cce46a303c6c9f816f7a56e730191fb20e226d868400dfeda40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a4e806f66fee20205eaf9d7d32a6d2a5

SHA1
1890bc52b742b63f619fe08d32d6bfb0ae4af464

SHA256
0978b55a395eccb743df10b7164115bef8db3cc0c95a09ab0f66d6202ab0749c

SHA512
aea88c7b9d59b4572b6e45baa2913bf99bb4103fac47fe047e8d632c803d53ce15f3bcb31b2363f2b4ada958891d12da7c259e8afabcd3bdccdb29ea187e31ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD2C.tmp.bat

Filesize
152B

MD5
e101a533c26a8dde72bef5586383b143

SHA1
a962ca247a43c1a1573f378f85621c39ccaebabb

SHA256
338ff90ef91118f991ed0a2f6a274e5550c12769696f0ba40b851fecd443dce9

SHA512
97174237c513f86f94eee28f1f8ac3ee3dc4ff2dd40a7cea2a7ea3f603c83586fb918cf112f5568f89c05abfdb4f64d2a843418bb0a7d0ed72f25d073e562fae

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker.rar

Filesize
1005KB

MD5
caf3be22450854f6dae3b87ab8be3a8e

SHA1
33ea15bfabddb34b5a6e91e5ddba28549997eed0

SHA256
d9796244114d28e8c6c48d066766b5d025350ea253a50562ef1acd8bd9d68ee6

SHA512
787ebbf6828ed991262c607713e50f16e424bf80a3cdf46498bf51dbfa3ea6c98a0e9018990d385b3ec44841003cac097364706c6ea98afae9b7f338c624337c

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe

Filesize
747KB

MD5
5ea7a9326b41c93a52ea7024014d03b2

SHA1
1c78d72817fb2e9179fc77a256742a376b12c108

SHA256
94bead2a1bec71f0347928f902ed01dfe691ce85fc0e8065d9354ee92dd26aac

SHA512
72d5ef9efad6017369057ca5df707aa362be9fa091a8bc9edbaab5d35cd6e4d5d005a2f4aac2a0662c217d8bb604e4da7a3588c48aa259264e53e6696e90e89c

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\combo.txt

Filesize
104KB

MD5
4358430c0048dab17bed76ca459bfef1

SHA1
6057ba09cea6975f8be99624827669608495c90a

SHA256
5882ce2096cbbdea705bb848bb1fd860e0f7b82328e2c4f77e07dd93684d840c

SHA512
18763960ed63f9a2705f1db206a5bf45cc370142253475a182fc972f399d3c4e4f46849cf4d71ad34952e8cc9bb58014277771affb99e72c36937f4235e1fc2b

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\key.txt

Filesize
15B

MD5
fed800f3f80b105dd3ebcc7cdcacdb8f

SHA1
dc4e69f80acc45d91e7eeb80ea66d210c990eb22

SHA256
b5c519027bbd9bb436af270740ffbadce43730967afd85dabbe8e9fb534d0cc3

SHA512
85c891fb761161ab24502cbef651876661bf5c22ba9264268576469e755cf23157b2187640234eba36a6ada2ced13ea95e8b18aba0e6963c6bdb4bed6fbb176b

Download Submit
\??\pipe\LOCAL\crashpad_4500_WXHLKUNVUUQIUFBG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3784-324-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-283-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-334-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-330-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-328-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-326-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-338-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-322-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-320-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-318-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-312-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-310-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-308-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-306-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-304-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-300-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-296-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-292-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-288-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-286-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-284-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-336-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-332-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-316-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-302-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-298-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-295-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-290-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-571-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/3784-572-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/3784-340-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-279-0x0000000002370000-0x00000000023BC000-memory.dmp

Filesize
304KB

Download
memory/3784-342-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-315-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-346-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-344-0x00000000025C0000-0x0000000002605000-memory.dmp

Filesize
276KB

Download
memory/3784-280-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/3784-281-0x00000000025C0000-0x000000000260A000-memory.dmp

Filesize
296KB

Download
memory/4416-252-0x00000000007F0000-0x00000000008B0000-memory.dmp

Filesize
768KB

Download
memory/5716-282-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/5716-578-0x0000000004AE0000-0x0000000004AEA000-memory.dmp

Filesize
40KB

Download
memory/5716-278-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download