hxxps://botmek[.]ru/share/?group=Fortnite

Resubmissions

25-09-2024 12:33

240925-prlrzavgrq 8

28-08-2024 10:49

240828-mwvjkaxckq 8

Analysis

max time kernel
197s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://botmek.ru/share/?group=Fortnite

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
4636	Install.exe
2992	Keyran.exe
3636	Keyran.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4636	Install.exe
4636	Install.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Keyran\Keyran.exe.update	Install.exe
File opened for modification	C:\Program Files (x86)\Keyran\logs\all.log	Keyran.exe
File opened for modification	C:\Program Files (x86)\Keyran\dll\dkb32.dll	Keyran.exe
File opened for modification	C:\Program Files (x86)\Keyran\logs\all.log	Keyran.exe
File created	C:\Program Files (x86)\Keyran\Uninstall.exe	Install.exe
File created	C:\Program Files (x86)\Keyran\license.ini	Install.exe
File created	C:\Program Files (x86)\Keyran\dll\keyboard.dll	Keyran.exe
File opened for modification	C:\Program Files (x86)\Keyran\dll\keyboard.dll	Keyran.exe
File created	C:\Program Files (x86)\Keyran\dll\dkb32.dll	Keyran.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keyran.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keyran.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Keyran.exe = "11000"	Keyran.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Keyran.exe = "11000"	Keyran.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Keyran.exe = "11000"	Keyran.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Keyran.exe = "11000"	Keyran.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717412469719091"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "8"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
2992	Keyran.exe
2992	Keyran.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
4160	chrome.exe
3636	Keyran.exe
3636	Keyran.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	chrome.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
2992	Keyran.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
2992	Keyran.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3876	chrome.exe
2992	Keyran.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
808	chrome.exe
3636	Keyran.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2908	1908	chrome.exe	82
PID 1908 wrote to memory of 2908	1908	chrome.exe	82
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 220	1908	chrome.exe	83
PID 1908 wrote to memory of 4644	1908	chrome.exe	84
PID 1908 wrote to memory of 4644	1908	chrome.exe	84
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85
PID 1908 wrote to memory of 2164	1908	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://botmek.ru/share/?group=Fortnite
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffc868cc40,0x7fffc868cc4c,0x7fffc868cc58
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1748 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4772,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4740,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5360,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5664,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5660,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5100,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5648,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5628,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5960,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6116,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6208,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6244,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5692,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5852,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6640,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6720,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6804,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4592,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6856,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6960,i,1174216386226167574,14716348931395478713,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3248

C:\Users\Admin\Downloads\Install.exe
"C:\Users\Admin\Downloads\Install.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
PID:4636
- C:\Program Files (x86)\Keyran\Keyran.exe
  "C:\Program Files (x86)\Keyran\Keyran.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2992

C:\Program Files (x86)\Keyran\Keyran.exe
"C:\Program Files (x86)\Keyran\Keyran.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Keyran\logs\all.log
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Keyran\Keyran.exe

Filesize
12.0MB

MD5
c6fcc06155771e085fec058f73c64b6b

SHA1
693904e00fd31a5cd3099650c2e6a3ea1838b225

SHA256
290b8f07676a0a17fe51cf44d86aacb62a73a6d280b77988afca59ad555aafe7

SHA512
16e3f5035931c7bbf231bf94187ae322ef413bbf8278a1369222f850d9e0c3fc5110aa794afc89777830ced8be490c61c03fbb7e6a1b72e74d67862c3f434268

Download Submit
C:\Program Files (x86)\Keyran\Uninstall.exe

Filesize
153KB

MD5
2f51b9b9dd39cf6274dcd0ac1862a7f5

SHA1
96567f96810b32d05092e076ab9f683de031bdbe

SHA256
2b727f62b3032dabbc79e6fea8fb23f5e1215bd13f1e2725ffbb89a1f30db52d

SHA512
2a6233edf5ecd0933a0fc4f7f2a93368204970550cfb05f4ed4438568fbedf0e2e83735fcb411ba1774e072a3dd1e3568bef694dd5762d8410276207e1853832

Download Submit
C:\Program Files (x86)\Keyran\dll\dkb32.dll

Filesize
17KB

MD5
00159601e48ae802c95c4401d58f6b21

SHA1
a37ac553c54596b3c99be15c1131a55d29046119

SHA256
e20830a36025a9032bdec56f77ccd98d35ff71447acb6f73edc90befec513538

SHA512
fb60058291e7fae2f9e81f79775f81479216008efa2eec8a3cd9c78057abc005b3e5f58919332b5d02dc99a65dc7cc6fdb9a4fc1c34e8e5be6cb41ed72eadd61

Download Submit
C:\Program Files (x86)\Keyran\dll\keyboard.dll

Filesize
70KB

MD5
e1e49f1e88edbf630c7e0fe4d02e65c7

SHA1
f7019bbb4af4cf06c204303cbc42e6f8f6037248

SHA256
3d0cd3cf6f0700061308da7e2df5c1679ee01f5e9b95bbef41abf280c96bb54c

SHA512
bd44fdfd1356f6972d96a96705544d71d4bf168ebb1b53ebea22ba10b7ab41f88e2570cd48fd5b120d4db4f4c67601189f68933fd3a55bcd8b5cdfc938f04fb4

Download Submit
C:\Program Files (x86)\Keyran\license.ini

Filesize
95KB

MD5
3f476af62a6232139c09abf45aa80d7c

SHA1
ac976124e4dd5f8fe56adeda304c6226f9a36db7

SHA256
0decdd9208bea0cf9fbf387dd9692e91b508ec6d65fce870d651d941eb67e67f

SHA512
6d12ff9b9e80679c33b065bc687fb6ffb251ed939ae2c4c27b5b31a9188a0283b1328564335b2e05669d510ef0494122170c750734fc44347b7bf772f1701a18

Download Submit
C:\Program Files (x86)\Keyran\logs\all.log

Filesize
775B

MD5
f17aadb82cc51413f0dbdc8f849a4bbf

SHA1
3b7714b63e8d19431863b41ad29ccfadc12b8fb3

SHA256
9a59e0264d2c915ee7abd0ced906e36c671b8392dafc7ebf8ef5c5bb09b8c474

SHA512
bdda3268ac67bb011bcf473b8f8e25a7f8d652c463f0fdf2509967621f0854b6584e599ea3b7250bce5be61b6798d0da51107078c439d6a5136b2b6fc4f1a357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a616938f5d5e5588d1f33e04b836355c

SHA1
94609bbf10992ada7e52f696dc346c65dd6ca990

SHA256
af31bfbec2373ad5ac247f7c396af0aa01e6ef416213c51168555567c040a8cd

SHA512
9dc4b7d3ba1b8b0a91a34e218754f7803a6d5d8aaf94369e026905e991c1b30810d935b40d636931ee6e3dd981bbb2201283abcf38e294a6c0684ce7b3ccc3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000060

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000065

Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f71679f665dbd36f6563f40d67b8e439

SHA1
6ff70c8e0b8d7b2aad68a39efe208960045febb9

SHA256
4694e365275fd79724797689f274069854de8398affeb4577e19e233cbffb765

SHA512
2377b26c231bac616cc5d0fd857f64b762ebaf91952944f425ac952df641f75117c1826332c8cf92168b8aae90c332f87be6d3a80af5debcb1c0fc254735f1e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cc842c0d033cc2ea6abf7c77b791ace1

SHA1
63d1da0160141f5d308192471954e7d97823bafd

SHA256
fc71ae1f99f9a52de2f2262c0bfc54c85c8dbd3dda61c9df2a61331ab659acf0

SHA512
8109643286dcf26a8a5e6f8d0f1579c99ce06605418e5eeda163d6773e6a8a9abf1f0de5702275b180ad7f493e360af72f031cadf38e60af28f51e638efc48ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f5a404fe4e642492aad11754be700f2a

SHA1
4770a34c7a7686495083d6ebbd51a8d4cab20c17

SHA256
1c7c2652fd06b5c49a57e8fb29858f512965f1c2b01d7f0b7935c09c7a5c90b0

SHA512
881fe16f0330d0e5e5f2abf899ba7b7d3070a8a68b0e0448005066396f3505faa75f8c7ea23f3422dd523bf9c85adae7011678df86d4a50b1610d7c01247c501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6d7b27cd-2fbb-4911-862d-b3356f9415b0.tmp

Filesize
1KB

MD5
7bf703d8ffe8db54c1021faf826ccca1

SHA1
bfce094ee7f37429ae40c2869996b297594476ec

SHA256
83dce67ba069bdeefeed46295675bf62aa85eb5231d821cf826ced4d5c7cf0ca

SHA512
363495789971d53008de6ae20492f9632ace59f272f8b4b42967ba5e08d4a9271a57d2fd303e76497021c6fc16c720233874c0d694650c74476f11d0063dcf32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
ef660292a92eb7ba982c106b461bfaa8

SHA1
eb8f28634c0408a54fb6af1666cd403ea801c6d0

SHA256
5ae8cf5837c75bb57231ef2a547344bd2736a43affbfb220541c9e6aa79379e1

SHA512
25e70071fd58fb562d013c58e90e05652c3ec62b0e542dcc916fb6018ec6f7d5e2f5881fd442d43ea532fa08791bcafd25afd25e3dbe4c48d8bad9359e7d678d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
c93e5de38bed9e7045e88f427aea8a05

SHA1
57d3ab9d165d42d7b240ed461287592fa474b44e

SHA256
7060acf20d13242a96101b7c8c4c2fa3badc64c6d81fdaa7ccb4f66a04d79db9

SHA512
3d5ef8f3cf51b3d2bd4a2b7f7c1a87ac5b67901e1a494d38d90cb966cce92a4531a506566b6b0520161708014e78a455623eaacca562bc3676ba916347e752e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c15b7244490c3ea312cc94ab5ee51bcb

SHA1
83aab9b9482dba3bb46c79392b250b42f666d4ae

SHA256
f3e84b05d247144c8ae4a41507122e78991f36cc1d0e25a21cd1cf15dbe2f183

SHA512
f0b2b39392d4c442295d1a9718b0334ebae5e2d520b25d791e333ac1eb1a35fade1aefe12d3c33fe2e2c962766b9100a84ccaeb2247fd4ef1b493196f319bc46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a5a13f7f439150931e57300352f3e3d

SHA1
18d3e3b327a23de68b0c9fe507c165b3fc5a78e4

SHA256
a73ed38f8416c4d6dfb4f885185effe73d90b4edbc7320f209404b2149bc6856

SHA512
1ee5dc7a7f9595e37b1075f07f1996e8a163574f5bddb12c2c0dbab8ddfad574ded6dc584d08f9257fcd40dd8f320ff48b5e299a7b71c66040b5ebdb7eb4d8af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
065f177c0ebb2c0042b019a5e6b7a1ba

SHA1
3e727e6c5b5c8ba44d7bbca48085138bc1c163ad

SHA256
0ba4bbb27e522e3116f91c94145f6e034b5ec8bdf01666f925ac1cf4e55ef08b

SHA512
51e33fef9dce26dfd1cd4f6773c539843593873ecff502be87ebb713afd024e62ca212142508059dd0c596eee18606781c20b943cd73ab570d45b2747b3a80a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
84a00694cd1df162427725fee4fbbec4

SHA1
eb08a647c6b76dd4718559da6c5d3c4f7eabf05c

SHA256
8eaca7482062b03b18305a95bd24e7a8104b8dc5798ce2e30ea1a74b2a06e090

SHA512
9a4277683a4662b9f190cc33b5f3b4fe73f3800a6f3705169afa974681a0af3b5648fa5cdf7b80ec457c1fc62d2c24f146dc8105664ccf72f78afe1a1e7e0575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c9f68654378dd4129fa06be487631579

SHA1
d9b29fb86433a4b9f39847dc35040d0f7b2db5b3

SHA256
a269244637ade85475958bc241d3ebfdf6c72608ed699b5557043d3e5f572a88

SHA512
42ab4ed2e9870d379326b6881c57989dc8b441857985e545d1928a95d39f9e8558828d428af43a180ec7a9a07bf333b2ea85f63b06ef010113548ac5350de4dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c3c37b9cc476e564204509bc292c8b35

SHA1
a606ee85b4fc1da8dc2183142f2520fb63377302

SHA256
ab9d1b48f1c3c42809abfdcb18bd7fd4973e5ca09ab34738b72d8b29b1911310

SHA512
0ea680a990439b2f6fcdaeafc2f99d4fe7f9aea1e3a51bf220864b3d517e43ad20154dd9128df212ee9b6cb64fbef5d041e8d7a157e2708092d1654fab33630a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1d21722996f8ede0c0da0712b8146eaf

SHA1
d74e2867f2c324d41e85e92640531f318fdb7c6a

SHA256
92ebcd8bb0e1535765212191dfd0ec5116537e98bbe9e8b9a0808ab305b0c200

SHA512
cb3d8b4cf92e16848d450a344c56ada086783b785f2dab57d92d4b8bf89676cf73bd513046826965363b1c0c01f487af7f7275c2071682c6e5a01f127a2ed145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8faa16a5f2c92d4d6b5d035d293dc51a

SHA1
7581ae149d5a12be177eb126d1185f6ed5c52dbf

SHA256
f740cc773af1d7600c85f3b51e12db4eda2ff783d5519194f9d131ffbf1f9589

SHA512
0584038050e1294b3035fc5e0c7a52cdf94acffb038737c57cc274c25cf36d4b2bcc144f96a6577725063661aa4151aaa3e33703b7bb32c87392cacaae692f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cb1522e589a33a2c29721b3ea5b6bbe7

SHA1
4a0b743beb4cb9a2ef3470d395448444863e65c3

SHA256
bf6cf51f3ed395305c1b095fddff132ce4685237b907fc9d4b004e8479a6f0e8

SHA512
9c77d736e6e942a5c0566aa1dc82c4090c6aa904939986395eeb613f851d842311ed37be39931419d89b382abd2c72d828bce216039a66b2314ea87884b028b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5341ad4eeae34787f7426d58bc3d9bad

SHA1
8c1bb3aac49cc68c7a8823e6fd7d8bb9fc0b1ca9

SHA256
89ab56b08aa5ef22e30b4538f6bf575caa092f293f4155750f6ff44ce62718e7

SHA512
bd5d585ac3c1aec103f1d02eb693d2ddbc79412f9c51c0dad50db7ab428066f36902b7ef0d75535f0e7d8c825ea3822756449c2b8f57fe3dfc64f87c598e3a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8dd62451ce902e5b7ab7a199f4f420b

SHA1
41cc148fb72f869c7b408ff74270a9a8cc3975a5

SHA256
368ce9f9bd407dd37da59bc1e568b5ed2c99f25607245a998637fdcebfe38458

SHA512
641e65e56b8e4a9f51ee33662dc5dffce0b1659a3ef9cff14f04b556f22db054b5442f0e93383473e970f8c3075da7e2a141cde4e711f7cb94450137f92d9ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca03bdc6dd5b74bf493a7a4f9573c293

SHA1
741c9e9d36275338b97df69f2d840aba74a63565

SHA256
3f53485fe54e57bf5841594289345f4d64feb491128b5298c939b0992b431c57

SHA512
f80ed76899ab17410d8f68c93d7e3bd38fe2435c3f7e78e0ee69a08d0e2346ec932e4b800aa43b5afd99d343dcf4babedf9447884c5b1c2e6d6c9dcc1406cbe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
11d94b7a3f68b5c3c9b1c6a82af55800

SHA1
9c5926bf76bc54b2ae36d787efbb8e9f3e07a233

SHA256
54d12473b8f197ca704b0f7046c267310da7e854a8f98f1cc7284a0d2ae02222

SHA512
75c173e2745215171e2e637928d54a8b2db51ddb56080d742576a32eb3b7b054d4c71ff29bdbae154713d0234309167bb9c2385d52e8a7cdfcff66a2c52e789d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef8e4923acc5f2dc0e549e28b8b12ea2

SHA1
96de74580c33d9b98fbad4cbce729879bb9935f4

SHA256
4e963f9fc22b82db823593d76733be2c75d3a53aff9b9979cf259afa7c38fd25

SHA512
97a9f747bdf47606e60c7ec8ba794374f3a07ddf6cec04c1280401c7ed25c4e7a70d8d79e135639d6f215571d1a114262ed8ee3d9a76ee270e23e0bc6bed3140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
820db8ae28f8f04833bc92d9c693e5a9

SHA1
b77e22588da4ec20e13de2ce1e7a73d53b24b2fb

SHA256
4f12202458836a68096339c22439f1a02b0f151fb643e19624a5375b6714cc38

SHA512
a800ea01a2faa3cfb2024bcd079982f2e5e96dc6f96eb4476461fc220965096baf275c325256c85b35c8c54483ae7e35bc47162eb3634339ab879203f9bc7138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e98753c74fd1f2dbf3a9c6c872013b52

SHA1
3bcd494f080b3bc8042537a7b856b050ed3a3111

SHA256
5b3d2ddf05bf1644fe9356c14e309f1b451ddadeeacc8386b3f5ccdc4d071d87

SHA512
bad389636de2a43bbb6906160c701223e8baded756f0d2d46a9b8a3e95c2f0e38e76d6a860395da350c04c00641e24a9f64810f4750d399b2bad0be6b18fa016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
96c1d94801bdfdb9222db8497639a150

SHA1
d449dc047cb572693ae5f7a7244c0ecc82bf5b98

SHA256
867f31d144216eebb473523775ef1e692cfecb0c3b434f436bddae67d663315a

SHA512
8f3cca425122264e9e1db1a8796cc02bddb6c9875b8ce99d0111863dc47647aeb76ca88574d2a6a9e30b03a647002aedf5532fd0cdd451aa19d775faa12ac30f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
cd597b59bc9ae2e427ab065dba0ad098

SHA1
01b204c2dd56f39ab7736d1cbef4990c3046926f

SHA256
31b327d1e46712e529f68bd1040e7b47bcaf8106f74306104faaf73f467c8185

SHA512
d2a0c6a5aa9c8f07e9fb4effbc17ea3c1c05167cca95963ca27c9e98e48623f70c1735578647da312311d8a86cf4b6ef631651aabe77523c40c1dbc61104806e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fdf310ff-ee14-4739-8a8f-1685c126cae9.tmp

Filesize
11KB

MD5
6297dbe238f9c8e5c2a9931aca8f2c59

SHA1
041b766d020aea170c4dff99c4d92e3104f8326e

SHA256
702a1af56b4540f64fedbe5d6d03702dde6555f329639c677df3fe0d5cc8ed21

SHA512
fd7aa7e0551aaf8256f6b57e31a16a28463f9b3ee858dff2a4ebb9b123ddd38aa8243237fbf4a472b50f3b821f3561fb10bfc1dc066693a4ac32f3e81da14364

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
86063e4e983fe11ac5bab347d3f6b778

SHA1
cd58c0c3c15eda004eea80931f5a1622dc3e0bd2

SHA256
2b62bca70f8b00f01787a3cf5797eef829aa8e4ef8aedbd46f661f327afef3aa

SHA512
4b7190e0b3475ae840e2dfde6c64263134c1d4592c6ab0659882d9416e1c8afb6c3d67fdb56a7a45478ea04e444bc3c4d56ac830bc920e389dba1b9c88e82fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
cfce5b74a84258eb7e2c2d3eaf1d4050

SHA1
acadb4202c6d86e8bc382fd91f2570f984298e92

SHA256
8b8e3c138dbe9ba21591a5d2ecdb89643873249b96ad9f2c88745ea69fbcf60e

SHA512
cc25dc6e22e83d6f3c1735c21809bbc462added26fa58a47525ac3749fb6a842ef3448f908bb97f90384b25171d5a796360e8439c847fef8bd0942da41604251

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 619230.crdownload

Filesize
4.1MB

MD5
453bee2b8e8a448bdb7ac22c1047230b

SHA1
0f9c74d4b3658e2beb438a5bdef8ac73294e8f52

SHA256
807e72c85ab94278d9e0bb16ce82c18762a609092ab9d35305db042d61cdddfd

SHA512
a2fdf9176446617aadd645a05378eff7716d9855a36e13d1e4081d3695cad2bd8cd4c8ad7b773b7609c1feeb236615e466928b812234ca0ab17b745e9c958fac

Download Submit
memory/2992-677-0x0000000008AF0000-0x0000000008AFA000-memory.dmp

Filesize
40KB

Download
memory/2992-688-0x000000000ECC0000-0x000000000ECE2000-memory.dmp

Filesize
136KB

Download
memory/2992-668-0x0000000000BD0000-0x00000000034F8000-memory.dmp

Filesize
41.2MB

Download
memory/2992-669-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/2992-670-0x0000000008540000-0x0000000008AE4000-memory.dmp

Filesize
5.6MB

Download
memory/2992-671-0x0000000008030000-0x00000000080C2000-memory.dmp

Filesize
584KB

Download
memory/2992-672-0x00000000080D0000-0x0000000008136000-memory.dmp

Filesize
408KB

Download
memory/2992-673-0x0000000007F40000-0x0000000007F4C000-memory.dmp

Filesize
48KB

Download
memory/2992-674-0x0000000008140000-0x00000000081F0000-memory.dmp

Filesize
704KB

Download
memory/2992-675-0x00000000081F0000-0x000000000845E000-memory.dmp

Filesize
2.4MB

Download
memory/2992-676-0x00000000084E0000-0x0000000008528000-memory.dmp

Filesize
288KB

Download
memory/2992-689-0x000000000ED60000-0x000000000F0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-679-0x0000000009340000-0x00000000098CC000-memory.dmp

Filesize
5.5MB

Download
memory/2992-680-0x000000000B1D0000-0x000000000BAC8000-memory.dmp

Filesize
9.0MB

Download
memory/2992-681-0x0000000009EE0000-0x0000000009EEA000-memory.dmp

Filesize
40KB

Download
memory/4636-623-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-590-0x0000016C6AF50000-0x0000016C6B124000-memory.dmp

Filesize
1.8MB

Download
memory/4636-637-0x0000016C6AA20000-0x0000016C6AA3E000-memory.dmp

Filesize
120KB

Download
memory/4636-622-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-621-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-611-0x00007FFFB3933000-0x00007FFFB3935000-memory.dmp

Filesize
8KB

Download
memory/4636-591-0x0000016C6CB10000-0x0000016C6CB32000-memory.dmp

Filesize
136KB

Download
memory/4636-667-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-589-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-588-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-587-0x0000016C69F10000-0x0000016C69F86000-memory.dmp

Filesize
472KB

Download
memory/4636-586-0x00007FFFB3930000-0x00007FFFB43F1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-585-0x0000016C69CD0000-0x0000016C69D80000-memory.dmp

Filesize
704KB

Download
memory/4636-584-0x0000016C67BF0000-0x0000016C67BF1000-memory.dmp

Filesize
4KB

Download
memory/4636-583-0x0000016C66F90000-0x0000016C6784A000-memory.dmp

Filesize
8.7MB

Download
memory/4636-582-0x00007FFFB3933000-0x00007FFFB3935000-memory.dmp

Filesize
8KB

Download