Malware Analysis Report

2024-10-19 08:13

Sample ID 240427-yk2dhsfb54
Target Fortnite Checker.exe
SHA256 d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930
Tags
vanillarat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d548ea85db4681de9393a4bd8369283db49f9f0525356d15f8ca06259e4fa930

Threat Level: Known bad

The file Fortnite Checker.exe was found to be: Known bad.

Malicious Activity Summary

vanillarat persistence rat

VanillaRat

Vanilla Rat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 19:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 19:51

Reported

2024-04-27 19:54

Platform

win7-20240419-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420409388" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000019ce00ca51cbc2cce5f48f02fb9c86b73da3cff13ac35abde42d23d842b4830c000000000e8000000002000020000000d45a82d74f2fca0050196ba491f691071b930e0c6f6a89b8251dfb6f625b36f4200000009b82b6f2e68fab01beff843cab018621e66a2f30f270b52a31a4ff5266a6277140000000045a471bec213aa7b7d10ad0338ea76c617c0d08eb0cff07ba1eb77e20441254acbd8a027eede8a4f56584a42f30f76ea67452b38b29c1a3cf8bd9001b74dd3f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206f4372dc98da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F540BB1-04CF-11EF-B944-E2C1BAF7F8C9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000007ee3b153d8761d06fe4b7a950778be7db3864f4146f8247c5d2e717fb88f92c1000000000e8000000002000020000000ab5e0564ae93b9d4b5f0b4b5b4cd444386c4fb3f7a56e282fa870979e2b10d0990000000c86ef326ca76edb6154a6d1affa40eedabbc7b536fcabc5f2872ef4198c4e87dbfcbde9ba4b8b85d0eca7bd6bb5af0c0c80b4607b4bf2bf2584f6dab1f96bb27780d1b269719b43ecf80c4720d5107b73fa9d418ac432d27450ad08f17ef091768b5c8cb274dd0e051853d6978890c6b14ce47b6ba7b7ada7bb0fb8b4809153fbdc7595f281ac759145578255e58c71a400000006b3994ac0946815e50a6642a16d3880be3cf7b0fa0ac4ba2fa05936b091730cc6fe484ff0fc9bbec813ea77916e121bac7c0e120110904824dcaa05979192cfc C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\Fortnite.exe
PID 1996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 1996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 1996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 1996 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe C:\Users\Admin\AppData\Roaming\FortniteChecker.exe
PID 2760 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2668 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=FortniteChecker.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp

Files

C:\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/2292-46-0x0000000000C70000-0x0000000000C92000-memory.dmp

memory/2292-47-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/2292-48-0x0000000073D60000-0x000000007444E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 19:51

Reported

2024-04-27 19:54

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fortnite = "C:\\Users\\Admin\\AppData\\Roaming\\Fortnite.exe" C:\Users\Admin\AppData\Roaming\Fortnite.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\FortniteChecker.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Fortnite Checker.exe"

C:\Users\Admin\AppData\Roaming\Fortnite.exe

"C:\Users\Admin\AppData\Roaming\Fortnite.exe"

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

"C:\Users\Admin\AppData\Roaming\FortniteChecker.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
DE 138.68.84.55:3086 tcp
US 8.8.8.8:53 g.bing.com udp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp
DE 138.68.84.55:3086 tcp

Files

C:\Users\Admin\AppData\Roaming\Fortnite.exe

MD5 4bd20275a3148a44bf040367a43f6fe2
SHA1 4faa5b6fca5f3b31b00995b4372f635b1ed3a019
SHA256 98efc33ad38ab3a913716402cb445a25e5e578bdd379494c0188b30028430336
SHA512 ba5477c92038704feea1988228b25c82107f1803a3a331ba4337ae48dcdd019b6fc9f3e7fc14ace08b6637ce85ae4ad029a6d1d60ee4daac6a82c0cc1466bc66

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe

MD5 f5d8bedb9dcc17a0a356f2f3f621971e
SHA1 76ed7763602cc198be87b3eb51949f54ae9c0f9b
SHA256 355ae598c711cf98fb78b485fe2bf351233e81d5b98ffd3c81b20470182e6ebe
SHA512 ee5c55a562259481199def67fba592bfa1b524fc4eaa5c9b558f6fbb9609542b0f1a915768f79662a6b7fd2f8127c013aa2fb08a249f5bba89aafad03c9e99eb

C:\Users\Admin\AppData\Roaming\FortniteChecker.exe.config

MD5 13ff21470b63470978e08e4933eb8e56
SHA1 3fa7077272c55e85141236d90d302975e3d14b2e
SHA256 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
SHA512 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8

memory/3416-39-0x0000000000910000-0x0000000000932000-memory.dmp

memory/3416-40-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/2308-41-0x00000000004B0000-0x00000000004CC000-memory.dmp

memory/2308-42-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/3416-43-0x0000000005890000-0x0000000005E34000-memory.dmp

memory/3416-44-0x00000000051E0000-0x0000000005272000-memory.dmp

memory/2308-45-0x0000000002830000-0x000000000283A000-memory.dmp

memory/2308-46-0x0000000005070000-0x0000000005080000-memory.dmp

memory/3416-47-0x0000000005190000-0x00000000051A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\CsvHelper.dll

MD5 c0b9e366d95e367ea4330187439b711b
SHA1 4674c657037b891f2f0cd3977976ef71b578b1b3
SHA256 dffad53f0349e00a1444f71465d7c66aa8758644879d9f628677d5ba8307322a
SHA512 dbd75f3f700f316eabf237235bb148e6098e9ccc313e215922f4b2f6adceea4f4dfb22f933bae6bf6c8693e9387f4dd94aedc8a650e4d8379f70038a7da2afc5

memory/2308-51-0x00000000061C0000-0x00000000061E8000-memory.dmp

memory/1036-52-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-54-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-53-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-64-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-63-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-62-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-61-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-60-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-59-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/1036-58-0x00000282B2A90000-0x00000282B2A91000-memory.dmp

memory/3416-65-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/2308-66-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/2308-67-0x0000000005070000-0x0000000005080000-memory.dmp

memory/3416-68-0x0000000005190000-0x00000000051A0000-memory.dmp