a407d608b441b654f4ba75dd6b8494b584c9a853d6874e8e107c0e8158a0e8f9

Resubmissions

13/05/2024, 23:34 UTC

240513-3kstlaag99 7

13/05/2024, 23:33 UTC

240513-3jy9zsag68 8

Analysis

max time kernel
5s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240508-de
resource tags

arch:x64arch:x86image:win10v2004-20240508-delocale:de-deos:windows10-2004-x64systemwindows
submitted
13/05/2024, 23:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

injector.exe
Size

7.0MB
MD5

48a7cf9aa9df84e84c0fd813f887f3ce
SHA1

66f3c5d877bc3ecd5e8168f10bd7ede380a5da85
SHA256

a407d608b441b654f4ba75dd6b8494b584c9a853d6874e8e107c0e8158a0e8f9
SHA512

606d3d27776e1f50356267265069f911ba45a1f12ac4ec269ad6619c1bade5b3ca300dc3ca0fb20fc2a3993b171275ad2e27c42bffc5d4c352f981126e5b8011
SSDEEP

24576:+U9QqMVCssGgPUh1VNn9UQ7+YymQAXDdVOaCoua71+J0fgbGSh4s3sXYX7bCiFpo:QxKSzIYH4+YHxWAzuQGKc5zDIT64G

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	injector.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 63 IoCs

evasion

pid	Process
1256	taskkill.exe
4380	taskkill.exe
768	taskkill.exe
856	taskkill.exe
4828	taskkill.exe
2796	taskkill.exe
1092	taskkill.exe
1160	taskkill.exe
1324	taskkill.exe
2120	taskkill.exe
3084	taskkill.exe
3708	taskkill.exe
1756	taskkill.exe
820	taskkill.exe
3716	taskkill.exe
2460	taskkill.exe
1448	taskkill.exe
2516	taskkill.exe
2132	taskkill.exe
992	taskkill.exe
4392	taskkill.exe
4584	taskkill.exe
4116	taskkill.exe
4116	taskkill.exe
1424	taskkill.exe
792	taskkill.exe
4972	taskkill.exe
1368	taskkill.exe
2908	taskkill.exe
2040	taskkill.exe
2900	taskkill.exe
2204	taskkill.exe
320	taskkill.exe
1972	taskkill.exe
2560	taskkill.exe
3080	taskkill.exe
2144	taskkill.exe
4164	taskkill.exe
4352	taskkill.exe
1156	taskkill.exe
3052	taskkill.exe
4908	taskkill.exe
1280	taskkill.exe
2052	taskkill.exe
3876	taskkill.exe
1216	taskkill.exe
3920	taskkill.exe
4548	taskkill.exe
2828	taskkill.exe
4332	taskkill.exe
4016	taskkill.exe
5064	taskkill.exe
4828	taskkill.exe
216	taskkill.exe
2304	taskkill.exe
5028	taskkill.exe
4292	taskkill.exe
4116	taskkill.exe
1288	taskkill.exe
5040	taskkill.exe
4344	taskkill.exe
2532	taskkill.exe
1560	taskkill.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4812	injector.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeLoadDriverPrivilege	4812	injector.exe
Token: SeDebugPrivilege	2132	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4236	4812	injector.exe	87
PID 4812 wrote to memory of 4236	4812	injector.exe	87
PID 4812 wrote to memory of 3084	4812	injector.exe	89
PID 4812 wrote to memory of 3084	4812	injector.exe	89
PID 4812 wrote to memory of 4896	4812	injector.exe	91
PID 4812 wrote to memory of 4896	4812	injector.exe	91
PID 4812 wrote to memory of 316	4812	injector.exe	94
PID 4812 wrote to memory of 316	4812	injector.exe	94
PID 4236 wrote to memory of 1280	4236	cmd.exe	93
PID 4236 wrote to memory of 1280	4236	cmd.exe	93
PID 4812 wrote to memory of 376	4812	injector.exe	96
PID 4812 wrote to memory of 376	4812	injector.exe	96
PID 3084 wrote to memory of 4548	3084	cmd.exe	98
PID 3084 wrote to memory of 4548	3084	cmd.exe	98
PID 4812 wrote to memory of 2964	4812	injector.exe	99
PID 4812 wrote to memory of 2964	4812	injector.exe	99
PID 4812 wrote to memory of 348	4812	injector.exe	101
PID 4812 wrote to memory of 348	4812	injector.exe	101
PID 4896 wrote to memory of 4344	4896	cmd.exe	103
PID 4896 wrote to memory of 4344	4896	cmd.exe	103
PID 316 wrote to memory of 4972	316	cmd.exe	104
PID 316 wrote to memory of 4972	316	cmd.exe	104
PID 376 wrote to memory of 4828	376	cmd.exe	106
PID 376 wrote to memory of 4828	376	cmd.exe	106
PID 2964 wrote to memory of 4392	2964	cmd.exe	107
PID 2964 wrote to memory of 4392	2964	cmd.exe	107
PID 348 wrote to memory of 4584	348	cmd.exe	108
PID 348 wrote to memory of 4584	348	cmd.exe	108
PID 4812 wrote to memory of 2132	4812	injector.exe	109
PID 4812 wrote to memory of 2132	4812	injector.exe	109
PID 4812 wrote to memory of 4752	4812	injector.exe	111
PID 4812 wrote to memory of 4752	4812	injector.exe	111
PID 4812 wrote to memory of 1324	4812	injector.exe	113
PID 4812 wrote to memory of 1324	4812	injector.exe	113
PID 4812 wrote to memory of 4776	4812	injector.exe	115
PID 4812 wrote to memory of 4776	4812	injector.exe	115
PID 4812 wrote to memory of 3012	4812	injector.exe	117
PID 4812 wrote to memory of 3012	4812	injector.exe	117
PID 4752 wrote to memory of 792	4752	cmd.exe	119
PID 4752 wrote to memory of 792	4752	cmd.exe	119
PID 4812 wrote to memory of 2268	4812	injector.exe	120
PID 4812 wrote to memory of 2268	4812	injector.exe	120
PID 2132 wrote to memory of 3708	2132	cmd.exe	122
PID 2132 wrote to memory of 3708	2132	cmd.exe	122
PID 4812 wrote to memory of 4272	4812	injector.exe	123
PID 4812 wrote to memory of 4272	4812	injector.exe	123
PID 1324 wrote to memory of 2900	1324	cmd.exe	125
PID 1324 wrote to memory of 2900	1324	cmd.exe	125
PID 4776 wrote to memory of 3080	4776	cmd.exe	126
PID 4776 wrote to memory of 3080	4776	cmd.exe	126
PID 3012 wrote to memory of 1448	3012	cmd.exe	127
PID 3012 wrote to memory of 1448	3012	cmd.exe	127
PID 2268 wrote to memory of 2204	2268	cmd.exe	128
PID 2268 wrote to memory of 2204	2268	cmd.exe	128
PID 4272 wrote to memory of 1256	4272	cmd.exe	129
PID 4272 wrote to memory of 1256	4272	cmd.exe	129
PID 4812 wrote to memory of 768	4812	injector.exe	191
PID 4812 wrote to memory of 768	4812	injector.exe	191
PID 4812 wrote to memory of 4120	4812	injector.exe	132
PID 4812 wrote to memory of 4120	4812	injector.exe	132
PID 4812 wrote to memory of 856	4812	injector.exe	134
PID 4812 wrote to memory of 856	4812	injector.exe	134
PID 4812 wrote to memory of 4356	4812	injector.exe	194
PID 4812 wrote to memory of 4356	4812	injector.exe	194

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Sets service image path in registry
- Checks computer location settings
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:4120
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:856
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:4356
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:1056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:2768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:4288
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:1224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:4792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:4292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:5108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:5064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:4776
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:4832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:4224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    PID:4828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:3716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:4476
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    PID:1216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:2716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4356
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:4640
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:2516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:1156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:2576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:3940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:1324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:1424
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:4112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:4844
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:1372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    PID:4352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:4592
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:2752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:4472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:244
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:4908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:1524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:3508
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:4492
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
  2⤵
  PID:4400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM EpicGamesLauncher.exe
  2⤵
  PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:5040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_BE.exe
  2⤵
  PID:3996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM FortniteClient-Win64-Shipping_EAC.exe
  2⤵
  PID:2828
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Kills process with taskkill
    PID:4332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM RiotClientServices.exe
  2⤵
  PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM RiotClientServices.exe
    3⤵
    - Kills process with taskkill
    PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM vgtray.exe
  2⤵
  PID:2848
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM vgtray.exe
    3⤵
    - Kills process with taskkill
    PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill/F /T /IM SteamService.exe
  2⤵
  PID:4392
- - C:\Windows\system32\taskkill.exe
    taskkill /F /T /IM SteamService.exe
    3⤵
    - Kills process with taskkill
    PID:3084

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

No results found

8.8.8.8:53

g.bing.com

dns

280 B
5

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4812-0-0x00007FF7B18A1000-0x00007FF7B1B75000-memory.dmp

Filesize
2.8MB

Download
memory/4812-1-0x00007FF7B18A0000-0x00007FF7B1FA4000-memory.dmp

Filesize
7.0MB

Download
memory/4812-3-0x00007FF7B18A0000-0x00007FF7B1FA4000-memory.dmp

Filesize
7.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.