Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 18:15
Behavioral task behavioral1: sample fortnitecloud.exe, resource win7-20240903-en
Behavioral task behavioral2: sample fortnitecloud.exe, resource win10v2004-20241007-en
General
Target: fortnitecloud.exe
Size: 3.1MB
MD5: a39f29a2f774febb2c532577de2f407c
SHA1: bf97e76565ae9a78f33601c154e97ef9e2631430
SHA256: 7ce9d2b8f4a344b07a8e3b9bf58ede5a2ba7a85bfa94d8b103179183fbb7c24f
SHA512: ca28aa66f392356e19d3fb43327ffb9cf1aae0777c8fcdc3530b02f50b50a0347a12db76f90717c51355f8c25de020a989b722c231a14f0995b7e149303a4fa0
SSDEEP: 49152:KvYt62XlaSFNWPjljiFa2RoUYIy6jrcFGnoGdoXuTHHB72eh2NT:Kv062XlaSFNWPjljiFXRoUYIy6HcFKo
Malware Config
Extracted
family: quasar
version: 1.4.1
fortnite cloud
roham:9999
34f9808a-f860-420a-9060-bdcca871577f
encryption_key: C98F5FD72C77D3C38A5C7ECBED91435EDD8177FE
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: fortnite updater cloud
subdirectory: SubDir
Signatures
Quasar family
Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1140-1-0x0000000000DF0000-0x0000000001114000-memory.dmp | family_quasar
behavioral2/files/0x000a000000023c73-6.dat | family_quasar
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation, by Client.exe (12 identical entries)
Executes dropped EXE (12 IoCs)
Client.exe, PIDs 2232, 3712, 2180, 1448, 2632, 4244, 3316, 3176, 3012, 3532, 3224, 5032
Drops file in System32 directory (14 IoCs)
File created: C:\Windows\system32\SubDir\Client.exe, by fortnitecloud.exe (1 entry)
File opened for modification: C:\Windows\system32\SubDir\Client.exe, by fortnitecloud.exe (1 entry) and by Client.exe (12 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PING.EXE, PIDs 2816, 112, 1132, 32, 1636, 1404, 4392, 2996, 2604, 5016, 4728, 1532
Runs ping.exe (1 TTP, 12 IoCs)
PING.EXE, PIDs 1132, 5016, 32, 1636, 2816, 1404, 2996, 112, 2604, 4728, 1532, 4392
Scheduled Task/Job: Scheduled Task (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe, PIDs 2956, 220, 2824, 2064, 2196, 3616, 3652, 1832, 2916, 3168, 464, 2828, 4340
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Token: SeDebugPrivilege, fortnitecloud.exe PID 1140
Token: SeDebugPrivilege, Client.exe PIDs 2232, 3712, 2180, 1448, 2632, 4244, 3316, 3176, 3012, 3532, 3224, 5032
Suspicious use of SetWindowsHookEx (12 IoCs)
Client.exe, PIDs 2232, 3712, 2180, 1448, 2632, 4244, 3316, 3176, 3012, 3532, 3224, 5032
Suspicious use of WriteProcessMemory (64 IoCs; 32 distinct entries, each logged twice)
pid | Process | wrote to memory of | procid_target
1140 | fortnitecloud.exe | 2828 | 83
1140 | fortnitecloud.exe | 2232 | 85
2232 | Client.exe | 4340 | 86
2232 | Client.exe | 4884 | 89
4884 | cmd.exe | 2276 | 91
4884 | cmd.exe | 2996 | 92
4884 | cmd.exe | 3712 | 106
3712 | Client.exe | 2196 | 107
3712 | Client.exe | 5104 | 110
5104 | cmd.exe | 4016 | 112
5104 | cmd.exe | 112 | 113
5104 | cmd.exe | 2180 | 115
2180 | Client.exe | 3616 | 118
2180 | Client.exe | 4284 | 121
4284 | cmd.exe | 1676 | 123
4284 | cmd.exe | 2604 | 124
4284 | cmd.exe | 1448 | 127
1448 | Client.exe | 3652 | 128
1448 | Client.exe | 4880 | 131
4880 | cmd.exe | 1056 | 133
4880 | cmd.exe | 1132 | 134
4880 | cmd.exe | 2632 | 136
2632 | Client.exe | 1832 | 137
2632 | Client.exe | 2908 | 140
2908 | cmd.exe | 1944 | 142
2908 | cmd.exe | 5016 | 143
2908 | cmd.exe | 4244 | 145
4244 | Client.exe | 2916 | 146
4244 | Client.exe | 1816 | 149
1816 | cmd.exe | 1988 | 151
1816 | cmd.exe | 4728 | 152
1816 | cmd.exe | 3316 | 154
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (level = depth in the process tree)

level 1: C:\Users\Admin\AppData\Local\Temp\fortnitecloud.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\fortnitecloud.exe"
PID: 1140
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

level 2: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2828
- Scheduled Task/Job: Scheduled Task
level 2: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 2232
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 3: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 4340
- Scheduled Task/Job: Scheduled Task

level 3: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IL39P9Kfq28f.bat" "
PID: 4884
- Suspicious use of WriteProcessMemory

level 4: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 2276

level 4: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2996
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 4: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3712
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 5: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2196
- Scheduled Task/Job: Scheduled Task

level 5: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcm8gQq1004G.bat" "
PID: 5104
- Suspicious use of WriteProcessMemory

level 6: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4016

level 6: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 112
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 6: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 2180
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 7: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 3616
- Scheduled Task/Job: Scheduled Task

level 7: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jbo2W8fmaChB.bat" "
PID: 4284
- Suspicious use of WriteProcessMemory

level 8: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1676

level 8: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2604
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 8: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 1448
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 9: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 3652
- Scheduled Task/Job: Scheduled Task

level 9: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRDJ27nevoUU.bat" "
PID: 4880
- Suspicious use of WriteProcessMemory

level 10: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1056

level 10: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 1132
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 10: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 2632
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 11: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 1832
- Scheduled Task/Job: Scheduled Task

level 11: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqqeSLKZCc33.bat" "
PID: 2908
- Suspicious use of WriteProcessMemory

level 12: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1944

level 12: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 5016
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 12: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 4244
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

level 13: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2916
- Scheduled Task/Job: Scheduled Task

level 13: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\21pc4HndnpaH.bat" "
PID: 1816
- Suspicious use of WriteProcessMemory

level 14: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1988

level 14: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4728
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 14: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3316
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 15: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2956
- Scheduled Task/Job: Scheduled Task

level 15: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xawIUTgJSCuC.bat" "
PID: 1500

level 16: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 5080

level 16: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 32
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 16: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3176
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 17: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 3168
- Scheduled Task/Job: Scheduled Task

level 17: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vBDOYRm8Fu6M.bat" "
PID: 3068

level 18: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 3492

level 18: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 1636
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 18: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3012
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 19: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 220
- Scheduled Task/Job: Scheduled Task

level 19: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TeGbe9JiVwlY.bat" "
PID: 1416

level 20: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1536

level 20: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 1532
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 20: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3532
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 21: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2824
- Scheduled Task/Job: Scheduled Task

level 21: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGvV8zmtXWXE.bat" "
PID: 4924

level 22: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 3080

level 22: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 4392
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 22: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 3224
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 23: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 2064
- Scheduled Task/Job: Scheduled Task

level 23: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6kMSGX34y9ya.bat" "
PID: 4308

level 24: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 1804

level 24: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 1404
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
level 24: C:\Windows\system32\SubDir\Client.exe
cmdline: "C:\Windows\system32\SubDir\Client.exe"
PID: 5032
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

level 25: C:\Windows\SYSTEM32\schtasks.exe
cmdline: "schtasks" /create /tn "fortnite updater cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
PID: 464
- Scheduled Task/Job: Scheduled Task

level 25: C:\Windows\system32\cmd.exe
cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\73YcYBPzEDWb.bat" "
PID: 4856

level 26: C:\Windows\system32\chcp.com
cmdline: chcp 65001
PID: 4940

level 26: C:\Windows\system32\PING.EXE
cmdline: ping -n 10 localhost
PID: 2816
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
MITRE ATT&CK Enterprise v15