skuld | hxxps://gofile[.]io/d/RgE9FK

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2025 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/RgE9FK

Score

10^/10

skuld discovery persistence stealer

Malware Config

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1342136216686039140/rIlidp79JXOwMsOPFGTR4P0LuqjLBq1TfI9OHpMrSNxdLTadTsj-JjjFKrf5t-Ko3AcH

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	848	msedge.exe

Executes dropped EXE 24 IoCs

pid	Process
1176	FortniteStripper1.4.exe
2996	FortniteStripper1.4.exe
2400	FortniteStripper1.4.exe
1908	FortniteStripper1.4.exe
4428	FortniteStripper1.4.exe
4216	FortniteStripper1.4.exe
4204	FortniteStripper1.4.exe
4760	FortniteStripper1.4.exe
1484	FortniteStripper1.4.exe
1660	FortniteStripper1.4.exe
4964	FortniteStripper1.4.exe
3656	FortniteStripper1.4.exe
2872	FortniteStripper1.4.exe
2036	FortniteStripper1.4.exe
2424	FortniteStripper1.4.exe
4240	FortniteStripper1.4.exe
1164	FortniteStripper1.4.exe
824	FortniteStripper1.4.exe
852	FortniteStripper1.4.exe
1172	FortniteStripper1.4.exe
5080	FortniteStripper1.4.exe
3864	FortniteStripper1.4.exe
1420	FortniteStripper1.4.exe
1872	FortniteStripper1.4.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	FortniteStripper1.4.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424319.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
848	msedge.exe
848	msedge.exe
856	msedge.exe
856	msedge.exe
5088	identity_helper.exe
5088	identity_helper.exe
1876	msedge.exe
1876	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1176	FortniteStripper1.4.exe
Token: SeDebugPrivilege	2400	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1908	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4428	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4216	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4204	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4760	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1484	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1660	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4964	FortniteStripper1.4.exe
Token: SeDebugPrivilege	3656	FortniteStripper1.4.exe
Token: SeDebugPrivilege	2872	FortniteStripper1.4.exe
Token: SeDebugPrivilege	2036	FortniteStripper1.4.exe
Token: SeDebugPrivilege	2424	FortniteStripper1.4.exe
Token: SeDebugPrivilege	4240	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1172	FortniteStripper1.4.exe
Token: SeDebugPrivilege	824	FortniteStripper1.4.exe
Token: SeDebugPrivilege	852	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1164	FortniteStripper1.4.exe
Token: SeDebugPrivilege	5080	FortniteStripper1.4.exe
Token: SeDebugPrivilege	3864	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1420	FortniteStripper1.4.exe
Token: SeDebugPrivilege	1872	FortniteStripper1.4.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 700	856	msedge.exe	86
PID 856 wrote to memory of 700	856	msedge.exe	86
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 184	856	msedge.exe	87
PID 856 wrote to memory of 848	856	msedge.exe	88
PID 856 wrote to memory of 848	856	msedge.exe	88
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89
PID 856 wrote to memory of 60	856	msedge.exe	89

Views/modifies file attributes 1 TTPs 11 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
116	attrib.exe
4548	attrib.exe
3348	attrib.exe
1448	attrib.exe
3244	attrib.exe
1660	attrib.exe
3344	attrib.exe
232	attrib.exe
1268	attrib.exe
1868	attrib.exe
1520	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/RgE9FK
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8197746f8,0x7ff819774708,0x7ff819774718
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:1520
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:116
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:232
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:4548
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:3348
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:2544
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:3244
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:1660
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:1268
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:3344
- C:\Users\Admin\Downloads\FortniteStripper1.4.exe
  "C:\Users\Admin\Downloads\FortniteStripper1.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\Downloads\FortniteStripper1.4.exe
    3⤵
    - Views/modifies file attributes
    PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,9733818408525739660,16446957963167084522,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b5cfebecbfd715cf1c2e86aaba6753c

SHA1
c2d783bdd82fcfb68e8d566bcd34ead327ed7c13

SHA256
6fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf

SHA512
b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a690d53f0215760186aa07b114ac4561

SHA1
601015b3d5837e99e481db0dcdb0ea33fa80cefc

SHA256
8ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93

SHA512
935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
da12178e4c63fe21d07a3befdee48aed

SHA1
259a40f530945e3b92f46f81046d2bdb938969db

SHA256
c0f581a537e3710444a6cdf1c7dd10d710e1ff15a15e858479c89bbc7a5425aa

SHA512
b87c2abeeeabac4fae08b3bc37cdf98bf3ba1b877a6d3a22b8133f345c7f9ff8ca1ffaf0edbeca6a0697e7d5d1fffcad076c35934017b41e952767eca9f923c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
864B

MD5
fbef390ce0619193c94a2fd3322e2781

SHA1
d250dce59bb9981857274b2637f413f665921c00

SHA256
2f2901eadd9bb5ee4bdb14aab98c5e42a420dc2b5e6260bdbcd8cbdb1e2d2f58

SHA512
156e8672ae479c291e6a9974c2ee93314dd859a56b35d3d5415350ac7d68c9c7116665940209c4fb6acd09efa1b52a485fc46f401e4992d5dbf2fb4adaa128c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b132072c6b756943edbcc1626162ee9

SHA1
4e64c8c2ccd7ec0d9b116e02e14d6e1e0eee90ae

SHA256
59d2780882310034e5049f61a6a57ed0dddee83de10d32e3682707c0a0e6a7a3

SHA512
e9d1872c4fdf62af4d86df64012969e8a46cdf3a6ee7c0f7c4122b38618bc5730ef7051de106cc9e3a90276172907a03299c033f068778f2fe9e8b05a5c137f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbaa934ac340e07a53c777fa2047f5fc

SHA1
630e82336d269dbd1421bf486e71518bb6a6ab5c

SHA256
b911ecc7eabf49c8c40b39dafd9c77ea5d9a01ed993865068b2d8f6949d22d3a

SHA512
30332265b00e85276f938ea44474b607a5482d8a0c116ea6b14e420d8900f71debaf7eaff0553a2592035524642b678fd259ded2add52ee2f0e8e448d2591ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9ac7d64ba533facf33c12b2972d57175

SHA1
0ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3

SHA256
3a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2

SHA512
96c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0ab653963fc9fee231e2e6e5fd2dea2f

SHA1
98987899db9147b4038a46b618d72db35bc2d38f

SHA256
586118fa72fdc669d52be05d14b573850ac885d9bd60a881e20323a9e2e92e88

SHA512
6a8cc83339ca776b94998df971dffc66dabc22c996200cc87b0c78d07c04373ea8d5176cb3c37001fad0468780951307c906af21c066b6d58e82bf93229d56d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d8082b1dde4875761d711ab262279035

SHA1
5fff2121c5f5a22acf5cf55adb141c4d9d6397e5

SHA256
e20fc5a289ca5d7b9f7decb7a000e68c70d7cdcb06ec3fa188552f9412cd9b2a

SHA512
97345c1578e2a4408734ee1b767a8f4405026d674f3be439b5c9ecb74699ac47eb66803c0cc7943666819bfebe88f428506673689f9c7b6d6f04344c5c920637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.0MB

MD5
771e017276c43b3599cabf3f48b87214

SHA1
9a0ddd54aea104fbf7772a9181a6b37510f2f2ca

SHA256
d72a4ee9bdaf7757628854926818a895ea3fc90945a31b04b1059467e38fc163

SHA512
9f31ec492669e030c39742b61f941f417f0f8a4123bf6d0e3e83b3a5562074cde2695bdfcde28c279d535b97f3c14bc2dc237e1c6a44f14e59c68afda3b10ac9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 424319.crdownload

Filesize
10.3MB

MD5
60f8eab2b0a1667f76523ed5b83e6b90

SHA1
47d99a1be92c19f2c0c4e4bc65c0daba50292650

SHA256
32db76e6760a79ebf96b772ede3aaedbc1bb6b01c19e4fca5ddced26fb26073f

SHA512
d151e8c2a08e0851f8c1d9eacdba5f4702d0eb8c58ac2dd5a6812129db553e4f0fed18fbbac169fa84b830bb0b376100905d6870cec36976a561c66c911e20b1

Download Submit