crealstealer | 8599a5c62399e298ef5b855dc06d1163e3baaf8599520826af516c8ffd53bfb1

Analysis

max time kernel
1798s
max time network
1800s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

true.exe
Size

330KB
MD5

9c7e29c46aeea4af73bf5382f1b0bcf4
SHA1

2568ab3b2dd12fdfa9e4b2cd788b97106df1071e
SHA256

8599a5c62399e298ef5b855dc06d1163e3baaf8599520826af516c8ffd53bfb1
SHA512

1cc7f710b203f03ab64ef563eb3093ccb2e2c8beb5ea565e153fed5093e3a0583c525b06b9a1154f31ebaaf848d1f575f7c5738b5d8b6ff44d3c544a0eb8bb81
SSDEEP

3072:9sBTZQFLWx8MzI4IXoSuF/q9Q50t1YAQHmxqHd4HtMUsFTAG5bM:9sLQUxTI4IXo3F9GIGM2H2Us

Score

10^/10

crealstealer xworm persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

aes.plain

Signatures

An infostealer written in Python and packaged with PyInstaller. 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ca5-21.dat	crealstealer

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001650c-13.dat	family_xworm
behavioral1/memory/2744-16-0x0000000000BC0000-0x0000000000BD0000-memory.dmp	family_xworm
behavioral1/memory/2108-97-0x0000000000230000-0x0000000000240000-memory.dmp	family_xworm
behavioral1/memory/1588-104-0x0000000000DA0000-0x0000000000DB0000-memory.dmp	family_xworm
behavioral1/memory/700-114-0x0000000000E80000-0x0000000000E90000-memory.dmp	family_xworm
behavioral1/memory/2268-121-0x00000000010E0000-0x00000000010F0000-memory.dmp	family_xworm
behavioral1/memory/808-131-0x0000000001120000-0x0000000001130000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
crealstealer
An infostealer written in Python and packaged with PyInstaller.
stealer crealstealer

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epicgameslauncher.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epicgameslauncher.lnk	XClient.exe

Executes dropped EXE 31 IoCs

pid	Process
2744	XClient.exe
2108	epicgameslauncher
1588	epicgameslauncher
2184	epicgameslauncher
1900	epicgameslauncher
700	epicgameslauncher
2836	epicgameslauncher
2268	epicgameslauncher
1572	epicgameslauncher
3048	epicgameslauncher
808	epicgameslauncher
1168	epicgameslauncher
2120	epicgameslauncher
948	epicgameslauncher
2964	epicgameslauncher
1892	epicgameslauncher
2428	epicgameslauncher
1736	epicgameslauncher
2604	epicgameslauncher
2756	epicgameslauncher
824	epicgameslauncher
1188	epicgameslauncher
1276	epicgameslauncher
3060	epicgameslauncher
1828	epicgameslauncher
2680	epicgameslauncher
2992	epicgameslauncher
2356	epicgameslauncher
1960	epicgameslauncher
2448	epicgameslauncher
2760	epicgameslauncher

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\epicgameslauncher = "C:\\Users\\Admin\\AppData\\Roaming\\epicgameslauncher"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1636	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
944	powershell.exe
1448	powershell.exe
1088	powershell.exe
2000	powershell.exe
2744	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	XClient.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2744	XClient.exe
Token: SeDebugPrivilege	2108	epicgameslauncher
Token: SeDebugPrivilege	1588	epicgameslauncher
Token: SeDebugPrivilege	2184	epicgameslauncher
Token: SeDebugPrivilege	1900	epicgameslauncher
Token: SeDebugPrivilege	700	epicgameslauncher
Token: SeDebugPrivilege	2836	epicgameslauncher
Token: SeDebugPrivilege	2268	epicgameslauncher
Token: SeDebugPrivilege	1572	epicgameslauncher
Token: SeDebugPrivilege	3048	epicgameslauncher
Token: SeDebugPrivilege	808	epicgameslauncher
Token: SeDebugPrivilege	1168	epicgameslauncher
Token: SeDebugPrivilege	948	epicgameslauncher
Token: SeDebugPrivilege	2964	epicgameslauncher
Token: SeDebugPrivilege	1892	epicgameslauncher
Token: SeDebugPrivilege	2428	epicgameslauncher
Token: SeDebugPrivilege	1736	epicgameslauncher
Token: SeDebugPrivilege	2604	epicgameslauncher
Token: SeDebugPrivilege	2756	epicgameslauncher
Token: SeDebugPrivilege	824	epicgameslauncher
Token: SeDebugPrivilege	1188	epicgameslauncher
Token: SeDebugPrivilege	1276	epicgameslauncher
Token: SeDebugPrivilege	3060	epicgameslauncher
Token: SeDebugPrivilege	1828	epicgameslauncher
Token: SeDebugPrivilege	2680	epicgameslauncher
Token: SeDebugPrivilege	2992	epicgameslauncher
Token: SeDebugPrivilege	2356	epicgameslauncher
Token: SeDebugPrivilege	1960	epicgameslauncher
Token: SeDebugPrivilege	2448	epicgameslauncher
Token: SeDebugPrivilege	2760	epicgameslauncher

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2520	AcroRd32.exe
2520	AcroRd32.exe
2744	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2744	2216	true.exe	31
PID 2216 wrote to memory of 2744	2216	true.exe	31
PID 2216 wrote to memory of 2744	2216	true.exe	31
PID 2216 wrote to memory of 1980	2216	true.exe	29
PID 2216 wrote to memory of 1980	2216	true.exe	29
PID 2216 wrote to memory of 1980	2216	true.exe	29
PID 2216 wrote to memory of 2556	2216	true.exe	30
PID 2216 wrote to memory of 2556	2216	true.exe	30
PID 2216 wrote to memory of 2556	2216	true.exe	30
PID 1980 wrote to memory of 2668	1980	cmd.exe	32
PID 1980 wrote to memory of 2668	1980	cmd.exe	32
PID 1980 wrote to memory of 2668	1980	cmd.exe	32
PID 2556 wrote to memory of 2520	2556	rundll32.exe	34
PID 2556 wrote to memory of 2520	2556	rundll32.exe	34
PID 2556 wrote to memory of 2520	2556	rundll32.exe	34
PID 2556 wrote to memory of 2520	2556	rundll32.exe	34
PID 2744 wrote to memory of 944	2744	XClient.exe	36
PID 2744 wrote to memory of 944	2744	XClient.exe	36
PID 2744 wrote to memory of 944	2744	XClient.exe	36
PID 2744 wrote to memory of 1448	2744	XClient.exe	38
PID 2744 wrote to memory of 1448	2744	XClient.exe	38
PID 2744 wrote to memory of 1448	2744	XClient.exe	38
PID 2744 wrote to memory of 1088	2744	XClient.exe	41
PID 2744 wrote to memory of 1088	2744	XClient.exe	41
PID 2744 wrote to memory of 1088	2744	XClient.exe	41
PID 2744 wrote to memory of 2000	2744	XClient.exe	43
PID 2744 wrote to memory of 2000	2744	XClient.exe	43
PID 2744 wrote to memory of 2000	2744	XClient.exe	43
PID 2744 wrote to memory of 1636	2744	XClient.exe	45
PID 2744 wrote to memory of 1636	2744	XClient.exe	45
PID 2744 wrote to memory of 1636	2744	XClient.exe	45
PID 1128 wrote to memory of 2108	1128	taskeng.exe	47
PID 1128 wrote to memory of 2108	1128	taskeng.exe	47
PID 1128 wrote to memory of 2108	1128	taskeng.exe	47
PID 1128 wrote to memory of 1588	1128	taskeng.exe	50
PID 1128 wrote to memory of 1588	1128	taskeng.exe	50
PID 1128 wrote to memory of 1588	1128	taskeng.exe	50
PID 1128 wrote to memory of 2184	1128	taskeng.exe	51
PID 1128 wrote to memory of 2184	1128	taskeng.exe	51
PID 1128 wrote to memory of 2184	1128	taskeng.exe	51
PID 1128 wrote to memory of 1900	1128	taskeng.exe	52
PID 1128 wrote to memory of 1900	1128	taskeng.exe	52
PID 1128 wrote to memory of 1900	1128	taskeng.exe	52
PID 1128 wrote to memory of 700	1128	taskeng.exe	53
PID 1128 wrote to memory of 700	1128	taskeng.exe	53
PID 1128 wrote to memory of 700	1128	taskeng.exe	53
PID 1128 wrote to memory of 2836	1128	taskeng.exe	54
PID 1128 wrote to memory of 2836	1128	taskeng.exe	54
PID 1128 wrote to memory of 2836	1128	taskeng.exe	54
PID 1128 wrote to memory of 2268	1128	taskeng.exe	55
PID 1128 wrote to memory of 2268	1128	taskeng.exe	55
PID 1128 wrote to memory of 2268	1128	taskeng.exe	55
PID 1128 wrote to memory of 1572	1128	taskeng.exe	56
PID 1128 wrote to memory of 1572	1128	taskeng.exe	56
PID 1128 wrote to memory of 1572	1128	taskeng.exe	56
PID 1128 wrote to memory of 3048	1128	taskeng.exe	57
PID 1128 wrote to memory of 3048	1128	taskeng.exe	57
PID 1128 wrote to memory of 3048	1128	taskeng.exe	57
PID 1128 wrote to memory of 808	1128	taskeng.exe	58
PID 1128 wrote to memory of 808	1128	taskeng.exe	58
PID 1128 wrote to memory of 808	1128	taskeng.exe	58
PID 1128 wrote to memory of 1168	1128	taskeng.exe	59
PID 1128 wrote to memory of 1168	1128	taskeng.exe	59
PID 1128 wrote to memory of 1168	1128	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\true.exe
"C:\Users\Admin\AppData\Local\Temp\true.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2668
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\microsoft.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\microsoft.py"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2520
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "epicgameslauncher" /tr "C:\Users\Admin\AppData\Roaming\epicgameslauncher"
    3⤵
    - Creates scheduled task(s)
    PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {5A14F544-2FD4-4544-BC3E-4FADAF7763F0} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Admin\AppData\Roaming\epicgameslauncher
  C:\Users\Admin\AppData\Roaming\epicgameslauncher
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e729cac65377789ee5a5174e5ee1f781

SHA1
d645f2229eb85ef96bd313be4b2c10389d36f349

SHA256
701d43e610ff90d31bf38ccf78e773dc1ef5c080fb0679be1404484dac0ad872

SHA512
53d1645088a386ad59e75468517fcab922fd44e74904f86f6ae1cabd593e6936170558b54c69ad323a2ead980627fd7c5a613567523f6918e49ddc4b86f4dace

Download Submit
C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat

Filesize
5KB

MD5
ac876bbb38218601fd9b705fcd55cb51

SHA1
69cfba3eeabec0e03ddda6ae5f2533acbfa94685

SHA256
4895833c82a991b73d5d7cf0e73ffcb4159d6fbcd21ac98681002f03469ff086

SHA512
807fce9a386a62da7d84138cb1f94236f17cead5cf3825f7a8f8e38aa40722b38475c26d3b7930d2031701958d46777f3bbd41136bbfb8ae2045c23c650575eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8921a1bfd21c28d9c54bb878d934edcb

SHA1
db89ea6c286e8d6b26d068cb0299b9fb4603fe8d

SHA256
f3c6397003a5b06efac7cc26eb88aba200929c25d08221c75ecdcba100f403a5

SHA512
d0cf8a9ffd371bddd618a8980b94c50b3409afec9ebc1d2d237737297990081bdf69d00589ce023d0d3161d5f2280c31f9acd1a07eb6c6f6b0ecbc56344a8e04

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
41KB

MD5
8bc14b0327de65a2f2296686eb3f3fe2

SHA1
3a4ae540a7c5f79aafb28968a72764f50043c5f9

SHA256
e6a420464f7c877c5421d7b336705a19609161f84560711e441b2ab48bb54abf

SHA512
ec1156de64c29f818c5b2a243f7ab8fd0beab5975b0ceaa7b81514a9be7d6c30211a8cd325655387ffe33bfb0b824fa30e14987e61301bf63ad2d532fc9a016c

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft.py

Filesize
78KB

MD5
56858a6f2411a10b07e553dafc76f2cc

SHA1
51fde952fd7ac4a4ad5afe00ee77116120c1f60b

SHA256
ad2c20dc31883ca97884043544fe004cc370270be97ba1bf447b9358c4bd5f92

SHA512
62e529809f42460bd13752fa97c0fc6a19b33e82d8350be10d187e336638d1abf12325ebba79535d22d6666d97698a234d0dcc86c542f97bcf80d34b403676cb

Download Submit
memory/700-116-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/700-115-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/700-114-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/808-132-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/808-131-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/944-27-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/944-28-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/944-30-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/944-31-0x00000000021D0000-0x0000000002250000-memory.dmp

Filesize
512KB

Download
memory/944-32-0x00000000021D0000-0x0000000002250000-memory.dmp

Filesize
512KB

Download
memory/944-33-0x00000000021D0000-0x0000000002250000-memory.dmp

Filesize
512KB

Download
memory/944-34-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/944-29-0x00000000021D0000-0x0000000002250000-memory.dmp

Filesize
512KB

Download
memory/944-26-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1088-61-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1088-55-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1088-56-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1088-57-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1088-58-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1088-59-0x0000000002D40000-0x0000000002DC0000-memory.dmp

Filesize
512KB

Download
memory/1088-54-0x000007FEEEE50000-0x000007FEEF7ED000-memory.dmp

Filesize
9.6MB

Download
memory/1448-40-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1448-41-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1448-47-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/1448-46-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/1448-45-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/1448-44-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1448-43-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/1448-42-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1448-48-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/1572-126-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1572-125-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1588-104-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/1588-105-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1588-106-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-111-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-112-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2000-69-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2000-74-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-72-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2000-73-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2000-70-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-71-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2000-68-0x000007FEEE4B0000-0x000007FEEEE4D000-memory.dmp

Filesize
9.6MB

Download
memory/2108-101-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-97-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2108-98-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-108-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2184-109-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-1-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-19-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-0-0x00000000002F0000-0x0000000000348000-memory.dmp

Filesize
352KB

Download
memory/2268-121-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/2268-123-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-122-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-78-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2744-60-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-17-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-16-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2744-20-0x000000001B310000-0x000000001B390000-memory.dmp

Filesize
512KB

Download
memory/2836-119-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-118-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-128-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-129-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download