Malware Analysis Report

2024-10-24 17:05

Sample ID 240124-vwszqsecb9
Target true.exe
SHA256 8599a5c62399e298ef5b855dc06d1163e3baaf8599520826af516c8ffd53bfb1
Tags
crealstealer xworm persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8599a5c62399e298ef5b855dc06d1163e3baaf8599520826af516c8ffd53bfb1

Threat Level: Known bad

The file true.exe was found to be: Known bad.

Malicious Activity Summary

crealstealer xworm persistence rat stealer trojan

Detect Xworm Payload

An infostealer written in Python and packaged with PyInstaller.

Xworm

crealstealer

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 17:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 17:20

Reported

2024-01-24 18:23

Platform

win7-20231129-en

Max time kernel

1798s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\true.exe"

Signatures

An infostealer written in Python and packaged with PyInstaller.

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

crealstealer

stealer crealstealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epicgameslauncher.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epicgameslauncher.lnk C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\epicgameslauncher N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\epicgameslauncher = "C:\\Users\\Admin\\AppData\\Roaming\\epicgameslauncher" C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\epicgameslauncher N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\true.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2216 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\true.exe C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\true.exe C:\Windows\system32\rundll32.exe
PID 1980 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2556 wrote to memory of 2520 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2744 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\XClient.exe C:\Windows\System32\schtasks.exe
PID 1128 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 1588 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 2184 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 1900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 2836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 2268 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 1572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 808 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher
PID 1128 wrote to memory of 1168 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\epicgameslauncher

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\true.exe

"C:\Users\Admin\AppData\Local\Temp\true.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat" "

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\microsoft.py

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\microsoft.py"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "epicgameslauncher" /tr "C:\Users\Admin\AppData\Roaming\epicgameslauncher"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A14F544-2FD4-4544-BC3E-4FADAF7763F0} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\epicgameslauncher

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 193.161.193.99:34206 tcp

Files

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 8bc14b0327de65a2f2296686eb3f3fe2
SHA1 3a4ae540a7c5f79aafb28968a72764f50043c5f9
SHA256 e6a420464f7c877c5421d7b336705a19609161f84560711e441b2ab48bb54abf
SHA512 ec1156de64c29f818c5b2a243f7ab8fd0beab5975b0ceaa7b81514a9be7d6c30211a8cd325655387ffe33bfb0b824fa30e14987e61301bf63ad2d532fc9a016c

C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat

MD5 ac876bbb38218601fd9b705fcd55cb51
SHA1 69cfba3eeabec0e03ddda6ae5f2533acbfa94685
SHA256 4895833c82a991b73d5d7cf0e73ffcb4159d6fbcd21ac98681002f03469ff086
SHA512 807fce9a386a62da7d84138cb1f94236f17cead5cf3825f7a8f8e38aa40722b38475c26d3b7930d2031701958d46777f3bbd41136bbfb8ae2045c23c650575eb

C:\Users\Admin\AppData\Roaming\microsoft.py

MD5 56858a6f2411a10b07e553dafc76f2cc
SHA1 51fde952fd7ac4a4ad5afe00ee77116120c1f60b
SHA256 ad2c20dc31883ca97884043544fe004cc370270be97ba1bf447b9358c4bd5f92
SHA512 62e529809f42460bd13752fa97c0fc6a19b33e82d8350be10d187e336638d1abf12325ebba79535d22d6666d97698a234d0dcc86c542f97bcf80d34b403676cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8921a1bfd21c28d9c54bb878d934edcb
SHA1 db89ea6c286e8d6b26d068cb0299b9fb4603fe8d
SHA256 f3c6397003a5b06efac7cc26eb88aba200929c25d08221c75ecdcba100f403a5
SHA512 d0cf8a9ffd371bddd618a8980b94c50b3409afec9ebc1d2d237737297990081bdf69d00589ce023d0d3161d5f2280c31f9acd1a07eb6c6f6b0ecbc56344a8e04

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e729cac65377789ee5a5174e5ee1f781
SHA1 d645f2229eb85ef96bd313be4b2c10389d36f349
SHA256 701d43e610ff90d31bf38ccf78e773dc1ef5c080fb0679be1404484dac0ad872
SHA512 53d1645088a386ad59e75468517fcab922fd44e74904f86f6ae1cabd593e6936170558b54c69ad323a2ead980627fd7c5a613567523f6918e49ddc4b86f4dace
