epsilon | d4990f7bcb35710c9a38dfb8c6cb324e43c47c72c6bb9c48d16d6b192fae4957

Analysis

max time kernel
244s
max time network
367s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetaUnfated.exe
Size

139.8MB
MD5

8a648d6aa159c835df037c21917b28bf
SHA1

80678dfdf60594f022fb00cb0123b109c36a1f94
SHA256

705dc4d21549b6603587ef120e0849814871bdd5fcd10c5fb6235e0ff779b6df
SHA512

76a44f60afd1f0383ccb7f997fec5f38db6953b83fcc3ea26fcad982ebaf52984bd080fa16dc1b3c229e082b20fd61e075eb09da054a5b13f85ecdd20a2fa99c
SSDEEP

786432:sSfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:sSj5szmFcxwBFyAaZ4jMhhXcyC

Score

10^/10

epsilon evasion persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Detects executables referencing combination of virtualization drivers 1 IoCs

resource	yara_rule
behavioral8/files/0x000700000002357c-6.dat	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	BetaUnfated.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	BetaUnfated.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BetaUnfated.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	BetaUnfated.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	BetaUnfated.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BetaUnfated.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BetaUnfated.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	BetaUnfated.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	BetaUnfated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	BetaUnfated.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Wine	BetaUnfated.exe

Loads dropped DLL 3 IoCs

pid	Process
3576	BetaUnfated.exe
3576	BetaUnfated.exe
3576	BetaUnfated.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ipinfo.io
55	ipinfo.io

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	BetaUnfated.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1360	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3484	tasklist.exe
4368	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4616	taskkill.exe
4116	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3576	BetaUnfated.exe
3576	BetaUnfated.exe
2416	BetaUnfated.exe
2416	BetaUnfated.exe
1140	BetaUnfated.exe
1140	BetaUnfated.exe
3780	BetaUnfated.exe
3780	BetaUnfated.exe
3780	BetaUnfated.exe
3780	BetaUnfated.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: 36	636	WMIC.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeIncreaseQuotaPrivilege	636	WMIC.exe
Token: SeSecurityPrivilege	636	WMIC.exe
Token: SeTakeOwnershipPrivilege	636	WMIC.exe
Token: SeLoadDriverPrivilege	636	WMIC.exe
Token: SeSystemProfilePrivilege	636	WMIC.exe
Token: SeSystemtimePrivilege	636	WMIC.exe
Token: SeProfSingleProcessPrivilege	636	WMIC.exe
Token: SeIncBasePriorityPrivilege	636	WMIC.exe
Token: SeCreatePagefilePrivilege	636	WMIC.exe
Token: SeBackupPrivilege	636	WMIC.exe
Token: SeRestorePrivilege	636	WMIC.exe
Token: SeShutdownPrivilege	636	WMIC.exe
Token: SeDebugPrivilege	636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	636	WMIC.exe
Token: SeRemoteShutdownPrivilege	636	WMIC.exe
Token: SeUndockPrivilege	636	WMIC.exe
Token: SeManageVolumePrivilege	636	WMIC.exe
Token: 33	636	WMIC.exe
Token: 34	636	WMIC.exe
Token: 35	636	WMIC.exe
Token: 36	636	WMIC.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe
Token: SeShutdownPrivilege	3576	BetaUnfated.exe
Token: SeCreatePagefilePrivilege	3576	BetaUnfated.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3576	BetaUnfated.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4520	3576	BetaUnfated.exe	88
PID 3576 wrote to memory of 4520	3576	BetaUnfated.exe	88
PID 4520 wrote to memory of 636	4520	cmd.exe	90
PID 4520 wrote to memory of 636	4520	cmd.exe	90
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1944	3576	BetaUnfated.exe	91
PID 3576 wrote to memory of 1140	3576	BetaUnfated.exe	92
PID 3576 wrote to memory of 1140	3576	BetaUnfated.exe	92
PID 3576 wrote to memory of 2416	3576	BetaUnfated.exe	93
PID 3576 wrote to memory of 2416	3576	BetaUnfated.exe	93
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97
PID 3576 wrote to memory of 4012	3576	BetaUnfated.exe	97

C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
"C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
  "C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetaUnfated" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1792,12133695891083018676,1225112381750048952,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
  "C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetaUnfated" --mojo-platform-channel-handle=2064 --field-trial-handle=1792,12133695891083018676,1225112381750048952,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
  "C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\BetaUnfated" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2444 --field-trial-handle=1792,12133695891083018676,1225112381750048952,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
  "C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\BetaUnfated" --mojo-platform-channel-handle=2144 --field-trial-handle=1792,12133695891083018676,1225112381750048952,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
  2⤵
  PID:628
- - C:\Windows\system32\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:1916
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:2200
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4120
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:3392
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:4616
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3872
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
    3⤵
    - Adds Run key to start application
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3484
- C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe
  "C:\Users\Admin\AppData\Local\Temp\BetaUnfated.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetaUnfated" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1792,12133695891083018676,1225112381750048952,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x240
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3afdcb8d-6501-4181-9a74-1118778837f3.tmp.node

Filesize
163KB

MD5
b0e113443ddc1ee234acbf0eb0e6f8a0

SHA1
84cc562b82570ec05df6dbbfc8f29fbb16ec68c7

SHA256
8d6f5cab1d6a99ac49772080c6f383f33a9bb983e0f8d02d0f3de4b2bdd26215

SHA512
306e89ec66fdf8b0de19d5bcda01f69809d83f464a9c21fda4b470e81ad3b722aa6cb6086fb4c2af59504fe4332c1f9efff27168598cc00be0f28fed45dde8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\72bcbb8f-d976-4019-8bc5-06cefea84db1.tmp.node

Filesize
2.7MB

MD5
08b28072c6d59fdf06a808182efed01f

SHA1
35253af00af3308a64cff1eda104fd7227abb2f4

SHA256
7c999c84852b1f46a48f75b130fea445280d7032a56359dffecf36730366abc5

SHA512
f2592ade5053b674dbe4191c7001748a801dca3b19e97e19b440a3e944011c87926b0ef21c87e98b48e038889a32e01c1d74949124be3144834e2f06d9781198

Download Submit
C:\Users\Admin\AppData\Local\Temp\98b9854c-3dea-4a97-8f9c-a36bd59914da.tmp.node

Filesize
652KB

MD5
aeeb49ada6f1fb805239308e4c6adb55

SHA1
9f309664c10b4e181e0637cbb1f9b954bbf8ca00

SHA256
b314ee85e8f31cb13b5ed4d602615814cf1615646dc76b8eec7dc27551d8ba33

SHA512
e49bbeb8ec7a003667db17bc129a806053e7b1b139ad5d5c86472ca8f9c20a31fb90aae79313cc17685473b909381b5931d7e34a1228d5e624b1c742dccfc843

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Roaming\BetaUnfated\Network\Network Persistent State

Filesize
393B

MD5
e03c399a6edab87b418fc8c2310cafeb

SHA1
1e9d90a04eccdafc9210f05b00277627dc04aa44

SHA256
5f76e249c1c616535e54d8f06c17c1669a0ec773d0b4c9b357c8d0baf49ca752

SHA512
1be4dc09663b2ca820189380408ede381e4dab76c68b04dcc4d8c792ef46f7ca339cf81edcb44b1a8ad2c4673d4afacd4c3cd734f2e1e8787eaadde5bd22ded1

Download Submit
C:\Users\Admin\AppData\Roaming\BetaUnfated\Network\Network Persistent State~RFe5cdb06.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1944-10-0x00007FFE8DBC0000-0x00007FFE8DBC1000-memory.dmp

Filesize
4KB

Download
memory/1944-24-0x0000018FBAD60000-0x0000018FBB49F000-memory.dmp

Filesize
7.2MB

Download
memory/3780-178-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-170-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-172-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-171-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-176-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-177-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-179-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-181-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-180-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/3780-182-0x000002A437C90000-0x000002A437C91000-memory.dmp

Filesize
4KB

Download
memory/4012-61-0x00000283A02C0000-0x00000283A09FF000-memory.dmp

Filesize
7.2MB

Download