epsilon | 39c42e05315d4c367c767b3a00cb3477b4d57536177c270bef214e300dbefa74

Analysis

max time kernel
25s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240611-fr
resource tags

arch:x64arch:x86image:win10v2004-20240611-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
13-06-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

140.1MB
MD5

b1ccbfbedc38786e9a0e9605b876c38b
SHA1

6be127d660dc19d8abaaa0b7a1fc61e6c4c1cef8
SHA256

ce0fcb2457ffa323e7a9aa65fb7aa3e5cd62bb09faadad83dde9882db04b9f14
SHA512

eb3f5a4e4e801b2d22d1ea8a2d9445430cf49eca895b9583e4fb0f1add3354de9f032d4e50d00d47425e983fc589aa28c3dd1a263a68cb3b6979d8186667c624
SSDEEP

1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k

Score

10^/10

epsilon spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	setup.exe
1256	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io
20	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1700	WMIC.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2056	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1256	setup.exe
Token: SeCreatePagefilePrivilege	1256	setup.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 4924	1256	setup.exe	83
PID 1256 wrote to memory of 2564	1256	setup.exe	84
PID 1256 wrote to memory of 2564	1256	setup.exe	84
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85
PID 1256 wrote to memory of 1728	1256	setup.exe	85

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2400 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3888
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:2628
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:3228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:5076
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:5080
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4592
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:3256
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d7f4640-235a-4fff-b13f-228cdcaf1ad3.tmp.node

Filesize
2.6MB

MD5
083fd9f2e3e93e1f2c599a2b609c9e5e

SHA1
6db2b6ce3e60d828ca32a6000c270c09224f3139

SHA256
5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd

SHA512
08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6da713bf-6b73-4346-8a67-ba04aea8625d.tmp.node

Filesize
642KB

MD5
4c8d6ba1b9e1141bfc8f700a9aa543c0

SHA1
66717fc5b64efb94b61f5476bb3d041c619580ea

SHA256
0a1ce9b4eaf029f7b13e5b677bb8ad3192c0e3088d854a21bbe304e857f677b4

SHA512
ee79d8435276650c87664b87b50ec06597630c2f996f68a95e62cec5188e787e5fe35181c4282dda9960039fe17cdb38b0e8a6a5abc39701abec9e2731fcda47

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
249B

MD5
cf7e4a12f932a3fddddacc8b10e1f1b0

SHA1
db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

SHA256
1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

SHA512
fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

Filesize
216B

MD5
3850dcbdfccef2b2579651cbf2e766f7

SHA1
dd26947e7dc339059d9de4a7aa4a2b09ed621f13

SHA256
c57f2081f932cd5c03d755090fef4d3ac56494a90b425a4d546a0885a98b18e3

SHA512
67fda6f0d08e466caaa7d18fb7b43da4ce5b575c584565718895048c1b4ccc1bf4559ff83b1f063030baa8970c8abbec1ab477fd1c0d46f391f10c21bcb2ce4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
memory/1728-26-0x00007FFF696F0000-0x00007FFF696F1000-memory.dmp

Filesize
4KB

Download
memory/1728-25-0x00007FFF6A1A0000-0x00007FFF6A1A1000-memory.dmp

Filesize
4KB

Download
memory/4924-6-0x00007FFF6ABE0000-0x00007FFF6ABE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads