epsilon | 35c82cfd52b4ceab73e4647412e82cc0a33a0eacdb66c61ba110bbc99a1aa7e5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpsilonClassic.exe
Size

140.1MB
MD5

d60aed1b86f5ce34c81ffacaf4c2635a
SHA1

f0caed459f1c85f653d11cf4510d0f3cf9b82179
SHA256

532b43f7e8e9f89b203e8198792383395b9e47767db0e5d91779d918722a710f
SHA512

01f789d5ac3526a73b578ed559109eb26df543f7ce45c9b0a41803c929b5cb3db392c324cd1ad0da059e919b6ca5d3785801836f39e164eec81a463ac09bf98a
SSDEEP

1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k

Score

10^/10

epsilon spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EpsilonClassic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EpsilonClassic.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	EpsilonClassic.exe
2360	EpsilonClassic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ipinfo.io
24	ipinfo.io

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1568	tasklist.exe
1772	tasklist.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	EpsilonClassic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	EpsilonClassic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	EpsilonClassic.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3196	EpsilonClassic.exe
3196	EpsilonClassic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	tasklist.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe
Token: SeShutdownPrivilege	2360	EpsilonClassic.exe
Token: SeCreatePagefilePrivilege	2360	EpsilonClassic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	EpsilonClassic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 1060	2360	EpsilonClassic.exe	85
PID 2360 wrote to memory of 4312	2360	EpsilonClassic.exe	86
PID 2360 wrote to memory of 4312	2360	EpsilonClassic.exe	86
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87
PID 2360 wrote to memory of 3672	2360	EpsilonClassic.exe	87

C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
"C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1884,i,17992284727472572320,13672210869366554518,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --mojo-platform-channel-handle=2160 --field-trial-handle=1884,i,17992284727472572320,13672210869366554518,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4312
- C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2416 --field-trial-handle=1884,i,17992284727472572320,13672210869366554518,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3672
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryla\WinSCP 2\Sessions"
  2⤵
  PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4272
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4456
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonClassic.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonClassic" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2872 --field-trial-handle=1884,i,17992284727472572320,13672210869366554518,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10816747-aa19-47a9-9aa7-b9089463181e.tmp.node

Filesize
2.6MB

MD5
083fd9f2e3e93e1f2c599a2b609c9e5e

SHA1
6db2b6ce3e60d828ca32a6000c270c09224f3139

SHA256
5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd

SHA512
08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3963f822-a766-4622-a880-bf3d7b2186ee.tmp.node

Filesize
642KB

MD5
ab4a1c882f829aaeb65be643caa4e88a

SHA1
a5ebfe571aa30feae9ff52cbf18f7b0ae3cccb12

SHA256
9e29441fc2b83a9f2457f7e4e4c829970883b34a891533228c85fdff3e703db8

SHA512
548055c6eaddaf2aa66abc53ede4e311aa942d2d33ee6bf47e694e32b4c54bde73322f5d88b3192fde4f9226f265dd0d156573b2434ace8af5d6e36af182a880

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Autofill Data\All Autofill Data.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonClassic\Network\Network Persistent State

Filesize
296B

MD5
0157796824da1e3e67078937e4ff3d19

SHA1
b233d24a6de6e3b1f94cfa8c101c9296b10c9915

SHA256
b0551afe82304f318f9a2fb3bfe47975677ee4d79dd3be91d54694a42612b6ca

SHA512
13c3e953349159a0feb58240727ec8532977266d39977612d84f762caf999b85db5fb7d49d4eec83818c77b9a3eaf94e3c043effa512cbe10d52b05be0cb95aa

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonClassic\Network\Network Persistent State~RFe58c119.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1060-6-0x00007FFCDDDA0000-0x00007FFCDDDA1000-memory.dmp

Filesize
4KB

Download
memory/3196-136-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-135-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-134-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-140-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-141-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-146-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-145-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-144-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-143-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3196-142-0x0000018C4C330000-0x0000018C4C331000-memory.dmp

Filesize
4KB

Download
memory/3672-112-0x000002141BA20000-0x000002141BACD000-memory.dmp

Filesize
692KB

Download
memory/3672-25-0x00007FFCDDB60000-0x00007FFCDDB61000-memory.dmp

Filesize
4KB

Download
memory/3672-26-0x00007FFCDE840000-0x00007FFCDE841000-memory.dmp

Filesize
4KB

Download