epsilon | c35d052840a11e04e79b507fbc5c6e086bc9101ab602ac745d9ed343f2cee488

Resubmissions

01-06-2024 21:48

240601-1nsa5age89 10

01-06-2024 21:40

01-06-2024 21:33

01-06-2024 21:10

01-06-2024 20:55

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

my-app-1.0.0.exe
Size

169.1MB
MD5

b43efe56dd3c84590056c8c87ad3e6f4
SHA1

9e490bbec3f132b7eb8ac39dd4d001da8b275b58
SHA256

d851af974512dc132e8931f8a5d9f443af614e7eb45c140fc8c8971dbb960d78
SHA512

0800a75016ba6b81de945aed51cac599b21fc24fd416ed360599f585d95a20781b7fa11cd9d7225a30b544ae768f0a38da1f427a42d406e21024b1a742fcaf74
SSDEEP

1572864:kKrstWwz6PqazPK3qyBcr35JBNLDD/FaCA7pmLMzCOtoAJnn/N0wIbyraIjR:8W0qr26byra

Score

10^/10

epsilon spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	my-app-1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	my-app-1.0.0.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	screenCapture_1.3.2.exe

Loads dropped DLL 2 IoCs

pid	Process
2852	my-app-1.0.0.exe
2852	my-app-1.0.0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ipinfo.io
25	ipinfo.io

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4320	WMIC.exe
4544	WMIC.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5040	taskkill.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
1664	my-app-1.0.0.exe
1664	my-app-1.0.0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2852	my-app-1.0.0.exe
Token: SeCreatePagefilePrivilege	2852	my-app-1.0.0.exe
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: 36	2688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: 36	1732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4544	WMIC.exe
Token: SeSecurityPrivilege	4544	WMIC.exe
Token: SeTakeOwnershipPrivilege	4544	WMIC.exe
Token: SeLoadDriverPrivilege	4544	WMIC.exe
Token: SeSystemProfilePrivilege	4544	WMIC.exe
Token: SeSystemtimePrivilege	4544	WMIC.exe
Token: SeProfSingleProcessPrivilege	4544	WMIC.exe
Token: SeIncBasePriorityPrivilege	4544	WMIC.exe
Token: SeCreatePagefilePrivilege	4544	WMIC.exe
Token: SeBackupPrivilege	4544	WMIC.exe
Token: SeRestorePrivilege	4544	WMIC.exe
Token: SeShutdownPrivilege	4544	WMIC.exe
Token: SeDebugPrivilege	4544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4544	WMIC.exe
Token: SeRemoteShutdownPrivilege	4544	WMIC.exe
Token: SeUndockPrivilege	4544	WMIC.exe
Token: SeManageVolumePrivilege	4544	WMIC.exe
Token: 33	4544	WMIC.exe
Token: 34	4544	WMIC.exe
Token: 35	4544	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	my-app-1.0.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4320	2852	my-app-1.0.0.exe	88
PID 2852 wrote to memory of 4320	2852	my-app-1.0.0.exe	88
PID 2852 wrote to memory of 2480	2852	my-app-1.0.0.exe	89
PID 2852 wrote to memory of 2480	2852	my-app-1.0.0.exe	89
PID 2852 wrote to memory of 3684	2852	my-app-1.0.0.exe	91
PID 2852 wrote to memory of 3684	2852	my-app-1.0.0.exe	91
PID 2852 wrote to memory of 4176	2852	my-app-1.0.0.exe	93
PID 2852 wrote to memory of 4176	2852	my-app-1.0.0.exe	93
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4724	2852	my-app-1.0.0.exe	96
PID 2852 wrote to memory of 4488	2852	my-app-1.0.0.exe	97
PID 2852 wrote to memory of 4488	2852	my-app-1.0.0.exe	97
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98
PID 2852 wrote to memory of 3516	2852	my-app-1.0.0.exe	98

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:4320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2480
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  PID:4176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2316,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2608,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3504,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
  2⤵
  PID:4556
- - C:\Windows\system32\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "
  2⤵
  PID:4220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:1852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77B0.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1E2B26B7F9D143B9BF46175E33925CB.TMP"
      4⤵
      PID:4432
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"
    3⤵
    - Executes dropped EXE
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:4868
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:2840
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:964
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2412
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
  "C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1400,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x408
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\767fb449-bf06-4d17-8c03-8002f5b780fe.tmp.node

Filesize
2.2MB

MD5
8b0ee0b40dc18dd5638c45dd2299ae65

SHA1
83a8b245a64332225d8762d18f661c88df0c4968

SHA256
808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c

SHA512
738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77B0.tmp

Filesize
1KB

MD5
680af19d0f28b9bee751a99b1a48777b

SHA1
4d2d620bd741bcabf4b121cb0f896366437644f1

SHA256
94ca09e9c918e6cdd20fcd7405b1230c8852026222a9cf9374139795025704d4

SHA512
2d381e9ad297caca01755bb31d6c1ac353959b4e82671a80a794cd4759a998e6cdc5135a5aecfa36b3dc6f9a3891b80eb92a87374e873ee9858a1052b8c33d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guwyjov1.inm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed76f495-1f13-4829-a569-d5a8fe811d09.tmp.node

Filesize
1.6MB

MD5
1e5b6635e09e662d01e9a97c69f1cc27

SHA1
08e3a9e35940ee1ecd37ad762909529c64bc04b5

SHA256
b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b

SHA512
1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
1KB

MD5
698a35da81736fce6e1521788d24f28c

SHA1
9e5ea5f4de84582507b8081e3e8d51b2972333b3

SHA256
b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886

SHA512
09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
1KB

MD5
9ef0cbfa739a8cd4daa50041e13da0b6

SHA1
f8f96c8ddae556e86c65b14ec96976eb2b11db55

SHA256
168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21

SHA512
afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

Filesize
424KB

MD5
938e2d93bc40d7b2bc3531a16f2d912d

SHA1
3e7944db86287536ff39126bcb6a999d1afbd097

SHA256
7917e491a5fb541c7132d80bbe8a4605f5394f7a1d534a115af7d91a587e98c4

SHA512
f79981999848199020e77ad3931b017e4492cedcdd7855dcc3f84d01e846113d990123275161df3c781c048dc627cc2761a6db872e698ac04a6fa9d8df9c48ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
6c92860e20e30a84e14b6bfd7fb47d23

SHA1
969a5aadc8ea194ce00f9953c8116902ce815c6f

SHA256
391b23557fcf31beb78ac58df952388c892a3590c7a227781cc1cbd338e57507

SHA512
fe45c97a7f26988fd1eef417334cf6174650a1fb1e9c9f95ffdcafacf870603bd22463b71696b1a0e8744aadedc84dbf95244dd64585cd053d34fffada64d474

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\68f2e9b4-82ff-4abe-8b7e-396a74c9d202.tmp

Filesize
300B

MD5
7bc6c15c812e63a277ed441720fd1351

SHA1
d5fa529575a428ba1d5ae710da207ba33893adaf

SHA256
8341cc1f5b2bdc9bc7ce1ffefd103a10cca2fd34ab22092c6005a53b16277512

SHA512
280ed51259c4ac097db7f6ada09d47c2375fe1350b37f6d91ec2a67ee18975e8e6036e2098466e93fb7624435fa46976c844c3e697fe41748fdd6db3e0a4a679

Download Submit
C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe5896bd.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1E2B26B7F9D143B9BF46175E33925CB.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
memory/1220-130-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/1664-193-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-181-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-183-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-182-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-187-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-188-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-192-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-191-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-190-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/1664-189-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Filesize
4KB

Download
memory/3516-34-0x00007FFD260B0000-0x00007FFD260B1000-memory.dmp

Filesize
4KB

Download
memory/3516-35-0x00007FFD25EF0000-0x00007FFD25EF1000-memory.dmp

Filesize
4KB

Download
memory/4712-75-0x000001A5521F0000-0x000001A552212000-memory.dmp

Filesize
136KB

Download