metasploit | c8c7710c055d6fd4a7040d9c699d989a393ad8d960baec3fd652798929052152

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

V-removebg-preview.png
Size

28KB
MD5

fc462405f5f045e51f514f7d1bb655da
SHA1

b3c0e39c11364968c243383789950195e95fefdb
SHA256

c8c7710c055d6fd4a7040d9c699d989a393ad8d960baec3fd652798929052152
SHA512

6e3c64c47afd0ee92db58ef586105deaaa90dfc13f740b2479cec62c24d2729e237dd68c29ed5a8a3f6b2fd617704be793ae6b50e20511449764623eeafa9acf
SSDEEP

768:Tsz7+3ysh2gZ4+a0idR8uDOr3gYwqmMsiEmS2JdW0D1h/3mS4E3:wz7dshPq+wDOrAqKfL81hX53

Score

10^/10

metasploit seon backdoor bootkit persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/rd41q22U http://goldeny4vs3nyoht.onion/rd41q22U 3. Enter your personal decryption code there: rd41q22U1P1mmdFFcdnhm4r6BDSMKavab3Q2Uh1cf4oxVQ3fEGgCmsamAoj2pkfKNBQbxmT8yhRCUsSrsEjzz5jDQBXkvmoE

URLs

http://golden5a4eqranh7.onion/rd41q22U

http://goldeny4vs3nyoht.onion/rd41q22U

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5932	GoldenEye.exe
5984	GoldenEye.exe
1848	sc.exe
596	ByteCodeGenerator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	sc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1848	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{5858345F-56C3-4D1D-974F-FEBB97E711EA}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{444d439f-ee9d-44f0-9cf2-3a095d3e2086}\sc.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{adcc37f5-ea8c-4fb6-aa2c-d3f7e78ca271}\ByteCodeGenerator.exe\:SmartScreen:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 691386.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 231707.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
3360	msedge.exe
3360	msedge.exe
4548	identity_helper.exe
4548	identity_helper.exe
3288	msedge.exe
3288	msedge.exe
4864	msedge.exe
4864	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1848	sc.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 3348	3360	msedge.exe	100
PID 3360 wrote to memory of 3348	3360	msedge.exe	100
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 4004	3360	msedge.exe	102
PID 3360 wrote to memory of 2188	3360	msedge.exe	101
PID 3360 wrote to memory of 2188	3360	msedge.exe	101
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103
PID 3360 wrote to memory of 3144	3360	msedge.exe	103

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\V-removebg-preview.png
1⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc36db46f8,0x7ffc36db4708,0x7ffc36db4718
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:5932
- - C:\Users\Admin\AppData\Roaming\{444d439f-ee9d-44f0-9cf2-3a095d3e2086}\sc.exe
    "C:\Users\Admin\AppData\Roaming\{444d439f-ee9d-44f0-9cf2-3a095d3e2086}\sc.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Launches sc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:5984
- - C:\Users\Admin\AppData\Roaming\{adcc37f5-ea8c-4fb6-aa2c-d3f7e78ca271}\ByteCodeGenerator.exe
    "C:\Users\Admin\AppData\Roaming\{adcc37f5-ea8c-4fb6-aa2c-d3f7e78ca271}\ByteCodeGenerator.exe"
    3⤵
    - Executes dropped EXE
    PID:596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10581108000225219231,2953102079231599685,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6564 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5496

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {374DE290-123F-4565-9164-39C4925E467B} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5484

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:916

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {1CF1260C-4DD0-4EBB-811F-33C572699FDE} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:3260

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5440

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5500

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e2ccfab839773d721e3a3113203ca327

SHA1
103d8b4d0f47a4a0502e186b432cc86cb564801c

SHA256
1e420cede8ee3a93b84882c9f5d8edde08c9976e02bbc5db6f9a77627379c52d

SHA512
57a750d8452d7e50d6fc2ee610ce680384aa8fc3ced405a9367f010996f6be1a403a166f4a9b6407d0f185f67bd27fedd0d0d6f0047a8dac0b07edc9e5509833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0e88b4602ea4bbf59a7e9e96b98e97a6

SHA1
aded6d6036cc81381356037448476191fcf97bf2

SHA256
1a058beb72a0ec84f3d804a444a0fae19d306a32e4a3b088fbdf158e40aff40e

SHA512
e62b03ef4392e744fb9902273c2354f8ef802fd922b1f10392e7777722cc8735f38a1142ecb201365741762020ec3f2cee61a58d386c7e1b5f9fed4e6692ae17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
782B

MD5
dff3f1e03ed652a7b1d0b06b2d1c00ed

SHA1
661869350aa43994c12850c1866777b9e6a6d0e4

SHA256
b076d5f9c8ca7577224f4df684f6c1753f3b21fdadd545327a5a5a57dcf75f07

SHA512
484a12cb5dd577ea069cabce81ba957a7de9e819c50c3b05a2561c3dffd31bd32b278c296d19053c4174800321bd4dbe8ea4cdec68369c31d5508421d1cfaf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9965047f9bfad19aa67d44f04dc1a376

SHA1
e250e57180a7e59a10cde604293c82dc8953dc57

SHA256
ef6da6cfa5fb2c8517051d731a45ea16b9711e0c5e5b3fa503072a04f35a6fa3

SHA512
f6d972f64ac4cfd0490ba1c5d85c3d221523a403531000d8edf6289ecc445137fe805c3c64344c434eb40dd93995f2ff5ecbc1b0314fc0373990984fdaa9edbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a95c4b99f95101ea71581f674ea6ff82

SHA1
1ba75556b93e23739ae39d08aebe06ecb18177bb

SHA256
92707cbc91b572af2d22bdb6a2790be123a8258f26b586bb0797d32433e883b3

SHA512
77d875166da6310345b2fd8b42bdf41e810f487f3288b8285cd0ca9f58d3af6ccee7c3213b879514840f88f8ff5d008ff5892a6b11af8d509d754a7a5b61bdcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
172e555bae0c70a55a489231f6b5f71a

SHA1
b3fabb8ad8b2b918c2c07ce13ec1122522787491

SHA256
f600f6389ac80fd98339e6ed049042052752a58998f1f048e67bbd3357600853

SHA512
ee38ba394a9caf476f7c499fb400d6fb7b43c6172d396815346a1da005760373e5677d02637c3367e97d22bfe68118ee399fcd3842bf3ff5f8590b65e8fc5243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b75ac6c9386eed1b58f60cc4d3138ed9

SHA1
ec585789af06c7a5282e21a886ac00d42c7061ff

SHA256
610aee853c9aa79c5ce53a2049b63dc079f9094eec6086684b77df51beb78b36

SHA512
03f889acb94f13e90b10bf59f437e79174a38f52a665cf7ee16b3b8e220f972061109b5ed9f25d706c421346d8fe3e8208279c71ec5c1c5d00e9fd50c3e06d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92297f793e1735f0f6eb959ae15285eb

SHA1
e745b4c99e93a9ca66353e3155c88d2ac13ff676

SHA256
8ce01c50151824881c35056fee763eed73dd096318a89e83e0c65eef8a3dfd5a

SHA512
e08a86b5dece3e8a01a538d2c5f859a06f18bc851f4bb9f40fb598bc69066987fcd39252fce21514e7bc4bb31f9d93f8a51c6bdcd1c0f6c506927563707c4520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10943b342f16ed608b8569d3190e2743

SHA1
4ac871a9135151b150865b62a1547c4aeeaefff7

SHA256
c242e4aeb93457df91af6e2fef2fcf55030d7b53560ce05d1417553609779e47

SHA512
3d9fd08ff69efb6aca8668690570234f481c483264c69bd6c83b7f2effb251edfbf70843a0b604c6e4c52f77b3db6e69f5e769ae4270be67f918e887d3307484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e8a55f34e714100f49439f31c3d7fa2f

SHA1
8ade35e85e8b8d04e1d819338dc29a705afb8913

SHA256
4c94b6f129733e650097033202a47d3cfe8742fee1a333e88f1ead4ec946643d

SHA512
e6a632d91ea1a9bbd67cb462559d13fcc06f14ff88de51fe76af4c2436d7df644aaa2bb71a88bc28042933539b1773cdcaa1b3ab85108b43395fd3a297246459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9dbffd3227f336c052cbdd20f5b46fdb

SHA1
a6b39fe57b36385198e807b4074aee1578988804

SHA256
373920bea9d58871b965802a437c30253d29b4385a0191e76b3b431136828e13

SHA512
e29b7bb0dc3c2c40592851a09fdc7c972d6ecfe996da7e5115d2908524d5a067e6a20e5186d89501bd47c89bdde9039751a2af0b33e2436e5a759e071c1c8a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d47323b83e1ac9256ad5c800248d64b

SHA1
402f2c6be7ca39aeed25af50b1e88045bf921a83

SHA256
562d8d0c17211efca40bbf94da070999c3b84a473db9c2abde36eef999210cdc

SHA512
5d648966ad789b3110a76b4effa1ec72f0330ebc2e20a6a34c88bc42174434dc3b4977bb41119a5b43d5d6b899ec622c2d0cd5c523917425fba7639d4acd5185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04e24a738818485a2e41ee81f81aa142

SHA1
24ded908bf94b5259d3e376da6c9bf46201c9304

SHA256
b291ab1094dea9a663af9c3e36fcbf4df77316eed9e3e4978ca1f5893b8b64c0

SHA512
86a7a7f1ffcd406b7c673ee006cd6fa070449848f76539d22e770df95d9a47f387a7eea0a3ac4f76093d5760a03519cf1b31cbdb85e70b0aae1cc7cb12384a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75c4c44ea3a4abd37e923b4b07f131cd

SHA1
f93cd24a3d71ccfc028225d906c3a91c357f8db2

SHA256
e85dd0238e46e2a79b9d4a141bcd011fc02d2a5181d0c561827e39f737bfdbff

SHA512
7e09a0bb1c8d54216a367b232b83a4ba26e302f3463ac870a67b69c44d8ed94a80de412a552c2d4ebbae2b5385ee192ea6e6c318d41683dccb13c5b846e7275f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582edb.TMP

Filesize
1KB

MD5
401642c3b4d61ee148d2440019b85034

SHA1
4a2411bc3b9ee112a6de314b4a358cec653c49e7

SHA256
d7e7c4ca7765da6bcf9b3ae1ae587e1b616005ca27a2beb463137ded1bc3a63a

SHA512
fb901e20cf30027c6944ab9626f36dfcd2482040a27ca529def6d53530a62be1eeadf14afe0793059a77d0aedbf8337043380199ba72582e166a88f2fde2e45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb0c207ff05457a63d0b57249d46dae9

SHA1
150e0f477d14501c102bcebaf1835278b2064dbb

SHA256
f7c33f05581dd8f06534fc14f1107a65e10bf311e6b46d4c8137210467fe79f7

SHA512
24c1e38de3054998e252065fb6c08964bf3734c986f49bc60a2dc5f86357e831e55925267383a4fd33d2770fc13fb264eede9bc729ad23a1016af6c99189a843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
88f3a0d1b93d6f9e47d7566961b67e33

SHA1
ed79fd152474a73b6fe11f895265b57c65c7a2ad

SHA256
288cd70c5ab8262b44289b0113fd54152c55e154964179f25b5a5d9e9fe886d8

SHA512
eb3d909f5f70b5f49b5ad860003154189c04832c457dda2c1d258ea3f0f9764c8b29d91b4035bab1e08a0e5373e85f055022d7eeb9115b0f804af4c4fc4f2209

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133422951295765007.txt

Filesize
78KB

MD5
f67ca07131d2ab1c63ea5a07a06a54ae

SHA1
434fedfdaa0c73ca008dfafebaca3b67d9394a56

SHA256
b3fcef045e8550a7c3a06527c46c7306256061d4e6d37330c5bcea6cffceb4dd

SHA512
715fe4e71b26450caeb9dec213e0436c3aa55b62fc856da3ac5f1f41316341228389bccb4377d75bba4c874bed9de41de248c820249df3f180716d0f052a8429

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133422951827052359.txt

Filesize
53KB

MD5
ec44689981484204e2f55f9e57be2f37

SHA1
fa10701b62108efd436ef95da3615333f0d76d37

SHA256
d19c57d88a90328d0f921fdbbf8c6bedb62c649aa082e4fdd3c619967b3d0f3c

SHA512
eb81b591ff46645afbecbe5c54b9e653553298245e95cd19b652beefca5648c2a8927dfc2b6e9ace68468d8fc2779194b9db5afdffb983c0a0229b4a445b70cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133422960300910301.txt

Filesize
64KB

MD5
354371afd06e3ef7cbe26d5a2ab6be54

SHA1
9160e8f1c9e7976ef2e2e4865bb0d088b5828563

SHA256
d94252ca4e6d550247c79c61375f8ce37755f99b6c937893cba0ebf8b3191fd2

SHA512
f3e23284513082055909577c9b62c7a2b323056ba255bc6eb7a8ad09e52800bda4cfecd3e7ad485fe6b4d22a4093d37a671bb2df328fa616de4953f1eaa9faf1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133422964458202372.txt

Filesize
75KB

MD5
bfe202968b5a082663023fa283b33e90

SHA1
ea81819ed58613cb824918eb2b8bfb9bba2c5134

SHA256
f1209a51f09a36ba7ed57bc45a98025c6a1934011fcc84f431a403b8f559bc9c

SHA512
06ac5ab7de569a4d4894505972bd2958fb765e0cf0d41307b24ff0c1034e591f35aa3752d2371e7d7d35a55de61c447c05514cc63fdc128697c444e6e361155a

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\settings.dat

Filesize
8KB

MD5
11436d2fb79aa2e454d74e323c6acfb6

SHA1
0a2d71c842c12f78056952e4cff821510ae01595

SHA256
2fe3b4bdb24e59ab418790101a47117c6012786efa99a5d97e433fc5bea702bc

SHA512
33601d622e368d04e8021174f5b1a4725f243588c2b6c6e65ee7dcd44e5ce7016de36470de2273328166f0946ea15ec90bbca78df3875268b990c3c2c3e73912

Download Submit
C:\Users\Admin\AppData\Roaming\{444d439f-ee9d-44f0-9cf2-3a095d3e2086}\sc.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\{444d439f-ee9d-44f0-9cf2-3a095d3e2086}\sc.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\{adcc37f5-ea8c-4fb6-aa2c-d3f7e78ca271}\ByteCodeGenerator.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Roaming\{adcc37f5-ea8c-4fb6-aa2c-d3f7e78ca271}\ByteCodeGenerator.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
26a78072b78ee64312e2e2eb1e8763f2

SHA1
c8b9fc29d7a0549bf44cae2c87eb6824b74907ad

SHA256
aa72f7e51a0d2521ea054016caa79af5316f45100cf5bd46d5b74ef69aabcd21

SHA512
120933c150b0e31bddfe4da8298e09480f72f32b25ec05539ad60816825ddfee82e208c965f388601d2202b417dd8c61d27f5a270dd8499ee6b41f10f245dabf

Download Submit
memory/596-533-0x00000000006E0000-0x00000000006FA000-memory.dmp

Filesize
104KB

Download
memory/596-537-0x00000000006E0000-0x00000000006FA000-memory.dmp

Filesize
104KB

Download
memory/596-730-0x00000000006E0000-0x00000000006FA000-memory.dmp

Filesize
104KB

Download
memory/1848-531-0x00000000007E0000-0x00000000007FA000-memory.dmp

Filesize
104KB

Download
memory/5932-502-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/5932-497-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/5984-522-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download