metasploit | fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

max time kernel
121s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

10^/10

metasploit backdoor bootkit persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4912	GoldenEye.exe
2068	dcomcnfg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
60	raw.githubusercontent.com
69	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dcomcnfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	1424	WerFault.exe	80

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{9DEA1972-6F10-425C-9490-E03E99604C31}	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{1a2f446d-911f-4e29-899e-94be703039dd}\dcomcnfg.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{1a2f446d-911f-4e29-899e-94be703039dd}\dcomcnfg.exe\:Zone.Identifier:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 486167.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
3312	msedge.exe
3312	msedge.exe
2688	msedge.exe
2688	msedge.exe
1200	identity_helper.exe
1200	identity_helper.exe
5100	msedge.exe
5100	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2068	dcomcnfg.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 1424	3360	regsvr32.exe	80
PID 3360 wrote to memory of 1424	3360	regsvr32.exe	80
PID 3360 wrote to memory of 1424	3360	regsvr32.exe	80
PID 4256 wrote to memory of 1656	4256	msedge.exe	89
PID 4256 wrote to memory of 1656	4256	msedge.exe	89
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 4960	4256	msedge.exe	90
PID 4256 wrote to memory of 3312	4256	msedge.exe	91
PID 4256 wrote to memory of 3312	4256	msedge.exe	91
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92
PID 4256 wrote to memory of 1868	4256	msedge.exe	92

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 452
    3⤵
    - Program crash
    PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1424 -ip 1424
1⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff855f23cb8,0x7ff855f23cc8,0x7ff855f23cd8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6844 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8168185586597703277,15295604875590713867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:4912
- - C:\Users\Admin\AppData\Roaming\{1a2f446d-911f-4e29-899e-94be703039dd}\dcomcnfg.exe
    "C:\Users\Admin\AppData\Roaming\{1a2f446d-911f-4e29-899e-94be703039dd}\dcomcnfg.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
31KB

MD5
bece038422ccc92d498cdb88950ed3cc

SHA1
743ef43ca2a84ec9d7a3aafd7550c3e6b0b48798

SHA256
c8f101aaa8ced4bf4d49828c264536ce42759e1dbf926c0628377b4939eabfd2

SHA512
b11014d24aec1f37ddc3160a5e15c8d17a365ee603e267405d38dd1afeb7e1df357b7ada92559ddec72df7d6e291dfce3f2b792320ae2a4f14e34dc2815933da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
f07899b2fa8398870c2dcb5d7fe44fc5

SHA1
6efd418ec9d45e731cf848b75b52cfb6124e773b

SHA256
732fe8afbf4fda320d34ed9bb0d4d4f5525879ed87784870face53eb50ffbaeb

SHA512
0b30a0d01277d2f3abcb85f3fc16be3b07fd826e9cb523b73fd9e45bc5cacab03e6f0486ce84cdeab01adb70810d6891d87dae036e525959a4e97114588a900f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0289b86f89413c5f5c9c873fb7457e12

SHA1
c66381fab2128f724ca60205bb3d1f19c4e8cfd2

SHA256
b7f3c397b1bc421e8bf1385f1a3f1b58eae970db52ed34c2d1f45640b33667aa

SHA512
d96add27ad43a71fd1a4cad4d5563d4bb0c2abd2d5d179e750f9989b089f82a3e421c102645eabb404c9da2ad3ab28757f1d30d6caa25f3c3e0175251978d045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6433fe7d71f0a61cfdf71c1896292aed

SHA1
3dde773daa438f1a423ab6425dd29cf06bf1edb9

SHA256
41b12cf7888f714b2bebcd2fed3eef079ac944be7b143cc99e32b658e52d89bf

SHA512
fdaaa515032e82372a03c98fad891d1d86d19a48b0f609813295395f547227f8b289fc610a2002b5b9f9ce3262a639bd2da56c11d01186ec0a763b8668d89a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f8d619c6b17feb311685ffaa7c6b5a6b

SHA1
92b8c41ad3a17c82423e213aefc3febb82feeec3

SHA256
e4924d58dd3de21234d73d3b4eee73bc8de71772c7e2b307ee22c2e1cf1dcfe0

SHA512
2a027196db1e110ba72641866895e75715abead2f85bafbb727673a5f31af48ee94c3c3752dba01a0afca05c493f12f3486becbab042ef1736508d777a234a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6ed83bddd3c41b7b6201beed0f0e4aac

SHA1
ddce548592a370a86477858c7d6e962cb00b3ec7

SHA256
d7238de8f65314a93c91e2d45a4e58ddf084416ca46d1424c1142275abc10b93

SHA512
222579141cf3f970c949d4115af387ff7e4199bae99de676cdacb123a42c996d25d00dd77570666f1f242b7f51234feeb6bf3efafb939a38c4522ef9f85d839f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c287b12f6f35761d61fe7839ac0734aa

SHA1
4604ea61411782e89483ab36ebc5be1fae6f9dc5

SHA256
a78d101afaac1319454e0f87aaafd8388847360da81f7e909758b50f9e63fa27

SHA512
641c8cad477528bcbd7d96c522810f1b55d34a22ef83df06a7ff830440f0af72412d4e940a8bfc7d6da496da6ded6b9a020e7c7caec56a5f5f0b14b0f5f33563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
604cc8e4ce1b01ecda84749c34e1159c

SHA1
ff4dbdaf94203019b73bef22003918f32e661e60

SHA256
aaa3db3a7b9943dffa742190e07522b5cebb2b42080fbf1dd722c33a823f2588

SHA512
d1f7f9c680849f74996fc9e34e0e8dd49b42c1571a7aa5ba2a28e662f8a43c40abc376b6752207925a087c459c8dbeda975e63cefb80b86853317bf35bf55707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8409a90a0249415688c078cd440bf0a3

SHA1
ba6e507e275efc0afa261e22744a7fbc4cc03520

SHA256
3a345da7aee201fe9a73652c317af2be206ea4dd19e111fe2a031495a042c9b3

SHA512
cab20ce74c34f830533f67a11fb32c146f884088505aec0b106502d6a1c8ea8822f0142e7fc20f05654d7049403d03a2eedead1f0a7d9f417c965b7506af50df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1d079d3a0df7101f273fa5e761cdb8e

SHA1
fbc1ca27248ca2a2fbe59e7bb71eeb304e41dfaf

SHA256
09588f5b6cad6cfe89add02b2ea85905743ad0067c6255b116ed4fdff1113d14

SHA512
729f8abae2d019c61a17f59efc847fd5d1e7703fc26077dc9b9d9e5aab4fa2f495505a264850cf4d9e3dc68ec2aa5cfaafb9a7e7323909109c938a25abeab8c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b01cfca024585edc2a203f96619feb21

SHA1
046c0c150b312f608e08115d95c0f340ae941f2c

SHA256
33cc563e9252d24e672c32791bf0858cfdd71e4683e5209ca25800af39c9be34

SHA512
4bcc86850f581a4db042928891fa2b040778c9096142c206c22c77074897cb6c53a007adfc16cecb5e9cd7ae3e914fbea56b229c10a716190a6d813fe6263874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
118923551ac318dcb72673432355a718

SHA1
e159f4de8ad5b5b4a0d428ddb1fb892f4848097e

SHA256
6a4908ca65d7f69882593ea48659e309549ac6d39c38390242c5e4e195475a50

SHA512
7156af1b5db4b14fdf19d8599f3c744e6f2f883e45fd902a57208d4981f800bd9bc8ba752e84ef00bb78886bc6f110e6d92833277f36d98a27de0e2608081612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b90aa3931e470399753a6996957b141

SHA1
5e22f95dfa1d8de23238c87010ab96628c253811

SHA256
3649976f58c57df329bf3d5de1d5e15d38e5d79c4404a24f8b81f6737c160622

SHA512
cf8e90621878585354581d5dd542033691fda75f89770244d59324e630ee7bf10ea4581c9aabf4812a4d230f30d753b96129da49d66b1083a028ff7cedae9272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0bbd96a0b8b157dec8bc39ae13d26834

SHA1
808db4a0935476f6e9dcc871f034c589c2764c18

SHA256
c2e4ec7f263c16ad8f61299ea69634b6d7da72da40b93b08d3af37a211a0c151

SHA512
aa8201449be9b11ddd71027821bd528903baace1e81b22930cc907481f41f47ab081ece8bae2d7f3f29a98ab049f6d3b22ddb6af878d27b0ff9be12c39f7e352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6d503806534171a726dc5b3ac5fe1514

SHA1
9cf4731340f513d44c56439624772cf4690e754d

SHA256
8b7d48b33ec126076591688d00953b8efd332fdee276772d20f27dd114d23574

SHA512
ee881349aa22407658356d4048e54fa8942b77cd10f514f661b5396c3997b5ebf9413392d6c5c28fc979bd0d7dfbd39495e55c1d8669fa744e76aa6f20353381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4491d5e0f60f2fd43885a03255c2784c

SHA1
29dda1689ec3717dfc5e788030f73df0841d8d15

SHA256
1953b775b1dbcede689ed1262e9493814d35917a33a6053d02eb168643b4c82a

SHA512
2080fcd2c6ec6ff2fd5c9a51121318362a964e7d4b8f68f3e0880568fed6f007608a300a9d81b88e1b56ca3cfb3988c307d5582834ae99e3c2bdc8415b597e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc37574c78217e52a7ad54bce7fd56fc

SHA1
f9b816c0f571c9248af4f94912af209b6eda6e95

SHA256
999e4318e3c71c0c1fa501b96f059c479bd85b8ccf2de09e073eba1fea7c48c0

SHA512
40a180aad97d180023456c6142d2f85d1baaf726ff0e6049e32bf0a3442db065d48976ba63ffda00e1db4b30539e895ea2a3151cde75ebdbe5e0fde4909fe016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2649d7d21d4e2832d9eb5973028df63e

SHA1
b1242cb7249b50d85ddddebdeb3a6298d26bb112

SHA256
3ad9bc730baf6f37fbf41dfd2f5a1d1925df8203f49ed74bc2ea8379b7d60e7f

SHA512
6f59e6384449309a8293f25b287a292e022f22e32e2fe9b9db9e3ae1b79e0022f184545f339f35315b663a779fd09877f035ab1f9a21b3bd42c0f4eeb108bc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d5fd.TMP

Filesize
1KB

MD5
254a76803d9ec1a2376572e673c1edf7

SHA1
dff384d5c20bd1578cf9e63162a439d743ee716d

SHA256
76b05e91a4e0adeaf330d68eb1da52d58557ab48dcd2f2c4e567dc63b0da5782

SHA512
b9ed9abcf98151c6d092e30d5d05cbd6d391d494f93b773f633b9d616dd7075a655fba9b0ea5710407d8ee3fa40d6d112b84956638e8c3afb81e32de37f747be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0678b1ac6242ed89ffa77fcebd8641bc

SHA1
1e33ceddd0d6e450d8da2d043ec4d284be9986fc

SHA256
97ef034c7194e9882c28c77b43caba5e17ee84ef20327ef4182f1230d869ccdd

SHA512
d36d609d568267b2ea38914415b578f021b936a34066c97c14894ba2ce14670759265ffd59688f65a0b0f108658c779aab56f4a6a721f5a86a803cab1f5c264b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f7a1cffdc8be60c218a04ec659d1c1ec

SHA1
c881d5501abb4b679cdef6f900a914f526f6f1f3

SHA256
021d093f99859b8bf4f5a9f096187273db49a07f1f57624eeed7178cdbe42c6d

SHA512
0969bd874d8efe6425ec7cb4b15bf0d73cc0ad92a67965db96cafe55fe9c577153d81458e4cf8458c77fb3859cb055c552ef7b4055f378137f791f2b5b107f87

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier

Filesize
131B

MD5
ae8ce25bccb08454b90751b0fa33098e

SHA1
6ae42642d7ea731a65a35b33ca66e1a35f247b01

SHA256
4dd80eefed3f5bf0e6a1e8229e5838377f9b757fcceb95c88f51cc095afbce8f

SHA512
f943579913b355cadcc54fa679f8535727b74ed14fcce8cbd5be0b502944a8214bf9f937e1ec68ff093bb5fe514f415d8e76a396ec93039ea2eb4842491a4633

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 486167.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
memory/1424-0-0x0000000000680000-0x00000000006C3000-memory.dmp

Filesize
268KB

Download
memory/2068-1057-0x0000000000710000-0x000000000072A000-memory.dmp

Filesize
104KB

Download
memory/4912-1042-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/4912-1043-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download
memory/4912-1056-0x00000000009E0000-0x00000000009FA000-memory.dmp

Filesize
104KB

Download