08e17fb8c4ad78d79d50fdda2d4415a7a62a07545ce92bf7125d0ab04676788d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 22:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Size

180KB
MD5

309589c06a00682b259f27c71d503ada
SHA1

11f79ffc3e7c67c6380a7bdf397ccdaf0c273179
SHA256

08e17fb8c4ad78d79d50fdda2d4415a7a62a07545ce92bf7125d0ab04676788d
SHA512

6fd1adce8a1a12e66f69661ecdc6249b29317295a58fdf19f4bc9ad3d5027c4c4bd2a49e65be1c7dd432c6aca962cee086b289304beab6bd03755a208ed4f34f
SSDEEP

3072:jEGh0oIlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023229-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5eb-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5eb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016928-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e401-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002339b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002339b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e401-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e401-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e587-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e587-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bc-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000234cd-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234d1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}\stubpath = "C:\\Windows\\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe"	{81B51771-D818-4501-8392-A5476E623B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F62878-60C6-477a-89D2-07806B89CEC9}	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F62878-60C6-477a-89D2-07806B89CEC9}\stubpath = "C:\\Windows\\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe"	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D394FAF6-63E8-4056-9761-B002A0ECE352}	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D394FAF6-63E8-4056-9761-B002A0ECE352}\stubpath = "C:\\Windows\\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe"	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B51771-D818-4501-8392-A5476E623B96}	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC992634-4FF5-4c42-871D-51902B17C887}\stubpath = "C:\\Windows\\{BC992634-4FF5-4c42-871D-51902B17C887}.exe"	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}\stubpath = "C:\\Windows\\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe"	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC992634-4FF5-4c42-871D-51902B17C887}	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}	{81B51771-D818-4501-8392-A5476E623B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BAE551-4089-4421-B53A-64B9D1A3842C}	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BAE551-4089-4421-B53A-64B9D1A3842C}\stubpath = "C:\\Windows\\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe"	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}\stubpath = "C:\\Windows\\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe"	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B51771-D818-4501-8392-A5476E623B96}\stubpath = "C:\\Windows\\{81B51771-D818-4501-8392-A5476E623B96}.exe"	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}\stubpath = "C:\\Windows\\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe"	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3B258-C471-4579-9B86-3DEB29BA8451}\stubpath = "C:\\Windows\\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe"	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}\stubpath = "C:\\Windows\\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe"	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}\stubpath = "C:\\Windows\\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe"	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3B258-C471-4579-9B86-3DEB29BA8451}	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
944	{81B51771-D818-4501-8392-A5476E623B96}.exe
3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
4484	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
4028	{BC992634-4FF5-4c42-871D-51902B17C887}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
File created	C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
File created	C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
File created	C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
File created	C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
File created	C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	{81B51771-D818-4501-8392-A5476E623B96}.exe
File created	C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
File created	C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
File created	C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
File created	C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
File created	C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
File created	C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Token: SeIncBasePriorityPrivilege	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Token: SeIncBasePriorityPrivilege	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Token: SeIncBasePriorityPrivilege	944	{81B51771-D818-4501-8392-A5476E623B96}.exe
Token: SeIncBasePriorityPrivilege	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Token: SeIncBasePriorityPrivilege	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Token: SeIncBasePriorityPrivilege	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Token: SeIncBasePriorityPrivilege	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Token: SeIncBasePriorityPrivilege	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Token: SeIncBasePriorityPrivilege	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
Token: SeIncBasePriorityPrivilege	4484	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4892	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3648
- C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
  C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
    C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D394F~1.EXE > nul
      4⤵
      PID:1452
  - - C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
      C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D23~1.EXE > nul
        5⤵
        
        PID:4244
    - - C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe
        
        C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B51~1.EXE > nul
        6⤵
        
        PID:528
      - C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
        
        C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D28C~1.EXE > nul
        7⤵
        
        PID:4340
        
        C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
        
        C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22BAE~1.EXE > nul
        8⤵
        
        PID:4756
        
        C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
        
        C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8C3~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
        
        C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69F62~1.EXE > nul
        10⤵
        
        PID:5044
        
        C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
        
        C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
        
        C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2454F~1.EXE > nul
        12⤵
        
        PID:4892
        
        C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
        
        C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe
        
        C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe
        13⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E3B~1.EXE > nul
        13⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BD0~1.EXE > nul
        11⤵
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71E5F~1.EXE > nul
    3⤵
    PID:3360

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

100.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.5.17.2.in-addr.arpa

IN PTR

Response

100.5.17.2.in-addr.arpa

IN PTR

a2-17-5-100deploystaticakamaitechnologiescom
DNS

100.5.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.5.17.2.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR
DNS

24.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.134.221.88.in-addr.arpa

IN PTR

Response

24.134.221.88.in-addr.arpa

IN PTR

a88-221-134-24deploystaticakamaitechnologiescom
DNS

210.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.135.221.88.in-addr.arpa

IN PTR

Response

210.135.221.88.in-addr.arpa

IN PTR

a88-221-135-210deploystaticakamaitechnologiescom
DNS

202.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.178.17.96.in-addr.arpa

IN PTR

Response

202.178.17.96.in-addr.arpa

IN PTR

a96-17-178-202deploystaticakamaitechnologiescom
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR
DNS

196.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.178.17.96.in-addr.arpa

IN PTR

Response

196.178.17.96.in-addr.arpa

IN PTR

a96-17-178-196deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301155_1GGY831Y9L2UBT9JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301155_1GGY831Y9L2UBT9JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 803376
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1FA98564B8B64FD8819B886FE93B4DD5 Ref B: LON04EDGE0915 Ref C: 2024-01-18T22:47:43Z
date: Thu, 18 Jan 2024 22:47:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 665717
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5FEBACEF0777476C8FCFD2FEECAB1C22 Ref B: LON04EDGE0915 Ref C: 2024-01-18T22:47:43Z
date: Thu, 18 Jan 2024 22:47:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301564_1NPXYTFO6Z76HH02K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301564_1NPXYTFO6Z76HH02K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 615853
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3603D13DCF24788A8E7E3441C1C3CC3 Ref B: LON04EDGE0915 Ref C: 2024-01-18T22:47:43Z
date: Thu, 18 Jan 2024 22:47:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301081_14MOG3T9LL16YF9W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301081_14MOG3T9LL16YF9W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 818103
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 819D91845D9148C688299693FB65B03B Ref B: LON04EDGE0915 Ref C: 2024-01-18T22:47:43Z
date: Thu, 18 Jan 2024 22:47:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 532229
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A194F2FEC2247FDA12A6B4F2A8BF497 Ref B: LON04EDGE0915 Ref C: 2024-01-18T22:47:43Z
date: Thu, 18 Jan 2024 22:47:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301514_11TXO42RPUE9AOYNQ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301514_11TXO42RPUE9AOYNQ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

28.160.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.160.77.104.in-addr.arpa

IN PTR

Response

28.160.77.104.in-addr.arpa

IN PTR

a104-77-160-28deploystaticakamaitechnologiescom
DNS

28.160.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.160.77.104.in-addr.arpa

IN PTR

Response

28.160.77.104.in-addr.arpa

IN PTR

a104-77-160-28deploystaticakamaitechnologiescom
DNS

204.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

204.178.17.96.in-addr.arpa

IN PTR

Response

204.178.17.96.in-addr.arpa

IN PTR

a96-17-178-204deploystaticakamaitechnologiescom
DNS

204.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

204.178.17.96.in-addr.arpa

IN PTR

Response

204.178.17.96.in-addr.arpa

IN PTR

a96-17-178-204deploystaticakamaitechnologiescom
DNS

50.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.134.221.88.in-addr.arpa

IN PTR

Response

50.134.221.88.in-addr.arpa

IN PTR

a88-221-134-50deploystaticakamaitechnologiescom
DNS

50.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.134.221.88.in-addr.arpa

IN PTR

Response

50.134.221.88.in-addr.arpa

IN PTR

a88-221-134-50deploystaticakamaitechnologiescom
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR

Response

191.178.17.96.in-addr.arpa

IN PTR

a96-17-178-191deploystaticakamaitechnologiescom
DNS

191.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

191.178.17.96.in-addr.arpa

IN PTR

Response

191.178.17.96.in-addr.arpa

IN PTR

a96-17-178-191deploystaticakamaitechnologiescom
DNS

91.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.65.42.20.in-addr.arpa

IN PTR

Response
DNS

91.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.65.42.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301514_11TXO42RPUE9AOYNQ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

137.9kB
3.9MB
2806
2802

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301155_1GGY831Y9L2UBT9JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301060_1R4MHRP0LUJX09GMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301564_1NPXYTFO6Z76HH02K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301081_14MOG3T9LL16YF9W6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301493_1LBG6KMWNFIA52WWP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301514_11TXO42RPUE9AOYNQ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

132 B
90 B
2
1

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

140.32.126.40.in-addr.arpa

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

219 B
147 B
3
1

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

213 B
135 B
3
1

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

219 B
147 B
3
1

DNS Request

104.219.191.52.in-addr.arpa

DNS Request

104.219.191.52.in-addr.arpa

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

241.154.82.20.in-addr.arpa

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

100.5.17.2.in-addr.arpa

dns

138 B
131 B
2
1

DNS Request

100.5.17.2.in-addr.arpa

DNS Request

100.5.17.2.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

173.178.17.96.in-addr.arpa

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

24.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

24.134.221.88.in-addr.arpa
8.8.8.8:53

210.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

210.135.221.88.in-addr.arpa
8.8.8.8:53

202.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

202.178.17.96.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

58.99.105.20.in-addr.arpa

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

196.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

196.178.17.96.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
346 B
2
2

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

142 B
314 B
2
2

DNS Request

55.36.223.20.in-addr.arpa

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

28.160.77.104.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

28.160.77.104.in-addr.arpa

DNS Request

28.160.77.104.in-addr.arpa
8.8.8.8:53

204.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

204.178.17.96.in-addr.arpa

DNS Request

204.178.17.96.in-addr.arpa
8.8.8.8:53

50.134.221.88.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

50.134.221.88.in-addr.arpa

DNS Request

50.134.221.88.in-addr.arpa
8.8.8.8:53

191.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

191.178.17.96.in-addr.arpa

DNS Request

191.178.17.96.in-addr.arpa
8.8.8.8:53

91.65.42.20.in-addr.arpa

dns

140 B
312 B
2
2

DNS Request

91.65.42.20.in-addr.arpa

DNS Request

91.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe

Filesize
180KB

MD5
efe1b0f061bcaab8be5a40b94794806c

SHA1
a800386437940256ff347fae242d544d6004f2b2

SHA256
ccfdb3b7ae720a180adc92bb5129c67b6f731852409b95dedb7eff1483041d2d

SHA512
05012c736a0cb8c6948c7ae55c0585d2125c388ab50280df805aaf483a77475d539b6923279032633b6da8685b63c4b41a21c4dcf9a6ff0f58c2541fa136b408

Download Submit
C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe

Filesize
180KB

MD5
f3d4b38575b8a3bb19125f9b071a67be

SHA1
b36d2a36bd1bfd1878d44d2e5c6b7c431b6e67e2

SHA256
88045c4432b4fa6967a851d97b35eae9e706edbd1cdd203d97de27defad35957

SHA512
a695f12fe3399a9a24b5832060aacf724ff33682a6513f3e814355ea930992cd8cd393807b3f1ee34201203e3ab832d72909a9d73b19e91114acc9ceacacd27a

Download Submit
C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe

Filesize
180KB

MD5
bbdc7aa551238e1949f28b4864701f0b

SHA1
d83d012703f6c3f21188ae6eeb4c7f92ddd1545c

SHA256
e5a3fc0767b79950c78fa31b6a90a67ab5f57900c0f81fd050b6ab402a839e6c

SHA512
baad9de7452fd0a86cf87e673cfe72fe2ddb28b00889b8e23faa0ea79bdd7b10aa62c153c0fac2e0a9a3af436db363960fb1446c61215dcad807c31c5a680e42

Download Submit
C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe

Filesize
50KB

MD5
6c17d24497eecf9a8a3c49924fcccc32

SHA1
ae98dd006c1db54ee30ef2cf306bca6ea62ef595

SHA256
93a1d586d71afb9b1b5597c7435fb97f95591adade4e2343c607070093374819

SHA512
049634d70938cd503b6467cd9094b2c1065d2f6ee2c955794b94f78518e31e611d778604e2249d4aeb109706472c7c73de477b676153d26caedd77663ff44e71

Download Submit
C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe

Filesize
76KB

MD5
47f0046362df05e50050f9a1d8d6ec73

SHA1
5143335dda2aa4d2ebc8787747a1377ff85df95f

SHA256
6e6cc59c56c7df3e8c50867e5058225b80da3551e4352a416270b18dd3501675

SHA512
c1de8b43d5d68e540a61e5e35b23bf2b94223144fc9c12ecb7c4bd5593014a8cfed8844082ad75c60dc7edd6bfc7feabce6602c593b9e14821a59283151e6bcf

Download Submit
C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe

Filesize
79KB

MD5
151bd51414080f20132e457d2f2bc6d9

SHA1
a3d398287be1646afac2d80ac299b6530719b26f

SHA256
e0bc5868a55ad61297c49b069a971326807b25be5bee8728dfd15c9192ebd4c3

SHA512
8279d1563edd3d0a12b99f359b67e5e4e8c8c7b76e37580ed6ff4561c2b9d3e5b367010c7cfbed234611d02e492837d321faceedcffa014224714fac98279c55

Download Submit
C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe

Filesize
122KB

MD5
8af89a0dbc081ae9f4664bb3b8d87f11

SHA1
8c454be53ff27ff1123c85f6d01b2c1a7091dd46

SHA256
f85e946e3121806f403804bd43ed9c39162a97a95c84ccceece146a115326efa

SHA512
fffdefc60325a53d824f13bad870a6a70f375d61b3b862ead04f0a2b1c80ea5cc5f8b19839769a9d2d0e13a40e43d11462dd9b0256859c3b39db8271994b5352

Download Submit
C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe

Filesize
180KB

MD5
78feba3b0aa616f92deb86dd7b72a6bb

SHA1
cb8884f560e95694fdf3e6a903f4df32e42a8c27

SHA256
8c95169a54d9aae6f46e2abec159ac195c08068adfdb593d9b0a19a8f7655731

SHA512
c6b7007859d5b90e376b24481d4f559439d4c08f4e4198d0f65610d910c8b0625fa1dcc8b0a82ad23632f2789aa28de0fa9ddaf9bb18ae3b01f1f87c91e99b6a

Download Submit
C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe

Filesize
27KB

MD5
dd6309a73fc5ff9016456083fda42736

SHA1
901d29243324f3976463a8cc438038ea58c72e07

SHA256
86e9f3bbe7da6586a45b27f02f64e0d3e658e4feedce04545150fbe8616d2462

SHA512
bca87176cdc552545d45da9e8040a19f7d4a94582e1c20c408b8737b0f5d90bf1396311932b910ddabe01f8d2d303e6fc952a65b16c4fe79feb6c503c392ab02

Download Submit
C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe

Filesize
20KB

MD5
2f51cda59b50790a8ae46077e60fc6ed

SHA1
cbc14f66b8ac6e71dd6c4f3142ed83f1608ed5a8

SHA256
ad334b8927d0c2c923e83f2a36cafa9f618ea09bddc2be0b59a636851fa8f285

SHA512
1e8dae6d3c56ac8cb69eecd1899961f3a2dcaa775883793ba18d65a22252b188bc97ad7cc96aac91814e658796296f7b1875f41e1ddbe51eb9c165cf7e4a7f12

Download Submit
C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe

Filesize
180KB

MD5
73c730682ad3a648e4194e7a2abce090

SHA1
2e4412098c0838bd56e47b93c732f2cc673e7ae3

SHA256
20de5e371a4ea59d66832d9b0175c725a082702a38fc5cfd3ce873247c27b5e0

SHA512
a50a17c81efc086a8357a513d9bae7dcda47ba42b565d890622ccfb501289721583333f0e97fe0c17bc0c14d7b7b31fc2ce560db677e112ddbedd42e4518d9f0

Download Submit
C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe

Filesize
177KB

MD5
2faaa0ba226dbe1d6b2f981131cc908e

SHA1
e74b5eec63d89a871cf3a4ed1cab2b98de9e6dc6

SHA256
a2ab0bc8a942a4ea14df2da705170b97ce1e842ebc183e259442e0f01843d88f

SHA512
ed2a1ffb737480dbf1b88608ec0a65307498829199708502ce8e446fd121ce8fee09164fbb9e12b64c2d7c35af80c7bd097c1c235147a3622f59f12b7c5921ea

Download Submit
C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe

Filesize
180KB

MD5
5b3744f2221d3ecf5a58fab1c8ed10ef

SHA1
9ae1cde4deb4c54655ce6e2a6e08dbc98b247c09

SHA256
bd0aa00a5acd0dd50c4cb88e65e6a7aca260814bf44e5492d70ccecf1f7dab5a

SHA512
be932cc522340a757eea936c83ce803db663bf4d3d2744b8850c937b3719dd4b0aa2b8a5bcbff8680715092c3f204d6278c0e7bbe2adbaedc710dc73bc77055a

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
174KB

MD5
a283cea5a60057526de255bd1a86202d

SHA1
69735e13d7e0e4679929877de35c12e23cb7afe2

SHA256
61cb2856ab311e99dbc1f81b1502373c11b49b4b15588023df404d03424214e8

SHA512
24fb6d2a9a6785c56e6ab20ff14ec9b1388ec4a64c690ce663bc0179b802e00ea351cc4cb70a6cf31bb982b96b4fa8439bba93a1d822e705e84cc5da76431c44

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
64KB

MD5
ae075957f46952c33c9fb8440424edd6

SHA1
765118e7727b0547bcf5a1017b8e42335e91b9b6

SHA256
cc655139a24afc95dbef36db24b0fd398535d9ab20499df773eb56ceee67afae

SHA512
666c508ef7cbd804855fba985a16dccebe1c137b89c0986f0a774a6ee8ce49523b8d2924b34bbe810843381c08b589821ab4f1e9b37201bb99cbdfde27503624

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
180KB

MD5
07173987ceef1bbc82138c329be0b2d9

SHA1
55831f248982fe1a9cf6c75ea0ab3c4ffaf8dda7

SHA256
03ca1491380c0179fa7d8957979e9ef74aeef311d3212f2a5b809db51d5dd659

SHA512
ccafca1329a56545b0e0464c7c0308513e3ab1c2a9a6dd9f0c017e26eafdc95096ee81c6088ec7b326b16a651beb3286ee112a9f13ed260064a9d1540c99aa40

Download Submit
C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe

Filesize
180KB

MD5
faebd5fe9996644feda600da63b3c8da

SHA1
8518f0d8426edfdf28fabbbef9687eb74873cd0d

SHA256
68b97b3385f2c3966e26265ad60035872456d0082a94c367fa73655f4bb93164

SHA512
391c51dd089720fd3d5e0a424225abb5c76c7847d93c893943c9b7b2f30051e0519594b165a60c784a455629973e174137fb79b133f50742480b8952e4b778a5

Download Submit
C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe

Filesize
180KB

MD5
e226b5415c479c0564d834c124090e3e

SHA1
bc9eab827f9c7b19406963096c121d61241b0b75

SHA256
9021b7231aa42b5c7969170cc8b742b376e0744df8553dc064846b2914042118

SHA512
39cd9ff9089b3d53e9bf096da6a5c3da8f65aef3e246fe98dc156bd78d650eeab3fbc6261a723e06c1de06a3f7cec708dccc0165055d68ba2c02000d47cca5c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.