6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c

Analysis

max time kernel
151s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 11:54 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Size

408KB
MD5

f505d3e7ca60e7462c7bebb3cc2e217f
SHA1

f99e476cf714ac9b066fee8da25859f44bbf85b7
SHA256

6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c
SHA512

9a0cda05ef092b71ef583e0630606ff19e7515782f0ff1997db1a360ccad964111add0d946c27bf95aff9992128e0fbf578533a60461dd298c7236a8d2b3873c
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023258-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023264-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023119-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023119-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002326b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023119-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d0c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d09-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d0c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}\stubpath = "C:\\Windows\\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe"	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{593C204C-C5F6-49d1-83CC-07384BFE83FB}	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DAC629-13A2-4c37-A6B6-C45491950DF3}	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E114C2-2965-4f45-85ED-5741AE2C0173}\stubpath = "C:\\Windows\\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe"	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D725C91B-7C59-4128-BA04-59181A2C5CA2}	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D725C91B-7C59-4128-BA04-59181A2C5CA2}\stubpath = "C:\\Windows\\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe"	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D346106-5EE9-46ea-887D-129F74815BA6}\stubpath = "C:\\Windows\\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe"	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}\stubpath = "C:\\Windows\\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe"	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{593C204C-C5F6-49d1-83CC-07384BFE83FB}\stubpath = "C:\\Windows\\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe"	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D346106-5EE9-46ea-887D-129F74815BA6}	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}\stubpath = "C:\\Windows\\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe"	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}\stubpath = "C:\\Windows\\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe"	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DAC629-13A2-4c37-A6B6-C45491950DF3}\stubpath = "C:\\Windows\\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe"	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}\stubpath = "C:\\Windows\\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe"	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E114C2-2965-4f45-85ED-5741AE2C0173}	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}\stubpath = "C:\\Windows\\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe"	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}\stubpath = "C:\\Windows\\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe"	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
1684	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
1456	{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
File created	C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
File created	C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
File created	C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
File created	C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
File created	C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
File created	C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
File created	C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
File created	C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
File created	C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
File created	C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
File created	C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Token: SeIncBasePriorityPrivilege	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Token: SeIncBasePriorityPrivilege	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Token: SeIncBasePriorityPrivilege	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Token: SeIncBasePriorityPrivilege	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Token: SeIncBasePriorityPrivilege	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Token: SeIncBasePriorityPrivilege	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Token: SeIncBasePriorityPrivilege	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Token: SeIncBasePriorityPrivilege	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Token: SeIncBasePriorityPrivilege	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Token: SeIncBasePriorityPrivilege	1684	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 3956	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	139

C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
  C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
    C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
      C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
        
        C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
        
        C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
        
        C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
        
        C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
        
        C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
        
        C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
        
        C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
        
        C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe
        
        C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D923~1.EXE > nul
        13⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE00~1.EXE > nul
        12⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C1AD~1.EXE > nul
        11⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D346~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D725C~1.EXE > nul
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{593C2~1.EXE > nul
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E49C7~1.EXE > nul
        7⤵
        
        PID:1352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96E11~1.EXE > nul
        6⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA5C~1.EXE > nul
        5⤵
        
        PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B7AD~1.EXE > nul
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{45DAC~1.EXE > nul
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4736

Network

DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3741514EA462662E22314573A5826747; domain=.bing.com; expires=Thu, 03-Apr-2025 11:54:30 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6F68A0E5EEDC4C1B85A32C2FF02F3BDD Ref B: LON04EDGE1105 Ref C: 2024-03-09T11:54:30Z
date: Sat, 09 Mar 2024 11:54:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3741514EA462662E22314573A5826747

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=eThk71buKGfuZjaFP0AYZCs7pR0aFKUBGb9O07vUguU; domain=.bing.com; expires=Thu, 03-Apr-2025 11:54:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A552DC8E2A934539A1AA124A8E197795 Ref B: LON04EDGE1105 Ref C: 2024-03-09T11:54:30Z
date: Sat, 09 Mar 2024 11:54:30 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3741514EA462662E22314573A5826747; MSPTC=eThk71buKGfuZjaFP0AYZCs7pR0aFKUBGb9O07vUguU

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3B14945585074AA89E3F5F6D25A726EC Ref B: LON04EDGE1105 Ref C: 2024-03-09T11:54:30Z
date: Sat, 09 Mar 2024 11:54:30 GMT
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

175.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

175.178.17.96.in-addr.arpa

IN PTR

Response

175.178.17.96.in-addr.arpa

IN PTR

a96-17-178-175deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 313621
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7A4948EC373D425B93C994A60829E6D8 Ref B: LON04EDGE1217 Ref C: 2024-03-09T11:56:12Z
date: Sat, 09 Mar 2024 11:56:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 342941
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C7BAE5DC39D7473CA122F17BFF03D629 Ref B: LON04EDGE1217 Ref C: 2024-03-09T11:56:12Z
date: Sat, 09 Mar 2024 11:56:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 431671
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1F00B1EBCFEC4752806BA34E172A6B31 Ref B: LON04EDGE1217 Ref C: 2024-03-09T11:56:12Z
date: Sat, 09 Mar 2024 11:56:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 369915
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BF6789EF4C7A4D61815B357E956E6BEF Ref B: LON04EDGE1217 Ref C: 2024-03-09T11:56:12Z
date: Sat, 09 Mar 2024 11:56:11 GMT

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

HTTP Response

204
216.58.201.106:443

46 B
40 B
1
1
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
13
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&w=1080&h=1920&c=4

tls, http2

57.9kB
1.5MB
1119
1115

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418540_1UQTKN6JO04LNXB5Q&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418539_1KFG8UNZE5MUR2Y24&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

175.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

175.178.17.96.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Filesize
408KB

MD5
e84caee5874bd104e6a4ccc1dad4d229

SHA1
a8afb8d209d2cb32b67cc7dc624b7f1aebcda601

SHA256
a73c4e3aaf531c99936be21fe949df0e21fe57741afd6114d033be3a96f21c86

SHA512
acb1c49b7fb25787c70a69d3191d8048783bddc84e9cb7f82835fcfb1f237f418aacab74cc222c65ebe90fed97a624101fe18dfbeb30c233cb593745ee991af9

Download Submit
C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe

Filesize
408KB

MD5
de641b397cec687c0c00e5f74d8cde1e

SHA1
1ff36cb861caaf5629fd36ef4d83535cee5c699b

SHA256
596245ebdad1e900c9819bd90b17378628a9a11332564121b01c83bdd5cd9187

SHA512
5423490fa0a2f5a6e16e96a5ffc0d8b0c492b542f48435ec52e8759adff66dfff32019944b8adfa3c88043cd6d72657d36d7e581827157f67c7924506e6130fe

Download Submit
C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe

Filesize
408KB

MD5
8863acffb19e9134cfa97ac122a30ed6

SHA1
42bfc8e08f55137e476b8a722f09eeb84d548d0c

SHA256
becdb2fea5cebb610eadc3eb386298be6dceb10c49adca33751b1cb003d06d63

SHA512
940ad2c8e124f226f8b5f1e9a0b10b8e17ebbd65dfec22d303063b21cbb26d6e927140900381d75ec44f7bcfed2f48a1421f76a94193894b84792d369497d7f5

Download Submit
C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe

Filesize
408KB

MD5
2c691bbeb8d30e6b6de68667ff753b22

SHA1
739aa18b660cd989feef2110887d28403051b23a

SHA256
5cf50622668b7c8f4f6202297ff3d5046a105406293019842c88ecacef9954fb

SHA512
ed79f26aa13c37295fe07bce9ee60cd91c6e58f9cd085e8bc0109ffc41e3566e1e6e83d9ce974f0bdd407f29b3b908fd65bcc9684ffd84e868911c3050204f29

Download Submit
C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe

Filesize
408KB

MD5
fc8c59e2f2323eff2c5ca3ec746a72ad

SHA1
c85cc6f7bec9c739b3c155ec9b1ca163c1d9e114

SHA256
297323dfe68675bafdba95174cecba0f389d5d1c10ccb3b2de72d255600dc3db

SHA512
d8f179c77b84e5dbee855d1df879dbe215b66fbec102158205b00ed71a81d51c2aad177017d6d38ce896638fbc326cd0111fbb7fe5c82c606dd0511d2274f354

Download Submit
C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe

Filesize
408KB

MD5
1d7b06e29cb18cd00d6692cfcdd8c887

SHA1
b5df65f3a2d52cbc07ef760a9ca3540b304c518c

SHA256
9d7a90ea10ec9957c26249e8d00e155000738ada2037a375647ae2f07392ca7d

SHA512
6e702e73e63fa1d19408d6ce31ada6a1bdfad4fb9f355fc03e8bb101da77bec782fc0c667aff180ee7d490c0a4ee5f26fe725c3f6f93d706d9ad1ac471a50464

Download Submit
C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe

Filesize
408KB

MD5
9adde507cd431b021a6de1e592a70c22

SHA1
59f36e22ad888cd31bbc7c6f73ac52310d1e278a

SHA256
ab3c9b8995cc987f92a42ac446b139c96b1212824ceaf0e3b301d1eec7693fbf

SHA512
37e8df0ba0d0665ec04adaca8f65eb9789ff983e691ec3b60bbae97094ddfd63e79fbd6dfa557dc18597aedb9002dbaa71d4b3d836e7697b290e4ec3244ed643

Download Submit
C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe

Filesize
408KB

MD5
68706bf07f98926de08840013074c2e2

SHA1
f748d84ca40fb95518ab9a8ad64644ed770f6911

SHA256
2b36be5770846346d6638e69fd4184c5723b50143832c992071fdb08beaa4243

SHA512
bcbe221b9751302c8c91ab723d0aeed69ffab9c8c8909590eaa30a6085ddf8600595007b92ec9ea645e42fa20c04d1efa4289833776b7e4baa17ffd55f2b8d84

Download Submit
C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe

Filesize
408KB

MD5
964fb47b721a19c98d48cb615f0a7664

SHA1
399dd6e91da94a9611ff0f2c5b2ac394c67853bb

SHA256
0f99f97ce1d405965496dd34b1c49f2c3b9308879d864e8284cc3399aabdbb5b

SHA512
4919b9f8cc833568abf0765ce89927a7c85e52bc16ed602e683052d3d36170b7ec6eff13aa8c53057069fbbfc7395797ac2ac385e1fb1bad05e9282ed8d3e4b7

Download Submit
C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe

Filesize
408KB

MD5
3361db5ef1fcc70095167b7857f88306

SHA1
2b4871b0e5862647e1ee37d565b68d9805c380ec

SHA256
0efbd38e2aca27b6972d4b91a7757cfb7fa528a9f41182071664b11a7fa1d6a0

SHA512
703124b06b1d50636874b64e97e95f2b9b64492bdd0463532a28f1339399542937b8a14bc4ac921a0d0ce9ce291188c599bf05c0cdc2c461e3e8b58ec842437c

Download Submit
C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe

Filesize
408KB

MD5
f41c672f944ee00d5ca3972c297ba91f

SHA1
f63309fe1ef7511fe928021f60fbbb3b3b934b9f

SHA256
1ab400edb8757711c21619b6233baf7985f2a9c69e91b4937936edac2cce8fec

SHA512
e9bd58a003e6bc1fc11c74e440eca51a039b4350edb6f915f60440dff9fe9bcb4f9942a7e9642b329625e40a168d3e4c6227b2ea49681ec94adc54a15eced15e

Download Submit
C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe

Filesize
408KB

MD5
b56ddf7167eaffde947276095bb880d8

SHA1
019fc2b3acee9f76cba54d0fb6a339802ef582cb

SHA256
3f443d12f5d2c1556a80263cb274f5887312434cea8ad63f2f2901d8670ceb0a

SHA512
c7b58d80ea55bac2c626f1895b1413d70d14ab05a80a1cda4ae089e69de18d45148072742dc2a610ab118097bdb75a8adb1a2aabc8123303226c7e1bbdae3d37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.