851070a5c4a4cb16c827ecf3d150b37310c179a7c1aa4a00a29754d681f42ff2

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 16:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Size

168KB
MD5

c15ab7665b97b54ddc99d4b3bcf4506d
SHA1

eb560423542bdfa6ab5aad079014f124adaa0ad2
SHA256

851070a5c4a4cb16c827ecf3d150b37310c179a7c1aa4a00a29754d681f42ff2
SHA512

c55e6312657c1dbcb9984f8cfd0014c9e09b528a55d81013d066f8354af39e4a2596b27642d0cf08dea3a425d5f21d7fa437282c5868e37db21a5e2202a94ce0
SSDEEP

1536:1EGh0o9li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023425-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023433-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023425-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023433-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023425-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023433-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023452-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001c000000016292-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023365-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001d000000016292-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022aa3-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E578649C-C582-4735-A349-9FD0B0D93612}\stubpath = "C:\\Windows\\{E578649C-C582-4735-A349-9FD0B0D93612}.exe"	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E903DE0D-DED8-4838-933E-E92F8C9749DC}	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62296D5C-4E7D-42dd-B8F0-757AFF405643}\stubpath = "C:\\Windows\\{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe"	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}\stubpath = "C:\\Windows\\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe"	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635B7529-17B2-44af-92EB-34AEFAB350BD}\stubpath = "C:\\Windows\\{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe"	{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E578649C-C582-4735-A349-9FD0B0D93612}	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02B3D3C-0728-42df-9785-0A49124E34AC}	{E578649C-C582-4735-A349-9FD0B0D93612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C02B3D3C-0728-42df-9785-0A49124E34AC}\stubpath = "C:\\Windows\\{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe"	{E578649C-C582-4735-A349-9FD0B0D93612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027A7B5F-BB25-400f-A878-BF6EC90297DC}	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9843F0-2AF6-4d13-94B3-12101F31039C}	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6714A1E2-D983-4c83-A383-3FAB026539D2}	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027A7B5F-BB25-400f-A878-BF6EC90297DC}\stubpath = "C:\\Windows\\{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe"	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E903DE0D-DED8-4838-933E-E92F8C9749DC}\stubpath = "C:\\Windows\\{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe"	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}\stubpath = "C:\\Windows\\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe"	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62296D5C-4E7D-42dd-B8F0-757AFF405643}	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}\stubpath = "C:\\Windows\\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe"	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{635B7529-17B2-44af-92EB-34AEFAB350BD}	{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B9843F0-2AF6-4d13-94B3-12101F31039C}\stubpath = "C:\\Windows\\{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe"	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}\stubpath = "C:\\Windows\\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe"	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6714A1E2-D983-4c83-A383-3FAB026539D2}\stubpath = "C:\\Windows\\{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe"	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe

Executes dropped EXE 12 IoCs

pid	Process
3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe
2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe
5088	{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
2204	{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
File created	C:\Windows\{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	{E578649C-C582-4735-A349-9FD0B0D93612}.exe
File created	C:\Windows\{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
File created	C:\Windows\{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
File created	C:\Windows\{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
File created	C:\Windows\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
File created	C:\Windows\{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe	{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
File created	C:\Windows\{E578649C-C582-4735-A349-9FD0B0D93612}.exe	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
File created	C:\Windows\{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
File created	C:\Windows\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
File created	C:\Windows\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
File created	C:\Windows\{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe
Token: SeIncBasePriorityPrivilege	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
Token: SeIncBasePriorityPrivilege	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
Token: SeIncBasePriorityPrivilege	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
Token: SeIncBasePriorityPrivilege	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
Token: SeIncBasePriorityPrivilege	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
Token: SeIncBasePriorityPrivilege	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
Token: SeIncBasePriorityPrivilege	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
Token: SeIncBasePriorityPrivilege	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
Token: SeIncBasePriorityPrivilege	3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe
Token: SeIncBasePriorityPrivilege	5088	{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3824	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	91
PID 4452 wrote to memory of 3824	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	91
PID 4452 wrote to memory of 3824	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	91
PID 4452 wrote to memory of 3104	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	92
PID 4452 wrote to memory of 3104	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	92
PID 4452 wrote to memory of 3104	4452	2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe	92
PID 3824 wrote to memory of 2644	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	93
PID 3824 wrote to memory of 2644	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	93
PID 3824 wrote to memory of 2644	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	93
PID 3824 wrote to memory of 1264	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	94
PID 3824 wrote to memory of 1264	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	94
PID 3824 wrote to memory of 1264	3824	{E578649C-C582-4735-A349-9FD0B0D93612}.exe	94
PID 2644 wrote to memory of 4620	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	98
PID 2644 wrote to memory of 4620	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	98
PID 2644 wrote to memory of 4620	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	98
PID 2644 wrote to memory of 4828	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	99
PID 2644 wrote to memory of 4828	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	99
PID 2644 wrote to memory of 4828	2644	{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe	99
PID 4620 wrote to memory of 4964	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	100
PID 4620 wrote to memory of 4964	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	100
PID 4620 wrote to memory of 4964	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	100
PID 4620 wrote to memory of 3312	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	101
PID 4620 wrote to memory of 3312	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	101
PID 4620 wrote to memory of 3312	4620	{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe	101
PID 4964 wrote to memory of 2584	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	102
PID 4964 wrote to memory of 2584	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	102
PID 4964 wrote to memory of 2584	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	102
PID 4964 wrote to memory of 4792	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	103
PID 4964 wrote to memory of 4792	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	103
PID 4964 wrote to memory of 4792	4964	{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe	103
PID 2584 wrote to memory of 4328	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	106
PID 2584 wrote to memory of 4328	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	106
PID 2584 wrote to memory of 4328	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	106
PID 2584 wrote to memory of 4320	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	107
PID 2584 wrote to memory of 4320	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	107
PID 2584 wrote to memory of 4320	2584	{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe	107
PID 4328 wrote to memory of 436	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	108
PID 4328 wrote to memory of 436	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	108
PID 4328 wrote to memory of 436	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	108
PID 4328 wrote to memory of 2232	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	109
PID 4328 wrote to memory of 2232	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	109
PID 4328 wrote to memory of 2232	4328	{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe	109
PID 436 wrote to memory of 896	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	113
PID 436 wrote to memory of 896	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	113
PID 436 wrote to memory of 896	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	113
PID 436 wrote to memory of 1596	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	114
PID 436 wrote to memory of 1596	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	114
PID 436 wrote to memory of 1596	436	{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe	114
PID 896 wrote to memory of 2004	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	119
PID 896 wrote to memory of 2004	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	119
PID 896 wrote to memory of 2004	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	119
PID 896 wrote to memory of 2840	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	120
PID 896 wrote to memory of 2840	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	120
PID 896 wrote to memory of 2840	896	{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe	120
PID 2004 wrote to memory of 3216	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	121
PID 2004 wrote to memory of 3216	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	121
PID 2004 wrote to memory of 3216	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	121
PID 2004 wrote to memory of 2676	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	122
PID 2004 wrote to memory of 2676	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	122
PID 2004 wrote to memory of 2676	2004	{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe	122
PID 3216 wrote to memory of 5088	3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe	123
PID 3216 wrote to memory of 5088	3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe	123
PID 3216 wrote to memory of 5088	3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe	123
PID 3216 wrote to memory of 3380	3216	{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_c15ab7665b97b54ddc99d4b3bcf4506d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\{E578649C-C582-4735-A349-9FD0B0D93612}.exe
  C:\Windows\{E578649C-C582-4735-A349-9FD0B0D93612}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
    C:\Windows\{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
      C:\Windows\{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
        
        C:\Windows\{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
        
        C:\Windows\{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
        
        C:\Windows\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
        
        C:\Windows\{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
        
        C:\Windows\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
        
        C:\Windows\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe
        
        C:\Windows\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
        
        C:\Windows\{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe
        
        C:\Windows\{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6714A~1.EXE > nul
        13⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC7A~1.EXE > nul
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D0F9~1.EXE > nul
        11⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{375A7~1.EXE > nul
        10⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62296~1.EXE > nul
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38A4B~1.EXE > nul
        8⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B984~1.EXE > nul
        7⤵
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E903D~1.EXE > nul
        6⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{027A7~1.EXE > nul
        5⤵
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C02B3~1.EXE > nul
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5786~1.EXE > nul
    3⤵
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3104

Network

DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=10C312D6C88364661EC106B0C9386571; domain=.bing.com; expires=Wed, 14-May-2025 16:57:28 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7EA171D531734A7986C2011EB90947CF Ref B: LON04EDGE0810 Ref C: 2024-04-19T16:57:28Z
date: Fri, 19 Apr 2024 16:57:28 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=10C312D6C88364661EC106B0C9386571

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=6n3n8gAcK4f1ff-vvjxkTsTzj1n9MZuU8OxS_YAqSyo; domain=.bing.com; expires=Wed, 14-May-2025 16:57:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C28C7451E81F4D70B513BB0A1E7150C5 Ref B: LON04EDGE0810 Ref C: 2024-04-19T16:57:29Z
date: Fri, 19 Apr 2024 16:57:28 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=10C312D6C88364661EC106B0C9386571; MSPTC=6n3n8gAcK4f1ff-vvjxkTsTzj1n9MZuU8OxS_YAqSyo

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FE1FD73D545D40DFAF72FFC50ECD681B Ref B: LON04EDGE0810 Ref C: 2024-04-19T16:57:29Z
date: Fri, 19 Apr 2024 16:57:28 GMT
DNS

99.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.58.20.217.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

21.114.53.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.114.53.23.in-addr.arpa

IN PTR

Response

21.114.53.23.in-addr.arpa

IN PTR

a23-53-114-21deploystaticakamaitechnologiescom
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

107.211.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.211.222.173.in-addr.arpa

IN PTR

Response

107.211.222.173.in-addr.arpa

IN PTR

a173-222-211-107deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

101.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.58.20.217.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C2158BE3AF54B0F96B80F7D3F96978F Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:06Z
date: Fri, 19 Apr 2024 16:59:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10A5E9E9F0C0463D96D7BF74B1F2DFF6 Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:06Z
date: Fri, 19 Apr 2024 16:59:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 33549D4260814140AD14B0732F59FA07 Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:06Z
date: Fri, 19 Apr 2024 16:59:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DE5BE2DDCB1C401B9493A69DE2093ADB Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:06Z
date: Fri, 19 Apr 2024 16:59:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 415458
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E6F23D4EE4A44E209E0CEFEBFFA5C7C1 Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:06Z
date: Fri, 19 Apr 2024 16:59:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 430689
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10C2EAA45790414188CEB34629FD66F5 Ref B: LON04EDGE0906 Ref C: 2024-04-19T16:59:07Z
date: Fri, 19 Apr 2024 16:59:06 GMT
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

tls, http2

2.0kB
9.2kB
22
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91e8022f18ca4812a00abfcd71072e69&localId=w:FEA8F19F-01BE-DA76-49B1-72C0C15A5E1B&deviceId=6825832441142904&anid=

HTTP Response

204
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

128.4kB
3.7MB
2668
2663

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

99.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

99.58.20.217.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

21.114.53.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

21.114.53.23.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

107.211.222.173.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

107.211.222.173.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa
8.8.8.8:53

101.58.20.217.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

101.58.20.217.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{027A7B5F-BB25-400f-A878-BF6EC90297DC}.exe

Filesize
168KB

MD5
0b338f6b0ae8287d996034cbfb245a2f

SHA1
fd46d386867ff3cffe5d2d1b3815146caf8b45bf

SHA256
37cc704b55cc370e9374868aba3ca439502015f68c25062b80e6c829fc453c94

SHA512
f0b4f230e58d78a1b3ce2af7e269aecd8146043706ea9d182dd20b1049d168cbe2b248948cea3be231f8359c10ac62bf79395524acd6d1d1332b5546845736d4

Download Submit
C:\Windows\{2D0F93E4-FE55-4c4d-8B4E-EEABDAAF3788}.exe

Filesize
168KB

MD5
080ec4c5ea2e6f3a9e9b8b2e49ef91e7

SHA1
89abf08ce0721610e7fd58762a9c868802f731d3

SHA256
67959c94ce2782d68dc52d6e564305b623ab6d1d2efc8a8264b161dadab9a380

SHA512
0c9472cf44d07e19763ea491c977f229dba5dc85528e30a4b3bb0a2bb8b59bc7562e1c5563f7c9d609affe58efe59bf9a7c2fa05333c6d13708b8a56f79133b4

Download Submit
C:\Windows\{375A7EB0-7428-41cf-865E-36F1E8E3C2FA}.exe

Filesize
168KB

MD5
8f5055442b074c68476921353ba24990

SHA1
0f1b7304872f2a87544991b1f3408a268e944e0c

SHA256
dc0fc7b3d7932195c22fd78b5cc9cbcac5b4ee228a5d01496e56f4ffcc838152

SHA512
1b9c75467f442b00ba1acd9fa8b55ded0b86c5fe290f6194fb29e56ea39f833adbb3fbe9331692fdd621b3a0bbe90458c52b7e650ede149ef49906089b99251c

Download Submit
C:\Windows\{38A4BCE2-F9FB-4076-ABC1-552AA47D664F}.exe

Filesize
168KB

MD5
ffd2001db5554364c36b72ca4c43382c

SHA1
f1e9f4930a913db7d7b3deea0b4c836d1a3c9d95

SHA256
94621be466a26315fd1f2a0fdc28766bb2dc5d9944fc3c8793561fb138166c27

SHA512
fa1a7ae6a38faac156fcb3be365d65d15faedebc42317dc70c6a25a92e5ed0006dd4b0a541dc38b734770869cea6d83e805dc337b640336bb1515069045342c2

Download Submit
C:\Windows\{62296D5C-4E7D-42dd-B8F0-757AFF405643}.exe

Filesize
168KB

MD5
2266b70860a050125f951eb7a9a659f3

SHA1
121003f52cfd36fc665ce948b3346dd801c696d4

SHA256
e6f92da49cb4a0512cd8ef321e2f4c1cdb2ec809aec0cec999470a1fb0bb69b6

SHA512
cd6acfded64ad361572f6366861726aab32a10e0bf7b7637f6cfb13f61dd3eb16da5ede1ec9b943674d7f937338956549aba2f2b1c67b1fb2d42f1c98dfca687

Download Submit
C:\Windows\{635B7529-17B2-44af-92EB-34AEFAB350BD}.exe

Filesize
168KB

MD5
9421458c7a29cd10f04503cdcc58b67e

SHA1
fd626c17487f663e5d812d854226c0547957b936

SHA256
9a4f08675a430d8a65f07412b2321d7a405d26e029558ff6bd51d5ec29a1db1e

SHA512
dd3fd1e19cd0eb7015e82e23c038f78c08690f3d1935ea64574b5de14c38244b85b39f0d92638491a0e99a64d0594805b1e6e55103ea8d47cdbaa920a0fb4771

Download Submit
C:\Windows\{6714A1E2-D983-4c83-A383-3FAB026539D2}.exe

Filesize
168KB

MD5
c6eca792274a5fe02e00c7de43fe6e00

SHA1
965e35bf7f4253605bf7ce75e3460795beed8cea

SHA256
22456845b7c567521e8d3b47d6919d1840a6fd06684f09b1707281cede4d0298

SHA512
4a3642c42f2d8a458ff292785a93b126051837630593889c0753b7ebaf37f8315798e2aad91cc358b200e40cef9f2aa47b2ae67897c5ae4f4f3962937ec4246f

Download Submit
C:\Windows\{6B9843F0-2AF6-4d13-94B3-12101F31039C}.exe

Filesize
168KB

MD5
124919a277c5120570818845c4af88bd

SHA1
71fcdcae9562d4b0041f0a04867781659673b4f6

SHA256
93e68abfa9df0d3baf5482407b2d77bad139a39145d71e129ab1e1e198e4a027

SHA512
a240fdd3e1f177cf977858ac390c30bba325c1a201ed64bdda8c98f7fe18dc6fb2b0b8af82820146c5899d521b4eedbe48c4433b775e449edfd1a3237f35cbe8

Download Submit
C:\Windows\{7DC7AA2E-EDF9-47f4-92A7-FBE311DC06B3}.exe

Filesize
168KB

MD5
51f1f1cadec0d8d80e0370c1f3dd70f5

SHA1
43c73d8c4104a188906a2b77b416182fde61ab1b

SHA256
596b84f96e779ab5841141706cf5dd0708e5e7549234251e15a8b1039c79ed4d

SHA512
85229972baa00531bd53d27cb6d913e2e120ebd9b3eb49502ee76a4083dc340b7441de38948749f539fa44db41d5f55ca534f2b0dd4bd8a30f753489bb0d498c

Download Submit
C:\Windows\{C02B3D3C-0728-42df-9785-0A49124E34AC}.exe

Filesize
168KB

MD5
3d383d145b4360ddabbc9a07cac38c3e

SHA1
1cc2d9bdd378e18a7ac817f7daa2e3b0b758a081

SHA256
3fd26e547a04fb3e6e0d92dd91287ef961062d4a1a0628149ac853d7091a5f9e

SHA512
9fa975c3036b84a7b0d021a35f94298a75f89bd9eaa20204834abb943b4d433c430353a4c85d6286a8506ee7ef5fe2c8a7d317186439e0fea9bf812f5c4be6a2

Download Submit
C:\Windows\{E578649C-C582-4735-A349-9FD0B0D93612}.exe

Filesize
168KB

MD5
4a0ee08f7b45fb4a50ed1f726752c8fc

SHA1
0c7ffae157b577ad7b43f6bb05e03fe1679ca274

SHA256
a558a5641a49fa08c316c15ad19cea12ff5809e04f1e7e9c808b8446ce89c101

SHA512
7dfdd0e84b4c823c6a3b9023c7f67294c26d0770a9e99b41481fec9a2b324362c4a74d7b22d6478a4fafe9ee5b90851acdd78873ca5d13c3252425b110fc4845

Download Submit
C:\Windows\{E903DE0D-DED8-4838-933E-E92F8C9749DC}.exe

Filesize
168KB

MD5
8ff57a48cda34b59781212bf1054108f

SHA1
815b18fa229c77adcb2437c18a9b60c1e17b3972

SHA256
1792d90ded1b00dec296460f70c1d0fdd6d694d3a6030738bbc3fb9f16221183

SHA512
ecbad6a46f6c8fed72aa0395d31709a46b166068a802749f97ca16976c8c89726614b8dba58da138e7c9467901f5e1ad92bb5af3a8a90af58ed13e2874230599

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.