e807ecbbdcdfe1f3c52fd4cd592d89f588a0e43a62c73eaef8573064bdeb7cc4

Analysis

max time kernel
92s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 15:57 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe
Size

253KB
MD5

98dff2f3020124495ad3c72a90bc6b08
SHA1

b50dc38bf4aa7d152264e9639f8ba83d83bfc5d0
SHA256

e807ecbbdcdfe1f3c52fd4cd592d89f588a0e43a62c73eaef8573064bdeb7cc4
SHA512

437e3450f276c3269a34a6ca95c38bb938c65505e6213f542944098117d380630b9cbb3545a8c7cb2f97d65dae4f02aa6859389b2cd3dec25d747b78a82ca976
SSDEEP

6144:h1OgDPdkBAFZWjadD4s57h4lw+TBy5uNu1GYLO3H:h1OgLdaO7hiFA5ZOX

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000240f9-69.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3744	519a4db757115.exe

Loads dropped DLL 3 IoCs

pid	Process
3744	519a4db757115.exe
3744	519a4db757115.exe
3744	519a4db757115.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpiejghifolpihplgmmojelmeboeeoee\1\manifest.json	519a4db757115.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\ = "BroWse2soaave"	519a4db757115.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\NoExplorer = "1"	519a4db757115.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000240f9-69.dat	upx
behavioral2/memory/3744-72-0x0000000074170000-0x000000007417A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	519a4db757115.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000240e2-30.dat	nsis_installer_1
behavioral2/files/0x00070000000240e2-30.dat	nsis_installer_2
behavioral2/files/0x00070000000240fd-98.dat	nsis_installer_1
behavioral2/files/0x00070000000240fd-98.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\ = "BroWse2soaave"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\InProcServer32\ = "C:\\ProgramData\\BroWse2soaave\\519a4db75714e.dll"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\BroWse2soaave\\519a4db75714e.tlb"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\InProcServer32\ThreadingModel = "Apartment"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\ProgID	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\ProgID\ = "BroWse2soaave.1"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\BroWse2soaave"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	519a4db757115.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}	519a4db757115.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7}\InProcServer32	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	519a4db757115.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	519a4db757115.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3744	5040	JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe	86
PID 5040 wrote to memory of 3744	5040	JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe	86
PID 5040 wrote to memory of 3744	5040	JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe	86

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	519a4db757115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{95A46B2B-97C0-EC63-B3A2-1E16EEA591F7} = "1"	519a4db757115.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98dff2f3020124495ad3c72a90bc6b08.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\519a4db757115.exe
  .\519a4db757115.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:3744

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357511424_1NSLXDV6EKAUQKBXT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239357511424_1NSLXDV6EKAUQKBXT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 880886
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F932A480722143A886D9E08ADFBBA43A Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301183_1Q7FZ9HQ4P9RCH5CO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301183_1Q7FZ9HQ4P9RCH5CO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 631209
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2510F0DFC33848148A3DCFC3178AC3D5 Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301592_19S8DNJJK87B8889G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301592_19S8DNJJK87B8889G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 706813
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 22AC8991DAE042FCBAA57104DCC43AA2 Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239357511422_1A7OTR6A4QA6G1DBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239357511422_1A7OTR6A4QA6G1DBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 855706
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3746327261F4C9A9A85072AC619DB07 Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 305259
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 469D062C67DE443CB046EBE362E185C1 Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 258855
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7AC7762D51D3434FA0906E940DFBC797 Ref B: LON04EDGE0819 Ref C: 2025-03-30T15:58:30Z
date: Sun, 30 Mar 2025 15:58:29 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.187.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sun, 30 Mar 2025 15:51:00 GMT
Expires: Sun, 30 Mar 2025 16:41:00 GMT
Age: 509
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

139.6kB
3.8MB
2724
2717

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357511424_1NSLXDV6EKAUQKBXT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301183_1Q7FZ9HQ4P9RCH5CO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301592_19S8DNJJK87B8889G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239357511422_1A7OTR6A4QA6G1DBD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
142.250.187.227:80

http://c.pki.goog/r/r1.crl

http

384 B
354 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BroWse2soaave\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\519a4db757115.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\519a4db75714e.dll

Filesize
109KB

MD5
0e39b69f32aafde9527e88beabef66af

SHA1
6c5f221b49ad2693d21ee0528fe6286a410d7517

SHA256
1c4ba81c723f896ae542e6e55e76cd1062c50b82505b50b91f7d756bae8ec607

SHA512
33ca5f5fe377bc0cbd35592445bf771dab1315a3fc34b73ce961f94db42b269c94ca1bf06f1c2434278f4872445363fdaa016ecf8b60c74fb00230e9961b9165

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\519a4db75714e.tlb

Filesize
18KB

MD5
5c4616e4ea60383a9900d27030cd7cd4

SHA1
ef116081b72c995e1240e2b381bdae3e21a1e2ff

SHA256
ff4cea2b1584b8e3f274afcc77fc3421dfea1dfef8c43c495449524bdacf1c6a

SHA512
740ffc33441c588624317a9d5b414380e826ff9a637a7260f3e5dec7e3615595e9874c7361a5cd4e08386419121e236155e8b4e81796eabd0eaa97b02aaf1e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\519a4db756eeb4.76426121.js

Filesize
4KB

MD5
ba05cd5853010a66f3e349673ad095da

SHA1
b6c845845c3f82f70f99aa801ef5c24d6bd3867b

SHA256
d00f4cd595db2e5c762a1507a272221c538d0aefe4a3c5f485899303afb56c29

SHA512
32973a9842b12533af7d5f313e8d27448bdabf2cf061d25ef57a91f2ed3d4f1a3993d0e99a293d547ccc271d687c14885448fce8ec58dcb72ae2b9b057b5a4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\background.html

Filesize
161B

MD5
c75ac76734dae084186598f05510b028

SHA1
31faee4240904b9da465dd3834a21b94afe30242

SHA256
93b5c9f5b99ee97a8a5ca2bd55ff54852e47d22323fe60944bae1cc99c3bcfe3

SHA512
d5cf891a6cb5871aff5cff82610a2699311d632d8c9c53fdcaaeceb2ee0a0078cd6d3ede3cf8ad51c34a80fbcf64f941ed2f2075a3cbe7fa6f0424fccd8a69ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\manifest.json

Filesize
505B

MD5
28eff7f8d6fcaf311597be7aa55f89fc

SHA1
b4f3404c3109d72bacad4138ef3a81d70fb48db3

SHA256
9393ba4791d6ff691541a4f5e4c3e4d01d40f6d64bfea49ebc65fe6afe5543ee

SHA512
4e3334f233a6cb7d9970a3d72be83612cf43fe5a0992e5a5a5b52500c79d372e11d588f348146d6a7fd5f58355b62ae89426a6bbddd7e55fb3c300aee21d677a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\kpiejghifolpihplgmmojelmeboeeoee\sqlite.js

Filesize
1KB

MD5
91c27ff9375e5881c1aa96fb09f9c4de

SHA1
cc94e11f1d42dc6749007faf4dc85c7a6b870f8e

SHA256
ece040a419ec19f8f3325c0734365804e9b77d78b1053c9373bb854239db388e

SHA512
151f8a6656972409f5f4b2e6d6ad3d917ebe9bed7af686aa8c1d5b1b912c7731f073b3d3c1bc2318b78915e4c8c06b8578d6da87c2bc57005c92247d9c345303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\settings.ini

Filesize
7KB

MD5
1d146e3541e01417a03c3b9d9b2bb0fd

SHA1
3caf42fa6eb390e5eb1b0663ea4dec0aedf95afe

SHA256
7cd342ca3c1138e25ac0d7a62647218e89ae0f09d352f18c29c7242df4ce4a1e

SHA512
ba49bd05c6e3def9c968c041fcdad6df56b049c58e993d65e0c6a979b2a06552fd764921de9c17345e2530c3a5d3675d08f156533b3b715a4187dc176b45bbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\xzph-w@fxlvoyeat.org\bootstrap.js

Filesize
2KB

MD5
f9808f369fcb780ee09742ac3135e0f5

SHA1
17cd77bff4ede988a86b007e91478f188712f30a

SHA256
165c7b61d0130026d93e9b3f660ea05f52ccf6d82df7d1a4f466b765955651fb

SHA512
38514ef5ee2fda075a7a9e0e223d8282dd6c35aa52b7b38167d1a26dc755d0e6221b9ffc9fe428031314fb395e17946b814f4c3da8474bce5ed662cf10887126

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\xzph-w@fxlvoyeat.org\chrome.manifest

Filesize
116B

MD5
648346d79dcc93c3c53a32d1554573a3

SHA1
0318339f999fd1a8aedc318fdac957a27248bbbe

SHA256
e648110b511aab189344bf89342fd6566c6a1a05361b7326e83c558a1b0cc815

SHA512
42f32cfb1ce1120afa0c72d5f63fb2c242768dea9bafce3e8a96214060dfc8438fc865bf286edaf4f03a5156ae5cc9d7706b9cbc9f24c26fb2d7aeb88d37d9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\xzph-w@fxlvoyeat.org\content\bg.js

Filesize
8KB

MD5
66b29f6819977da45772d78e017b0c64

SHA1
74dab1f046e4f822a7362ba6014e33843b7261f8

SHA256
ec2447ea78750d9fc57d7590f5d66326902a38fde35008671542b8daf1d8e8b6

SHA512
15bb350ecbb5a1138b40318d9f2650b9d69546c9df655a445a356f25ac8a414d4330d692b31455b315489d7be1f67fe69d2fad8eb3c8777c7085fbe6477d26ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9318.tmp\xzph-w@fxlvoyeat.org\install.rdf

Filesize
607B

MD5
a84e9cb68f775cb9218af26098fb4293

SHA1
30bd4801852eecfe8eb2f0f23eb05f155c2afdee

SHA256
9cd1dae2b232d9225a6cadb0614217c443463810a3b03d161913955d311730dc

SHA512
16e7a18a79788ed81b7ea67a7e0eff7ad8fbdb7a0dc3ae4c48f31058574d758647919cb49d3e438371ac2fed7a91ac0fbb3fbe35d922103dbcfcc7e064a1ba33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9413.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9413.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/3744-72-0x0000000074170000-0x000000007417A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.