b87dc9a0ce9064927bc30b356c7d650de45654c8e54bdc403c3e17bc6f9ef41d

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Size

2.0MB
MD5

3cbb25f5426880ae6db8af8f7582408f
SHA1

f9a8e0ce5453e4d182bdf4c69da2b31f0020bee9
SHA256

b87dc9a0ce9064927bc30b356c7d650de45654c8e54bdc403c3e17bc6f9ef41d
SHA512

1f2e6d63ee087bba13d21b20570939f741b0597bbf83739bc895202fc64321eaf32392db26b9a44d47653f1b1430178c8ea3dce5349321f7610b49985732522c
SSDEEP

49152:XHcqvrDoMJ1l6q8+W2OAQyuTmZkAQzSyguNE401eoNVoUrgoqU:XHcmrDpJWqBLY54uHInVd

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 23 IoCs

pid	Process
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4256	rundll32.exe
3164	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55a1f516-561e-46c7-b388-e5e1f1755f3b}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55a1f516-561e-46c7-b388-e5e1f1755f3b}\	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55a1f516-561e-46c7-b388-e5e1f1755f3b}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55a1f516-561e-46c7-b388-e5e1f1755f3b}\ = "power90"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55a1f516-561e-46c7-b388-e5e1f1755f3b}\NoExplorer = "1"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\power90\ldrtbpowe.dll	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\SharedAppsContextMenu.xml	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\ToolbarContextMenu.xml	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\uninstall.exe	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\power90\	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\power90ToolbarHelper.exe	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\prxtbpowe.dll	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\GottenAppsContextMenu.xml	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\OtherAppsContextMenu.xml	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\toolbar.cfg	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
File created	C:\Program Files (x86)\power90\tbpowe.dll	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2ACFF443-1C3A-4B85-AFD6-338E36572FF8}\Policy = "3"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7262828A-88F6-11EF-B9D5-6AACA39217E0} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e40f48031ddb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137027"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\DisplayName = "power90 Customized Web Search"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2ACFF443-1C3A-4B85-AFD6-338E36572FF8}\AppPath = "C:\\Program Files (x86)\\power90"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1187131386"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2ACFF443-1C3A-4B85-AFD6-338E36572FF8}\AppName = "power90ToolbarHelper.exe"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6B79E272-DC3A-4CA2-B3E3-157B65943004}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{55A1F516-561E-46C7-B388-E5E1F1755F3B} = "power90 Toolbar"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001c00000001000000000700005e01000006000000010100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016f5a1551e56c746b388e5e1f1755f3b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1187131386"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6B79E272-DC3A-4CA2-B3E3-157B65943004}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Conduit\\CT3041134"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137027"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{55A1F516-561E-46C7-B388-E5E1F1755F3B} = 16f5a1551e56c746b388e5e1f1755f3b	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ShowSearchSuggestions = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6B79E272-DC3A-4CA2-B3E3-157B65943004}\AppName = "power90AutoUpdateHelper.exe"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{55a1f516-561e-46c7-b388-e5e1f1755f3b} = "power90 Toolbar"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000645c69dcf33f304d82964e308b3da4ad00000000020000000000106600000001000020000000a6d125882600f62de7684337f63bfc7541b50ccc1db3b0c3bc38b64f404d3055000000000e80000000020000200000005d98c2f84c7cf67226695b3eeac40c25356ce3283b95a8fd808dc2aa0a4243882000000042051f6e6d989cec5c718d03878a625e9bdfc71e8f5848d79b31005cb376b55b4000000007fe299d923cb0f6249b0bb1db45bac3e9755dfbe00a1dc8c830904ab4d1dfc43badfc819e1a770aa810e9f7652895da4681eacec2bc80de1705157b4736826c	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{afdbddaa-5d3f-42ee-b79c-185a7020515b}"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6B79E272-DC3A-4CA2-B3E3-157B65943004}\Policy = "3"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1189478543"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{55a1f516-561e-46c7-b388-e5e1f1755f3b}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	IEXPLORE.EXE

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\InprocServer32	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98bbcfa2-bcdf-4a43-bfb7-90b8a6a12f2e}\ProgID	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98bbcfa2-bcdf-4a43-bfb7-90b8a6a12f2e}\VersionIndependentProgID	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\VersionIndependentProgID\ = "Toolbar.CT3041134"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ = "C:\\Program Files (x86)\\Conduit\\Community Alerts\\Alert.dll"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55A1F516-561E-46C7-B388-E5E1F1755F3B}\InprocServer32	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55A1F516-561E-46C7-B388-E5E1F1755F3B}\InprocServer32\ThreadingModel = "Apartment"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55A1F516-561E-46C7-B388-E5E1F1755F3B}\InprocServer32\ = "C:\\Program Files (x86)\\power90\\prxtbpowe.dll"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT3041134\CLSID\ = "{98bbcfa2-bcdf-4a43-bfb7-90b8a6a12f2e}瘀"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ = "Conduit Community Alerts"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32\ThreadingModel = "Apartment"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55A1F516-561E-46C7-B388-E5E1F1755F3B}\ = "power90 Toolbar"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\InprocServer32\ = "C:\\Program Files (x86)\\power90\\prxtbpowe.dll"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\ = "power90 API Server"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\InprocServer32\ThreadingModel = "Apartment"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}\ProgID\ = "Toolbar.CT3041134"	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT3041134	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.CT3041134\CLSID	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{55A1F516-561E-46C7-B388-E5E1F1755F3B}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98BBCFA2-BCDF-4A43-BFB7-90B8A6A12F2E}	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
1136	msedge.exe
1136	msedge.exe
2904	msedge.exe
2904	msedge.exe
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2324	IEXPLORE.EXE
4712	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2324	2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe	86
PID 2648 wrote to memory of 2324	2648	3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe	86
PID 2324 wrote to memory of 4712	2324	IEXPLORE.EXE	87
PID 2324 wrote to memory of 4712	2324	IEXPLORE.EXE	87
PID 2324 wrote to memory of 4712	2324	IEXPLORE.EXE	87
PID 4712 wrote to memory of 4428	4712	IEXPLORE.EXE	88
PID 4712 wrote to memory of 4428	4712	IEXPLORE.EXE	88
PID 4428 wrote to memory of 1136	4428	ie_to_edge_stub.exe	89
PID 4428 wrote to memory of 1136	4428	ie_to_edge_stub.exe	89
PID 1136 wrote to memory of 3928	1136	msedge.exe	90
PID 1136 wrote to memory of 3928	1136	msedge.exe	90
PID 4712 wrote to memory of 2324	4712	IEXPLORE.EXE	86
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 1504	1136	msedge.exe	91
PID 1136 wrote to memory of 2904	1136	msedge.exe	92
PID 1136 wrote to memory of 2904	1136	msedge.exe	92
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93
PID 1136 wrote to memory of 4708	1136	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cbb25f5426880ae6db8af8f7582408f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://power90.OurToolbar.com/SetupFinish
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=90266
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=90266
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd52b46f8,0x7ffcd52b4708,0x7ffcd52b4718
        6⤵
        
        PID:3928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9682694203575522773,13548420443750506440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        6⤵
        
        PID:1504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9682694203575522773,13548420443750506440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9682694203575522773,13548420443750506440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        6⤵
        
        PID:4708
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\LocalLow\power90\tbpowe.dll" DllWriteSocialCookies
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4256
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\LocalLow\power90\tbpowe.dll" DllWriteSocialCookies
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll

Filesize
620KB

MD5
5c6a15ba23dfb673a81f3c8c38117206

SHA1
6817884586147951fda72d82a702f27a4b025b9c

SHA256
2be5657bd5d47be35975eabc53b966b82ab31efdf907fea5abf76709b5929e29

SHA512
e95c24c7b9955db62c55525cfbcda1c17d3e5c54425a5c7a3bad7641f18b99659a64bff90386edda99e595c7622cb09c684fc2ea2ddc2e0b50ff68ee04f3614a

Download Submit
C:\Program Files (x86)\power90\prxtbpowe.dll

Filesize
172KB

MD5
4c163bd2a5905d18893ee311608e8c54

SHA1
a2d929a9864513c0e8ed84aad622ef6adcc9b950

SHA256
4553d99f1f146e2359ceb60987d904bafd24843b71d3e95c358776f3a1d5c6f1

SHA512
e1c7b44dc683f58c7c7b66b2448ed19c4e846b35f4018592c2d87191f3d8a2e4649ec3c92aa2f444b249f8ac27e5f2e7fe1cefbedd5d12721d21335a1c55afb1

Download Submit
C:\Program Files (x86)\power90\toolbar.cfg

Filesize
19B

MD5
bd0bac268fe6b3afd406b17cf2eaf193

SHA1
ee8d369fd1a5d12be13816ef168c8fec6cef488e

SHA256
b79469d9efb6eeb22cca6e2debfa0231d5eb6b794c04fff46d37d77256aa65f9

SHA512
6f451fc73fff7ed49f859df1d9bd44d30ac7ccefd2658cf799d4800887fa531e9d9a22e94dccc3040226355ca8ccd14619be9b1d7b0a80491a6ef185742c7cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
adca62d83bfe2fccad58a7035e9cb40c

SHA1
8585b192deaa613bfbaf08138bc8bbfb0cd09da4

SHA256
67026b0a3377b9365d4bcacd1f21b16db8184d256661b7ffab2bf5becf01e343

SHA512
b48a0ce890dfc6049206ac43b2d5c5bea57a733cc4e000ff0524c077b6199b3dc2692b1a8d1c1c5e4fb262e0fb2091fdf03040c627fb2bd9bc3e4c46ae2b6074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
3db54e8635686f2b7052424aaadb570f

SHA1
00700743a900709190d37a208d8ef7630014d440

SHA256
ded546d30399f9a063d2ba801f43aa6ff0181fadcb3cfd4fbfb072ccfafdf326

SHA512
dade3eba73654ba03a060a27dfa8be3cc262f873b8b23626e2f8990c4e46457f266a520a3f651d522e3cc6440fe958d028c870f76f33020b8b65c8cbbbb70e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\power90\ldrtbpowe.dll

Filesize
249KB

MD5
f0ac64e1d9a805800578c667283d79a0

SHA1
f029155010a8b430019c03c0bbfd1ebefd9e7e28

SHA256
884d5f8b03391a9fe9c42424afe810e2263dcbd9fd66447b4fb23da3569b37e2

SHA512
e173d55e640a6fbf7df65d392a126e6c9974c9f412e8a4a6b8283949aa8e6374375e03c19bb1e44f75cec4d2bb07fa533caf7f172bd747a1e7ff096c9139347c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98886ed96b1b88f7c024b8f4b4f68768

SHA1
bf627b1e90e8552036a9c36f417d208516174786

SHA256
0b76918843053cfe2ebc0c717979e287dd8f9e4cf27ff2a42cf2aac36dbb04c7

SHA512
1c2a4f889310478cb22dc0124fcd9a41d5b88ce0ae38a3749564deea4f2b4faf172d5b53cd7ff137d61caba77109b0cd9febf12498ab229224d9dfb2b65c1231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
099371121792b5a82cc758fb03935170

SHA1
e120010f028a76c5109bf067ac07cf64c3fa5135

SHA256
23f49481456e3d165d8ec9fa7268acc71fc9655c4e75381b5a3368584f8a5bd3

SHA512
da745ec9efe7f786bcb15478ec750b6567db67b4d3667f2534797fb91a466729c16dd70f50a052f53b123940758a50bea2d8d5b04c640bf852d3ccd9c93bc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b1e89ea9bf414e3a0b4f4d19b7c7790

SHA1
7c7ae422f8cc1602339a58aaa37a27fb75eb7935

SHA256
631728d918c82224b360ec84263eb6250583f2fc71ec9049489258d6bd2b3c4a

SHA512
14b471e0409d3cf0b0dadb97a24b18e7bd946cd0b59f39742faf1635701d935f993316a490286ce1297eafdf8f2913d0349e287b40e5c0a6c050077938f8101f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d2b417e9c7d5c0912f0d5a5b68003634

SHA1
1abcb01966956e1fbcca80c5e2c7d162c06c3f11

SHA256
3607ed3dbbc82c01d127f11db33e825a06447760949aacc8c9253ed5d87de90b

SHA512
3825a3ef98414efff918a913ae222414fa5186751f8e40880938e642084728ad38eb8d158b27a5d0f5cbf86196789b690442d9cc250c5d7542e6f2043873e7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\v1[1].xml

Filesize
742KB

MD5
25a40f949855471562a1a9e465cfed7c

SHA1
c3a563c56fb8323e6c2ee7fa417c45d8384a4156

SHA256
075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127

SHA512
e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc98F6.tmp.tbpowe.dll

Filesize
4.1MB

MD5
3d080a251ecc02c638ede4992ad77374

SHA1
67b3ffc3ab18b47995361228ce574477eb8bbd07

SHA256
c787f361415e1667d01a28488ac189aa44f534f148c194a289b15b60d8524b7a

SHA512
878820eb168b995e4ad2c959cd5d46294a652c6acffb17d32502fcc7b4734293c4fa3deec2957416737e827572206b280aac11d4e2a023bb3173c3eb71288328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm98E5.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm98E5.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
memory/2648-93-0x00000000049E0000-0x0000000004A80000-memory.dmp

Filesize
640KB

Download
memory/2648-74-0x0000000004960000-0x00000000049A2000-memory.dmp

Filesize
264KB

Download
memory/2648-55-0x00000000048D0000-0x00000000048FF000-memory.dmp

Filesize
188KB

Download
memory/2648-34-0x0000000005010000-0x000000000542C000-memory.dmp

Filesize
4.1MB

Download
memory/2648-82-0x0000000005660000-0x0000000005A7C000-memory.dmp

Filesize
4.1MB

Download