hxxps://waterx[.]download/

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://waterx.download/

Score

8^/10

discovery spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation	Water X New Module_52781754.exe

Executes dropped EXE 16 IoCs

pid	Process
3168	Water X New Module_52781754.exe
3484	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
5112	Water X New Module_52781754.exe
3516	setup52781754.exe
4944	setup52781754.exe
5004	setup52781754.exe
5964	setup52781754.exe
5804	OperaGX.exe
5852	OperaGX.exe
5988	OperaGX.exe
5336	OperaGX.exe
4344	OperaGX.exe
1244	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5456	assistant_installer.exe
3916	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002326d-530.dat	upx
behavioral1/memory/5804-531-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/5852-535-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/5988-561-0x0000000000C80000-0x000000000123B000-memory.dmp	upx
behavioral1/memory/5988-566-0x0000000000C80000-0x000000000123B000-memory.dmp	upx
behavioral1/memory/5336-570-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/4344-572-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/5804-599-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/5852-600-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/5336-601-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx
behavioral1/memory/4344-602-0x0000000000E40000-0x00000000013FB000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup52781754.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup52781754.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5632	timeout.exe
3368	timeout.exe
5220	timeout.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
6128	tasklist.exe
5604	tasklist.exe
6136	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Local Settings	Water X New Module_52781754.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Water X New Module_52781754.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000_Classes\Opera GXStable	Water X New Module_52781754.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup52781754.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup52781754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup52781754.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882588.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5212	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
452	msedge.exe
452	msedge.exe
2164	identity_helper.exe
2164	identity_helper.exe
2244	msedge.exe
2244	msedge.exe
5004	setup52781754.exe
5004	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
5004	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
5004	setup52781754.exe
2248	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
3516	setup52781754.exe
4944	setup52781754.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	setup52781754.exe
Token: SeDebugPrivilege	3516	setup52781754.exe
Token: SeDebugPrivilege	5004	setup52781754.exe
Token: SeDebugPrivilege	6128	tasklist.exe
Token: SeDebugPrivilege	6136	tasklist.exe
Token: SeDebugPrivilege	5604	tasklist.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3168	Water X New Module_52781754.exe
3484	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
5112	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
3484	Water X New Module_52781754.exe
3168	Water X New Module_52781754.exe
5112	Water X New Module_52781754.exe
3484	Water X New Module_52781754.exe
5112	Water X New Module_52781754.exe
3168	Water X New Module_52781754.exe
2248	Water X New Module_52781754.exe
4944	setup52781754.exe
3516	setup52781754.exe
5004	setup52781754.exe
5804	OperaGX.exe
5852	OperaGX.exe
5988	OperaGX.exe
5336	OperaGX.exe
4344	OperaGX.exe
1244	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5456	assistant_installer.exe
3916	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2092	452	msedge.exe	82
PID 452 wrote to memory of 2092	452	msedge.exe	82
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 3196	452	msedge.exe	85
PID 452 wrote to memory of 1796	452	msedge.exe	86
PID 452 wrote to memory of 1796	452	msedge.exe	86
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87
PID 452 wrote to memory of 3864	452	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://waterx.download/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc171246f8,0x7ffc17124708,0x7ffc17124718
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:1112
- C:\Users\Admin\Downloads\Water X New Module_52781754.exe
  "C:\Users\Admin\Downloads\Water X New Module_52781754.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3168
- - C:\Users\Admin\AppData\Local\setup52781754.exe
    C:\Users\Admin\AppData\Local\setup52781754.exe hhwnd=655712 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-Uwivj
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      PID:6036
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "3516"
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 3516" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:3368
- C:\Users\Admin\Downloads\Water X New Module_52781754.exe
  "C:\Users\Admin\Downloads\Water X New Module_52781754.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3484
- C:\Users\Admin\Downloads\Water X New Module_52781754.exe
  "C:\Users\Admin\Downloads\Water X New Module_52781754.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2248
- - C:\Users\Admin\AppData\Local\setup52781754.exe
    C:\Users\Admin\AppData\Local\setup52781754.exe hhwnd=262620 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-Uwivj
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      PID:5556
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "5004"
        5⤵
        
        PID:5644
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 5004" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:5632
- - C:\Users\Admin\AppData\Local\setup52781754.exe
    C:\Users\Admin\AppData\Local\setup52781754.exe hready
    3⤵
    - Executes dropped EXE
    PID:5964
- - C:\Users\Admin\AppData\Local\OperaGX.exe
    C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
    PID:5804
  - - C:\Users\Admin\AppData\Local\OperaGX.exe
      C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.30 --initial-client-data=0x308,0x30c,0x310,0x2f4,0x314,0x718f61e4,0x718f61f0,0x718f61fc
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe" --version
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5988
  - - C:\Users\Admin\AppData\Local\OperaGX.exe
      "C:\Users\Admin\AppData\Local\OperaGX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5804 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240221150434" --session-guid=e0f97a39-6d92-4d84-9555-644464b1e0de --server-tracking-blob=NDk4ZTNhNjc3NTdiMDY3MGIzMDM0NDI3OWMyODQ2ZWRiOWIwOGQzNTRhMTYwOTZhOTNjNjA3ZmM4Y2JlZDIyMjp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMSIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0xP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD0yNDA0ZTJjZTc1YjI0N2JkOWQyNDU2YTUxYWVjNGRhZiZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwODUyNzg3MS41MDUzIiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiIyNDA0ZTJjZTc1YjI0N2JkOWQyNDU2YTUxYWVjNGRhZiIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImVlNDE3ZGI2LTRmYTktNDU5Yy04ODAyLTMwYjI1NGMwZDY1ZiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8405000000000000
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of SetWindowsHookEx
      PID:5336
    - - C:\Users\Admin\AppData\Local\OperaGX.exe
        
        C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.30 --initial-client-data=0x2f8,0x2fc,0x300,0x2d4,0x304,0x709e61e4,0x709e61f0,0x709e61fc
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xc64f48,0xc64f58,0xc64f64
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5212
- C:\Users\Admin\Downloads\Water X New Module_52781754.exe
  "C:\Users\Admin\Downloads\Water X New Module_52781754.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5112
- - C:\Users\Admin\AppData\Local\setup52781754.exe
    C:\Users\Admin\AppData\Local\setup52781754.exe hhwnd=524804 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-Uwivj
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      PID:6052
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "3516"
        5⤵
        
        PID:4728
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 3516" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,10312530941859392711,6501278823133595554,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4400 /prefetch:2
  2⤵
  PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2a10cd3b046116320fe7951c1f377130

SHA1
1a7540af712bd5c340c1d35259698b0d9954e4e1

SHA256
2224a99113542b434f54410a8b8e579b0654508a32b8769afa1245d479b31064

SHA512
e82c8e99ffc0a3ada42d1f662f7c94bb61f3d5a9e4d6bdd3f74b5c6c47198cdbb98011f6f43446596dc418399f396e49993082fcd1b33b05272d0fa0842c8bd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3465EF07B9A6512425B2408FA7DBF4E5_F38ABF5BFFF4E687C6F66BAEAE5ADE1C

Filesize
471B

MD5
69b885af977495cea4e69283c29c28b3

SHA1
191f8227f22ec47b43a419f583570c24e0b75e39

SHA256
f47a00876d2ad1e5839378efddb1a66474543b5930d56378b8d076df912a83b1

SHA512
71130ba26150d6d7c051be755d5922b08925d6d8c7b018b3c21278faa59a237e70a6db75bb5b48b0f69cd0428b12705ca2570786b34379e6839256f0d31019a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13

Filesize
724B

MD5
037ae8164352ca91e80ad33054d1906d

SHA1
1d6520e9f51637e61ee4554393f5ac5eddb18ebd

SHA256
07c018eb07002663d5248daa8a65eaf587955e3db45735e7e3ac9cb13d7d664e

SHA512
a092a9e43bb47bdb0e081bd4f2c0ef7c6f0ab9fbe3babd624d577186ba52e52e86209a527ced887275b74aa127b03e83c476a2a39a1d6dcf0ba1d024e7bd7730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
5a29b45cc1298002f2b18359adf809a1

SHA1
0684cf24630353a6bd24bce00f017ccfc5bf7139

SHA256
84d0957c82f5c3a542aed8a014d120a44f33e7da93a616a4cd650584026f7b77

SHA512
ccba5e177ce3361ecb02578bb4ddb3599bda554caf6d5b8c7629d8a836246366e8bff4f4ec655ad1414a25453366467bee3a0a3307c6287472c6059ec2374d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3465EF07B9A6512425B2408FA7DBF4E5_F38ABF5BFFF4E687C6F66BAEAE5ADE1C

Filesize
430B

MD5
38dfda4c40800bc6434c8bbc094ec4df

SHA1
67bacf8e688591fcc86e48d0d3b5a685691f803a

SHA256
39fdf35d2298829ca2d65c8afb93547dd1dc1a50cb39778893271740741747dc

SHA512
9fe0208c257616d8efc8dd20e7c2c2818edc9a8a3e6382a6528d07cfbe474f4c4f4bf11b1aac4fb42b9300d0b7e32217767292e8cc10e53a6123b97c41b8f9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13

Filesize
392B

MD5
d4e7b4bc6801115921ccd66bee03d671

SHA1
45fa98f75d7b760e8ce61eeba17f35e88a67183d

SHA256
63b911333c4f0bfec480a8bb9121e1d065b3be7bc79251f935bae410645d5373

SHA512
188f339c48efe18ca9d16a59a1b857fee007e93eb3b447082b134c875a7c2c27cef3854c5868b96177202399a73f97ad69b1bee635ad5539a3b4c544f51518ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13

Filesize
392B

MD5
41a35b5abfd0b936a7f265b6e2b11ade

SHA1
6cb2f04b25f8efb4c4ea478cd0cb07886b4fc847

SHA256
ec633e4af27eec7a682629b3a4d9cf597dccc2f27e5c47e922795f02bd077d59

SHA512
d19ca6ad3976f2ba18be2b31903c006b2d445f16fc832595d778966d61874cf2a05ab0154de22ba033c4a8d90779fff388e3510f20a101aa257723a2665afaa2

Download Submit
C:\Users\Admin\AppData\Local\DT001\setup52781754.exe_Url_cljmupabhile0cluyxl5emxhhbe4ldis\2.0.5.6649\tdov4lzd.newcfg

Filesize
798B

MD5
f3da41e2f01ec12a28efa662df2fa963

SHA1
9760227f497132829ec34fffec6184969043bba1

SHA256
a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2

SHA512
ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
2b3a66834d210c3d815bb77c7a103bf8

SHA1
03baf0c88d0e9e10ffc692995890364ad0aa681f

SHA256
3bb57d4ad71042b8dd5fa8d95e6eb0675cdd4cec4de86dccfe7963c3c0d9a797

SHA512
48eedcfc00ce224117ee372bedab8a2acfeb8940eca0be01c8df0c8605a0fd83848e1cbf7f148f92321c919512edf5546cb0817d69e03f92aab9bca9220a1490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0756d551b53e09d3a855895f95dfae41

SHA1
65daaa2149d89c817bc3113777408bcad92ef2b8

SHA256
451e7236e81ed3e5ecb23be37dba3976d3f115a85e25a5308458ba9c65e80e60

SHA512
f3d320aa11177a1c8757c782c5b031b033bdfc7dff77f13ff1ee924a529e33e347ac76fb6fbe1ab5bc388a61d69184186f234f0c4f896dafa6efeea31df92d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbc09d6560517055b3b901205d7f35fd

SHA1
c26ae375ad376c7c60cf371f46144457695e821a

SHA256
3e4b4df2818305085ad69874979bba408fdd7ad10e773c1dffd4a0dfe46c3db9

SHA512
39ded841e9dd6c419704ce1f1ccf217411d14410c0dc247d9960a2946df321eaeac01860d177d8cdd0c9a13f15ff82887146962236225217bb770163b2d81aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2e125b1236d8326827a992a29a6cd37b

SHA1
f744a08c2b6c6e50dcc5fb5b07120ad63454a250

SHA256
6d3549829eb8c6e1ae41696303ad45eea366745efa403bc65edbd182355672ed

SHA512
580faa6a31c26aff986797dbc55abf5333dd3b118a3086426dc3b86dfb15795d18a2c9fc6e68a43b63932779dcdb1233c343e5b7f211244a32abd2763cfdfbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8064239d05476a3acd7f36e8f86f2a2e

SHA1
e8faa1e8d162ec32e3a442022f5a7652b4cd24fc

SHA256
02503ccf8bb15b73b9eae9a62f7efb59376c9e44a90ad14d051ce5b47aa271f0

SHA512
695a106c9e01ec23a5458aff58823db675bb589d473036c31795aa2de33a555ed762f92bf22da6c1866903da048f99336c27f0b2da3404fb35e4a37783a05a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2fc6786677c2351b5226d04a500c0182

SHA1
6da8b7607e9d2b04f139c7a0ab99d8f16440184e

SHA256
e52fc65724606c855da4ad074ee45ce5cede9e3ca3c01deee5a79165e8a0837b

SHA512
79c1bfe773bcf3727b1a045979224f1680dcb539c09825cf56baf6e95162d587b992cf714fad65434e7ad77896f6e40643330132a628d840a1084e5ab5d760c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ed37d28ea9e898ac58a173312aac09e

SHA1
2c333d66d2541c7abe9d50878cfbeaef159fe3f5

SHA256
f2eb931d8e2df57807f358bd0183918db0ddd786e2b857f45a06e8eed19dcec4

SHA512
c52c3deea7cdc1c270d0cc07395d3c4d921e0fc90adbdd75056126077b1dbc9c30679c290d32f229920286aeee940f40750bc95558edba9473f4563f694e208d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
06b1da724bf84f68337b08d8ae4b6879

SHA1
51b1acab04acdd53221711fa77fa62760baae371

SHA256
49f85d95dd6868f59bda3a2c386bb4a6b6d711a24ec4faee9fff766405357857

SHA512
281473fce1d27d8612ad73e81d940b0cf602689fdf0284f24822d54860b3fe84c05a32f4eead8180d256bb996df7d68a61b06028e33eae3d95f9d2a0df2cf07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c275.TMP

Filesize
538B

MD5
df2c4caabe740d7b255623e7d199a8e5

SHA1
75cabf79b42a01a4db0fd2d649ebdc4a3236c128

SHA256
87ccf6c680c5d268e78b922230847b30de7f622b142f5b53e420ffc69aa0e0bd

SHA512
55ecfad2386c3d4664e7c6e1bbe608cd33d3b1b150fc73c9defd1d03329f309f3e08f60f742339913b0259d7c822cf815c79115975666cf09cbe68429efcbe25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ec999619e2c7fd89a800a5716dee807

SHA1
bedf86cc39a36adb5a5656313a1bb104bbeed08b

SHA256
03e60ac0223d04e03fcd77805a7f9513e8ba38c569c241993dcee0060f129e98

SHA512
480e5651f1200c6b3cbf0f834f3c6e950deeb31fba57e74f65d54eb7238cd14d1acd7f3d72f912e321bc15f02d5835c10a0b85a063f46ac4f2e4e7ff85d0c254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
269f1e11ed4e35ce4180850a1e048642

SHA1
0361845d2107513808b7614b8539dc342bb6dc8b

SHA256
09dd0f7319c4b2d2900f3156e67ee9f73d3be3b9b6b1b95fa96cc5b0646534e9

SHA512
8bdbc170ea70532d1176664431a977a04be007ebec67050d095f57411c5e062369217e288d010457268d3cc6456fb8feca94ffaef19c7346dcf0da4673d635c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
facce63c7bbf1dbf360ce716e11eaf44

SHA1
a822057874ce0bb9155d9e90979cca180be3388c

SHA256
78d2916a992f54be6f6e1effb6dd23e0b6f70f5f2aefa04b8c1241471e6d1a5f

SHA512
f8b232d1dd0fe49babffda1d70de3489a3819bcfece365e25216a07d8b502413fdc8d5b92c77eb314b9bbc175ef2e12fb9c7b0f0eec85c559d4cd50125bcd42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1Q8A8Q15\service[1].htm

Filesize
5B

MD5
067c787f1a9942e361d8600d59d247b2

SHA1
53ed7f1a7a3ca6a92f30ee66f3d3ca655d4ddf65

SHA256
b5895dded7aa7f503da35cc118e30f7eab146054d1847e5c96671ccd465b73fb

SHA512
fce5ecd403044c1bebed35856e802fe78a43fc2397c0bf9a487f2de0edcb41994eec4d050872d53c336f58335f684491fc4e8094b45aa157e550a0dd85c2f33b

Download Submit
C:\Users\Admin\AppData\Local\OperaGX.exe

Filesize
3.4MB

MD5
646bc7d303d94b84c45be25f0947b1b9

SHA1
16b807c3db778ed36deaadf2e440e7a03261fa66

SHA256
5592cbdb791903d1a3fdbbc36a1eccd7dd77383073a1cee9e9f5cae2ccb9a0bc

SHA512
28557da13885b52bfef45f89a887061254595ee3c721963542dd62914d1e2fb7d9e82cbd7270442ada91d6c0d00500c2fb808d82be35804cdfd3e3d5a4f57a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402211504341\opera_package

Filesize
322KB

MD5
2ace53e7d4f41e0e0e9fc0d907b9bb23

SHA1
413fc11da12bc5b0501457b8bccc7437241268f4

SHA256
d3027f5624e19e01743abdb544250cfc8a1e244cfaecddf50634ed7319eb9d61

SHA512
e5dfcc54dca5cd457e325e339c49178c1bbe8d7fc6cc9e74c0d1f0d56bfa777791c68cec1c5ba6bad9e14e612c53e5d8d58bc37a4af593ed1d62ed035152c7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211504329255852.dll

Filesize
3.3MB

MD5
280f43a001c479ac9c1677923e3b3252

SHA1
b2f0467ef2c874836953effd4e64687cefe8f228

SHA256
4ad12b520dde1a0c9889117009efbfd865f86d507a2b29ce8416453d8915f72b

SHA512
2aba883ccc6d76a6810aff470dd6106a59fc19c8f53e4aee75c6420f98c561aeddb5bdb721a632efa6026bb3d6f46bab117035cc558ca475952b199333fa86f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\setup52781754.exe

Filesize
3.6MB

MD5
d50c804939759bbcbbe88599ccbb7dcf

SHA1
8929cc58679ec7da1a847e3ec1040bc4f017c4ec

SHA256
56af5af40df47da940b518680476d567e049301426bce503f69c59fac1e7461c

SHA512
3e9b7db4d444f2c87efbe3a616ff67c1d1f87e5c33c0e0ee40d798147c48dd03cbd281c5efdec58ab5f91b0c64bf7ba18c1a099d011d5ef6f91c12c16f58dca4

Download Submit
C:\Users\Admin\AppData\Local\setup52781754.exe

Filesize
896KB

MD5
5b5285d5ce23fffcb00e596b751ff729

SHA1
67e98f7e06a163511483fb61b32be1251e243324

SHA256
b87f60ea3c40a925c12e0134f6a8e0791dbc294a31991bdd4be033e04b9c5f87

SHA512
19c76bd796878d185652f072331af09bd1561f56d971f2d994b028bea1c73e7437adc26bb9987bcfd8de37e88d4d5de87130da011b2adf42d5e679754d5becfd

Download Submit
C:\Users\Admin\AppData\Local\setup52781754.exe

Filesize
960KB

MD5
2d280bebe54fa4398ff025c4617fbf11

SHA1
5c305f0c9b81c894e134425746be5605a926eab4

SHA256
c8db72f69bfd23df3b8916223f2e365a3c600450dcada00f75ab7d168cd66fa3

SHA512
341fc42069b82e48f94dd28666a2b9fa7c7f72514f3d0b033ebec285b6e07ba5367a8e14b4263d45953f78a2595614082d09f585628645ae76dbb209128a0d34

Download Submit
C:\Users\Admin\AppData\Local\setup52781754.exe

Filesize
1.0MB

MD5
02b4265f6d3a867cf5d00afc0cc77085

SHA1
075df8ff09270171f3dcbc6dfc9c013e02cf468e

SHA256
0a3065d7d188c2f97e6a99caa6e5266cb307d92ed5d9cb10ac82a8f17582b662

SHA512
ec4e3c726808227839bda492322f7abcf18e8aa4cf41f2d4cbf6cd4b17745f6b55dd59ebbb643646d18dc44bdc74755aed5ca6a68f879da62bee56e10228a634

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Water X New Module_52781754.exe

Filesize
9.5MB

MD5
93d16508432c3ff3512eb9de584f48e6

SHA1
6ed9fd4d190afc6c5154730d85cf883fd3ad4d2e

SHA256
be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549

SHA512
08ad71f9b6b3a65cb22b6a65c8e44d4e004de2d10683dd89a8eac5af67127b126db301ca55e00740e7342c2896cf4b7178257e9d4e446a03db13e122c4116338

Download Submit
C:\Users\Admin\Downloads\Water X New Module_52781754.exe

Filesize
640KB

MD5
74b475abd4ca8e5d08ab0ac52390aa44

SHA1
0c615c0790d5332847b8ea1930b974c76a49fb10

SHA256
314b37dd5ff250c13809c317ba8ca2458c5dc69867ef5422492254b9e66a8134

SHA512
60116070e76c5c69c23fa2bc0c921cf83c57dcc298cd2af924c95e3f845e11421a8a2d2da66b9f2f209e256d7287857d8398e1f626ad3b262abc3964c40e3e03

Download Submit
C:\Users\Admin\Downloads\Water X New Module_52781754.exe

Filesize
5.6MB

MD5
d93d861ad98394cce5e2a23551b4a582

SHA1
996b898e6e76291ec9560f4d29c45d47b6449c79

SHA256
a44c76c63772667c07fccb8a71ca1f230c86b04ab3e4fdb3e688069178c2a1e6

SHA512
fef27f6c8d4a45703a452039f8ec25111cc507bd89cf2d1f558c42c40ce346e1631649a4386d705a685f3e43df075546821301ee3f5eba60cbcc105414350439

Download Submit
C:\Users\Admin\Downloads\Water X New Module_52781754.exe

Filesize
6.1MB

MD5
aeda5cf5ba6cb83b2d86d502b967bb44

SHA1
6e5df3715462cf4730adcfae13eeb894f093f8e7

SHA256
29ad113fc98ba7e04ee42de4c66a0497418aa2f56f167d773b9ffebe37db2230

SHA512
46f5471a157213a1cb8966e906e6a419c8605ad171a4fbf355b6fb7a78706a01cd3c11bbe83f9a9dedc95339136d4cc8ed25bd117bb9f459749c28f9b7f467b7

Download Submit
C:\Users\Admin\Downloads\Water_X.zip

Filesize
1.6MB

MD5
0ee603be5ca18ec73293b8a3412133af

SHA1
c2e5f2db8a2095bd21da7f93cd73feac7030d9b6

SHA256
b411a4019259f0158e8b62b481dad8924561778df13c754b4098f5c166eba545

SHA512
f2a2757893f2b1e6e37e3f6ba042b38e0729dc59dbb39f3d8b968a2041ebe06ff055db3322d6c9498ca3e84230072c28307fb552493a573d15d0f522d449433e

Download Submit
memory/3516-320-0x0000000004FD0000-0x0000000004FF8000-memory.dmp

Filesize
160KB

Download
memory/3516-483-0x0000000006600000-0x000000000662E000-memory.dmp

Filesize
184KB

Download
memory/3516-389-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3516-392-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/3516-493-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3516-344-0x00000000050C0000-0x00000000050F2000-memory.dmp

Filesize
200KB

Download
memory/3516-386-0x0000000005180000-0x000000000519D000-memory.dmp

Filesize
116KB

Download
memory/3516-377-0x00000000051F0000-0x000000000521C000-memory.dmp

Filesize
176KB

Download
memory/3516-371-0x00000000051A0000-0x00000000051A8000-memory.dmp

Filesize
32KB

Download
memory/3516-365-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/3516-352-0x0000000005060000-0x000000000507A000-memory.dmp

Filesize
104KB

Download
memory/3516-254-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3516-336-0x0000000005090000-0x00000000050B8000-memory.dmp

Filesize
160KB

Download
memory/3516-359-0x0000000005130000-0x0000000005154000-memory.dmp

Filesize
144KB

Download
memory/3516-328-0x0000000005000000-0x000000000502E000-memory.dmp

Filesize
184KB

Download
memory/3516-304-0x0000000004F50000-0x0000000004F64000-memory.dmp

Filesize
80KB

Download
memory/3516-312-0x0000000004FA0000-0x0000000004FC4000-memory.dmp

Filesize
144KB

Download
memory/4344-602-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/4344-572-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/4944-460-0x0000000006950000-0x000000000695C000-memory.dmp

Filesize
48KB

Download
memory/4944-446-0x0000000006B60000-0x0000000006B82000-memory.dmp

Filesize
136KB

Download
memory/4944-255-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-428-0x0000000006960000-0x00000000069EC000-memory.dmp

Filesize
560KB

Download
memory/4944-492-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-388-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/5004-382-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5004-461-0x00000000072C0000-0x0000000007864000-memory.dmp

Filesize
5.6MB

Download
memory/5004-519-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5004-253-0x0000000000B20000-0x0000000000EF8000-memory.dmp

Filesize
3.8MB

Download
memory/5004-387-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/5004-429-0x0000000006180000-0x000000000618A000-memory.dmp

Filesize
40KB

Download
memory/5004-457-0x0000000006800000-0x0000000006B54000-memory.dmp

Filesize
3.3MB

Download
memory/5004-516-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5004-465-0x0000000007E30000-0x00000000083E4000-memory.dmp

Filesize
5.7MB

Download
memory/5004-473-0x0000000006DF0000-0x0000000006E82000-memory.dmp

Filesize
584KB

Download
memory/5336-570-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5336-601-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5804-599-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5804-531-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5852-600-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5852-535-0x0000000000E40000-0x00000000013FB000-memory.dmp

Filesize
5.7MB

Download
memory/5964-484-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5964-485-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/5964-487-0x0000000071430000-0x0000000071BE0000-memory.dmp

Filesize
7.7MB

Download
memory/5988-566-0x0000000000C80000-0x000000000123B000-memory.dmp

Filesize
5.7MB

Download
memory/5988-561-0x0000000000C80000-0x000000000123B000-memory.dmp

Filesize
5.7MB

Download