ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750

Resubmissions

05/03/2024, 20:45

240305-zjqfasgh5w 8

05/03/2024, 20:41

05/03/2024, 20:40

05/03/2024, 20:37

05/03/2024, 20:34

05/03/2024, 20:31

05/03/2024, 20:27

Analysis

max time kernel
153s
max time network
159s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
05/03/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.4MB
MD5

b16754e31096ff084460514287187a29
SHA1

149d9d7bc7bfa0ee218e55eb3778ea3cf6184dc7
SHA256

ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750
SHA512

86fad8a6ee5660aac5a0fa172d6094585793cc6b86996941211292a9e91fc2571c8fa807a3021561909c841491400991f152f18c8e1d247c663ff600643224f7
SSDEEP

98304:TWo5jp/vdcY8uC+gOhUL+byztZXlAuoVGmKeLEcjXXV9bA:TP59/VcYZCOW+bO+5Eo9c

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4496	OperaGXSetup.exe

Loads dropped DLL 3 IoCs

pid	Process
3292	OperaGXSetup.exe
396	OperaGXSetup.exe
4496	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3292-3-0x00000000003D0000-0x0000000000991000-memory.dmp	upx
behavioral1/memory/396-5-0x00000000003D0000-0x0000000000991000-memory.dmp	upx
behavioral1/files/0x000600000001ac04-12.dat	upx
behavioral1/memory/3292-13-0x00000000003D0000-0x0000000000991000-memory.dmp	upx
behavioral1/memory/4496-17-0x0000000000950000-0x0000000000F11000-memory.dmp	upx
behavioral1/memory/396-123-0x00000000003D0000-0x0000000000991000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	firefox.exe
Token: SeDebugPrivilege	4728	firefox.exe
Token: SeDebugPrivilege	4728	firefox.exe
Token: SeDebugPrivilege	4728	firefox.exe
Token: SeDebugPrivilege	4728	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3292	OperaGXSetup.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe
4728	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 396	3292	OperaGXSetup.exe	73
PID 3292 wrote to memory of 396	3292	OperaGXSetup.exe	73
PID 3292 wrote to memory of 396	3292	OperaGXSetup.exe	73
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 2888 wrote to memory of 4728	2888	firefox.exe	75
PID 3292 wrote to memory of 4496	3292	OperaGXSetup.exe	76
PID 3292 wrote to memory of 4496	3292	OperaGXSetup.exe	76
PID 3292 wrote to memory of 4496	3292	OperaGXSetup.exe	76
PID 4728 wrote to memory of 3564	4728	firefox.exe	77
PID 4728 wrote to memory of 3564	4728	firefox.exe	77
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78
PID 4728 wrote to memory of 1204	4728	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=107.0.5045.37 --initial-client-data=0x2c4,0x2c0,0x2c8,0x2b8,0x2cc,0x73b061e4,0x73b061f0,0x73b061fc
  2⤵
  - Loads dropped DLL
  PID:396
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.0.1518634587\1590310040" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fe3103a-d6fb-49c2-b5f6-c7d7a919ee42} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 1828 21f7b305a58 gpu
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.1.368568382\86901112" -parentBuildID 20221007134813 -prefsHandle 2148 -prefMapHandle 2144 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e334e34c-feb6-4685-ba8b-ba817fe3d38a} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 2184 21f79ff9858 socket
    3⤵
    PID:1204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.2.1174411089\710583921" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3028 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {838db609-658c-47ba-b21b-cd1453ca60b8} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 3064 21f7e413258 tab
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.3.1336046357\43689737" -childID 2 -isForBrowser -prefsHandle 1224 -prefMapHandle 1232 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb1a94c1-fecc-4b77-986d-487b68d7abba} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 1572 21f6f070458 tab
    3⤵
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.4.1848688898\766753509" -childID 3 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef46730f-7b57-40fd-ace6-3842fb33dc40} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 3612 21f6f062b58 tab
    3⤵
    PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.5.209803588\1074117987" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4860 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67ceb5e1-12f1-474c-8b1b-184a09ef8658} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4876 21f7e974858 tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.6.190902748\465389760" -childID 5 -isForBrowser -prefsHandle 4720 -prefMapHandle 4724 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b07ef83-b3af-4ef3-806f-36ba1477cd97} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4716 21f804c6d58 tab
    3⤵
    PID:4456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.7.456899522\1314772772" -childID 6 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4718078e-677d-41e6-bbbe-123b6f15b221} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4876 21f804c7658 tab
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.8.2097216251\1979934029" -childID 7 -isForBrowser -prefsHandle 2640 -prefMapHandle 2632 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4298ec03-81f6-4368-8702-5d6a0d4a3d98} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 2684 21f81651258 tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.9.1609025630\922649186" -childID 8 -isForBrowser -prefsHandle 4788 -prefMapHandle 4752 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f93d47-ce07-473e-9cff-81929b2ec7a2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4800 21f800ac558 tab
    3⤵
    PID:2040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.10.458951099\450404169" -childID 9 -isForBrowser -prefsHandle 6104 -prefMapHandle 4608 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4b99845-8788-4c58-a643-b2e8bb3e55d8} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 4960 21f6f065958 tab
    3⤵
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.11.819611522\2112609719" -childID 10 -isForBrowser -prefsHandle 6148 -prefMapHandle 6152 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca8e9af0-404b-4498-a73e-8560da0f0843} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 6092 21f7e972758 tab
    3⤵
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.12.1033769630\1492215409" -childID 11 -isForBrowser -prefsHandle 5196 -prefMapHandle 5276 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca2539a-6e40-4f64-8c60-0f6d8d7c0c7d} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 5232 21f8334be58 tab
    3⤵
    PID:5560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.13.1848456530\370013609" -childID 12 -isForBrowser -prefsHandle 6476 -prefMapHandle 6472 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {897791f4-d677-4813-bf12-81d215b45e6a} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 6484 21f8455fc58 tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.14.1417153684\1873709558" -childID 13 -isForBrowser -prefsHandle 10616 -prefMapHandle 10656 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe28893-2927-4e89-8ae9-8d0fc613d3d2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 10592 21f7ef5ee58 tab
    3⤵
    PID:5444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.15.801147545\1826103948" -childID 14 -isForBrowser -prefsHandle 10276 -prefMapHandle 10400 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e71a4f-6ff5-4fb3-8409-35ca09ec931d} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 10300 21f85baf158 tab
    3⤵
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.16.62021244\502727634" -childID 15 -isForBrowser -prefsHandle 10100 -prefMapHandle 10096 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4cb618-c63a-4225-831b-23d573d16e6b} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 10108 21f85baf458 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.17.1482390545\790097137" -childID 16 -isForBrowser -prefsHandle 9916 -prefMapHandle 9912 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a10994d-f1dc-4639-a572-8bd9d85ab9e2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 10248 21f85bb0c58 tab
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.18.96910965\1793957455" -childID 17 -isForBrowser -prefsHandle 9648 -prefMapHandle 9652 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff22349-84b1-4a1b-bef9-c5796e754bd8} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 9640 21f85b24558 tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.19.1584814934\783434423" -childID 18 -isForBrowser -prefsHandle 9312 -prefMapHandle 9316 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28640e0d-199f-471b-8fab-8c3737c2a3fe} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 9488 21f83736258 tab
    3⤵
    PID:3992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.20.1187882077\534462353" -childID 19 -isForBrowser -prefsHandle 9272 -prefMapHandle 9268 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {456b91f4-3f5e-41d1-b207-1849eb1234a4} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 9280 21f83736858 tab
    3⤵
    PID:3948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.21.1950973762\1848221114" -childID 20 -isForBrowser -prefsHandle 6676 -prefMapHandle 5004 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b1e3048-fb07-4c2d-931f-ab48fd182670} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 5068 21f81282e58 tab
    3⤵
    PID:6072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.22.908815255\794436519" -childID 21 -isForBrowser -prefsHandle 6676 -prefMapHandle 5004 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c684970-2f4b-44e1-a7a0-1d7e56e1365f} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 5020 21f86dac858 tab
    3⤵
    PID:2656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4728.23.456252394\880697536" -childID 22 -isForBrowser -prefsHandle 5308 -prefMapHandle 5044 -prefsLen 27081 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f07f7e9b-323d-48ac-81aa-4f379b58e184} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" 9280 21f86dacb58 tab
    3⤵
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\doomed\24963

Filesize
12KB

MD5
f36c416e9a7bae37d0c5af773de2f9ea

SHA1
08d827c6c610c071c64816560b2bb1d61b930769

SHA256
ed48d4426d8d4d08575a469cee0e0b5159b7bacc02b439fa60fed645a5f271a7

SHA512
360c736cf1c9beeb688f1316346239ba51d3e1caccb6ed2ebdf42c619659173da59eea4fcbba54d2f89a01dc974a4b87ab0103e6b8e2798621c11324875268ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\doomed\31022

Filesize
33KB

MD5
28657ddfc457cb560b5e238fb31913dd

SHA1
a222854b3c1fb9762299707346c76e7c398350a9

SHA256
d724b5412c735676739cca54a80641b7c1a97ff8f967ccdb5bb68f85dfb74fa3

SHA512
08d29bbf9f90de7e430aeaf517eb345adbe8f676e31123bbbdc0be583b3735c5be6e1d4cf76c5bd708b68e715ab5682964ba8a22b911b05ea27e501caee740c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\doomed\6901

Filesize
8KB

MD5
0cbc111dc56b74c181f9a9de32050252

SHA1
0d7c25a65fc48aa57a5d5a8c9f7809495870911e

SHA256
1c3b173d5413953b86a712078b9c7707bfe000e7e09b1877c13c01e1e01b8f87

SHA512
f166216b16c7cc5151019bbd80ee0f717d06df3929971d35d03923b9cc3bf46ab4111a992265a86b67d1471521ed98822629538679f24bda526c08acd3b053a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\entries\36568FF4AAEC52E5FBA97C17EE969E667A8159EB

Filesize
15KB

MD5
48be0e284b7bad41250b24f01ca3c992

SHA1
6f39316e8d41fd52b10405641d552b978c514466

SHA256
07bacf2780a8cb743df60379ee0dd6d6c5e1f6188205a6db02c87f9d3a28d13a

SHA512
bd3e7b5ed063428089ad463a1bc10ecd9a3d5326142395a1f876041a7a6870a2b85b4626f24ce88d1e06a7146b9982c8ba8eb881c293f03a93764a81f74e44af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\entries\39172F2924E6689A994995A9C4E51BECDC2078DD

Filesize
24KB

MD5
39104c1611550c127bfc51dd869c8b82

SHA1
68a801ecec4208a035fed7d9920981e92a35e48c

SHA256
286f8c985d70d9f56ca9cb6ccef51cf1fcbea33b9f7b683a382825011ed70444

SHA512
756468f080de1d47573434cbe1b668beebc2ae948a5ecdb0f9d13205049ac40c7c70e44665e215b1386b8a69c1baa874bc7293536b23cc9208b45c02fa3afbce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\eqnlllhg.default-release\cache2\entries\532ADB763AFA0EC30767E4ED3ED65610448A0B99

Filesize
204KB

MD5
45c7a6a3bfdd4d4fab88fff7764dcd7d

SHA1
13cd3f738a0ada1a33926bd6717ca569487636b5

SHA256
1a42a65ce5db317bbeff078aeaaa1b5787771d0d8895f1ed0f7438bad988da8b

SHA512
046887df65b9c19d188d83e265f4f26ade59912d05f6d76c6849410be117a477d20bfc2092b2322dd38e36d07d578e22ab2a128075a1269dc46d4aed0b259a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
3.4MB

MD5
b16754e31096ff084460514287187a29

SHA1
149d9d7bc7bfa0ee218e55eb3778ea3cf6184dc7

SHA256
ada1f60b55545c1f8a59fd28d2a5fd37d9655e9f059857121e1d493fada33750

SHA512
86fad8a6ee5660aac5a0fa172d6094585793cc6b86996941211292a9e91fc2571c8fa807a3021561909c841491400991f152f18c8e1d247c663ff600643224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403052035200044496.dll

Filesize
3.9MB

MD5
78cd71104eb3c37e70ca1ef1594b947e

SHA1
36292f68b809fd9fc10f8f8639d4502afda46cb2

SHA256
c37714da43507c9fe371ff9484d8c3ccde28d64c8b587a57ee9dd4955589597a

SHA512
cd56a1e8f3b75c5a11f8f4d6267b3969c481359c0f4925d4bdcbd7ee04c5e4041c5f5e4af72c179e241b425bd58b827aad442b542679d60ed145aeb5c190f4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
f75ee49082c87c8de343f98247c9b73c

SHA1
01a49af5f35c20aaf46715f420fbbaca199bce52

SHA256
5f5e149cb2d763d21a1d71bf73bce79f9bd26ffeb76a5e6fa55f2eabd115412c

SHA512
764e4f0124b56f12b0c4ab2e823ee896f69586bcf89d696b4fc5b2e0d1e70023e6cfc2cae4dc5032e3779e75857daedde4b12b81d230020fdeea84d5c06b41bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ec2aec2d742faf617e2c8b9c5b4cfeef

SHA1
d28113f4693ef0276587fa4a755cb0193d2e5056

SHA256
04b08b02bb6f09ba02a36d94120415bcdf25e785eb272c1302bf22a7c464a80d

SHA512
50b1d2ae4d67e2be0c121321aad3b44ed974b64a15ec6104d33dc2edbd3afc9450af865717cf20221489a7eb1a66f493133d64cb6eac95d5f358414b1bfd3204

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\pending_pings\44dfa43d-eef0-403a-82b6-3a77031a8e65

Filesize
746B

MD5
0e5e780f0a2f2c5ff3e7a3ded1ee36b2

SHA1
2f1c9fd2d0d34b3d126d4101984a4b3c969c0e41

SHA256
8e3ddf332c07192d40512e4acc0aedefdbcfdbbca5f8b3aaeaab8098e17e428f

SHA512
d7d6c9dc4be7b98625ea1c02341bad70ccfd64c2909f956e705c09767e6463da05cb21e8d075db311b5225c7df68c311d662e81640d9680ca857c77a222f8099

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\datareporting\glean\pending_pings\48742bd0-27c6-4f02-8720-c43dffa68cb7

Filesize
10KB

MD5
b939e31b7421dc233eaa78df9b6121dc

SHA1
0aa7df605539320bd2fe32e2e6486c3cc431891c

SHA256
4b8bb31258dad6b2e5262a9f36ca99179a03e046d59a0ba272df60782495e7c0

SHA512
c451435561bba0b53723f1b471e1323e77b3f11d5a0d80b57823646b16d56d89d4bb465ba478a5213ece47126413876d3863d75fca1cb7ad1f8711bb63977477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
6KB

MD5
add266affa03304b369d4767e62f6b61

SHA1
533c1c8fd9583ac2f16b4b4c2e0226c90f609edf

SHA256
aa67507908a747440f1f7382bddcb38764be110e75feba0a4a3a6df92ae7f9e1

SHA512
f4323e5fcfae8263c2af74069960145c0e9c4170572e70e1b6dd6d5ca41a9d4485eee8813d60110e3776c380f296f0070d6bac5f4388fdb002d6ff5ed0fd3f95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\prefs-1.js

Filesize
6KB

MD5
e6f28df342c965e5a25c47752db101bf

SHA1
1a713f4ee27b841d5d0a8dcf9cc58157c9716920

SHA256
fffad710508b853973df6f5d621c69285962dbb4fd15bed43be6e3b3875c36ef

SHA512
32e555b55449d60f98b88a8debe8edb6b76fd9dca4c7bb983274852139c8cbc816f6bcaf9cd33eb161572de7754ca7ed3099b47758b3326cedfdb6cd4ebfc6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
eceb2953c5aab0c67723d7d2493c3c82

SHA1
716f322a03dcbea96e0bf723baf547fd93376771

SHA256
f10fd809c60727be67d71413c28407581664caa988ef86abbba739b2dee694b6

SHA512
eb5e5368c9329acf18cc6cf931cce5bd80996b50fb86377102bc5af362cfc7f5969e2f908c312a1ab12908a0b65cf36cc70559ec4be368914f761d3f850dfa94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
b1727ffc1a7aa63fd3916b3facb75e73

SHA1
63081d694444ea55dab33d6094bf35f92f68ca69

SHA256
a1a0c4f32793c798b84829d84b8cdf78ca3ca8e70c6de68ae8aa6ff844077846

SHA512
c46d731a99debe2567deb766c86f095a120e05f02b2657db3d11989a9812223dc2033419a4f012bfea1e9ccd3395f41b18337d5e26e50b85903c175749cf6074

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
c6f62afadfaed364e47efdc895c034e3

SHA1
b3bb79badc128fe3b69d7e616dcbbfc214e7655a

SHA256
251d747d6ed042e69ebdafc30969bb1bcec5ec5aac05aa20ea5740b7a0dcf4b5

SHA512
ca5bf96de6a3f4f08f70a0a70ed4a707497d63dc2db710b99fe7876a5c317520257e02440e7622e310351069a352b509b600e5057b26d6f980944b543efcb12c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5df63de86bac983894d29fed069fa492

SHA1
421d3499cf42057eb33bec0d1d3acfc1c3e0fd4d

SHA256
5de759ea93f140f516b90617d95e67e552744397deeb82bc2272ee6820f16076

SHA512
874c43b035ee1a41537fcf51f23fa2186e2b172f0b8eb503c2a7f8927993483f85748bb45209d1eec96f622bcf4313f6f91d95d303cdccd2b2392441baf02a30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cd08f24667c28620efc07af0cf6e6e19

SHA1
0af2ceaf5ec0487277a50a8147513accffda0cef

SHA256
26a275527aa7a0f4e5ed7fe53b28d45dd1abcfb701f55533352abb7376e8a5c0

SHA512
33f428749c58a17a726cb8c495188dec3f2faf9ad9f42fa97cef2beb9aba50ad2e8b84fb37ee0a28f9a45c61909ffb3e0426362870a625a25786f6f2efacc4e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
6c66516a75b4bafd92a8f9263ff3c188

SHA1
8779df514fb6d629a72ad539cf1dad50ce779ce2

SHA256
cd46db77829afcca0884a72a5dd2b04a4562368549fc987f7259dbece6e62f34

SHA512
7110941f9ff0776d8a5531d37dc6565b965b004a58d6d3934bf6a519f56a70566d74440f4e7e597bf5cc845b553851ba82649891aa8afb371c963e182e90471e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
dec0d516848623a766007818a70ffdc6

SHA1
8adc2590375fd1aa6706eac71c1d1e7a7c8727d9

SHA256
66a562fbe506ed865b2e51a5c22f54fc23e576a32646c7aac15a324ff261ebee

SHA512
26a31dabee8f7afe448b2eaa2742eb6ea9a3bdec496cb0fd9d13eef3e0fcd3542a75a40143d6feb8bd6b6f0203d4865bc5b4d3381bb6835fc92d1f6f3402502b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
725965790bd245163b36fdd1206401e2

SHA1
6287ab17ae337ca6de9a379587f43ae0619ec5cc

SHA256
15dd96bee90dabb2f347682e46e981a06026858ccb067f67f254e28aaecde97d

SHA512
8cd0bae749d6309772d8a2e7229783f92301d9cf985138789d6c9233e6c5263a34c936f2ebf795a4c9afca941ff1261647646d76365b95116556868fc870a7c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eqnlllhg.default-release\weave\toFetch\tabs.json.tmp

Filesize
10B

MD5
f20674a0751f58bbd67ada26a34ad922

SHA1
72a8da9e69d207c3b03adcd315cab704d55d5d5f

SHA256
8f05bafd61f29998ca102b333f853628502d4e45d53cff41148d6dd15f011792

SHA512
2bce112a766304daa2725740622d2afb6fe2221b242e4cb0276a8665d631109fbd498a57ca43f9ca67b14e52402abe900f5bac9502eac819a6617d133c1ba6a3

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403052035094313292.dll

Filesize
5.2MB

MD5
2e9e548040cbc282125031030041b2a9

SHA1
a84b26339be4cdd889ac806227c3260d57296605

SHA256
b44501388ac04d3db78e167cc1dc4daea68aa5c7140a2976b5a8e04f6d2438eb

SHA512
8be8af00aabe5e5ccac38faaf9ed499ea9c84d6a180a3cbce81297b58e1b4cfff5597638587c8f81058f59e19f87ac4bcdacfb34e1fce7ac61128837e39d3e7b

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2403052035200044496.dll

Filesize
4.1MB

MD5
755b151b807f1897cb451d7debfabf47

SHA1
3e11925d2109f9032f7a217b972d2db1369acb5f

SHA256
bb2f0fd97df2d0e3e77006c832c82efb3d4cdc22d0cd5a80004d56a2d9002569

SHA512
0c5e658d6f1ab34f093728f54671e4a89654a7376bf184a35bb1dc04d5fd2d0187560c4354facc1163a30f96411c4bd92b9db0d74e2575c0adf58d7a15963e7f

Download Submit
memory/396-123-0x00000000003D0000-0x0000000000991000-memory.dmp

Filesize
5.8MB

Download
memory/396-5-0x00000000003D0000-0x0000000000991000-memory.dmp

Filesize
5.8MB

Download
memory/3292-3-0x00000000003D0000-0x0000000000991000-memory.dmp

Filesize
5.8MB

Download
memory/3292-13-0x00000000003D0000-0x0000000000991000-memory.dmp

Filesize
5.8MB

Download
memory/4496-17-0x0000000000950000-0x0000000000F11000-memory.dmp

Filesize
5.8MB

Download
memory/4496-159-0x0000000000950000-0x0000000000F11000-memory.dmp

Filesize
5.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads