hxxp://t[.]ly/-pDgU

Analysis

max time kernel
189s
max time network
193s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
25/07/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://t.ly/-pDgU

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
3856	OperaGXSetup.exe
4988	setup.exe
568	setup.exe
1728	setup.exe
2004	setup.exe
1896	setup.exe
2116	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
2824	assistant_installer.exe
2224	assistant_installer.exe

Loads dropped DLL 5 IoCs

pid	Process
4988	setup.exe
568	setup.exe
1728	setup.exe
2004	setup.exe
1896	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	api.keen.io
27	api.keen.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663871002101752"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1376880307-1734125928-2892936080-1000\{43B5D097-DFB5-44E9-AFD3-DE4F0F73E74E}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Key created	\Registry\User\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\NotificationData	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000e5f2b5a31fd2da017b719bb124d2da015837a0b124d2da0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Desktop\download.jpg:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
3832	msedge.exe
3832	msedge.exe
2276	msedge.exe
2276	msedge.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
5272	msedge.exe
5272	msedge.exe
6024	msedge.exe
6024	msedge.exe
5592	identity_helper.exe
5592	identity_helper.exe
5868	msedge.exe
5868	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe
Token: SeShutdownPrivilege	1388	chrome.exe
Token: SeCreatePagefilePrivilege	1388	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4988	setup.exe
5868	msedge.exe
6028	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2300	1388	chrome.exe	81
PID 1388 wrote to memory of 2300	1388	chrome.exe	81
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 1972	1388	chrome.exe	82
PID 1388 wrote to memory of 4000	1388	chrome.exe	83
PID 1388 wrote to memory of 4000	1388	chrome.exe	83
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84
PID 1388 wrote to memory of 2060	1388	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://t.ly/-pDgU
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97c73cc40,0x7ff97c73cc4c,0x7ff97c73cc58
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2012,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2996,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3004,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3040 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4548,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4900,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5092,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5132,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4788,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4640,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5384,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5580,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5632,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5760,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6136,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6184,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5516,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4644
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe --server-tracking-blob=NTAxMzE5YmRhZmJlZmIxZWExMTAyOWJlMjcyOTAxOTRkYjc0YzY1NmI4ZGZhOTA0NGVhMTM5OWFjODYxZDlhNzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9YVlJfMTA2MiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTEwNjJfZmMwOTF4czdzMnRtNzhuM2ZmJnV0bV9pZD03Mzc3ZTU3ODU3NGU0ZDQwOGVhZjJhMzE5N2JlNjZjYyZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0dCX1hWUl8xMDYyJTI2dXRtX2NvbnRlbnQlM0QxMDYyX2ZjMDkxeHM3czJ0bTc4bjNmZiUyNnV0bV9pZCUzRDczNzdlNTc4NTc0ZTRkNDA4ZWFmMmEzMTk3YmU2NmNjJTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJnV0bV9pZD03Mzc3ZTU3ODU3NGU0ZDQwOGVhZjJhMzE5N2JlNjZjYyZkbF90b2tlbj03NTIwNzI5NCIsInRpbWVzdGFtcCI6IjE3MjE5MTM1NDAuNjQzOSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9HQl9YVlJfMTA2MiIsImNvbnRlbnQiOiIxMDYyX2ZjMDkxeHM3czJ0bTc4bjNmZiIsImlkIjoiNzM3N2U1Nzg1NzRlNGQ0MDhlYWYyYTMxOTdiZTY2Y2MiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJwYSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJQV05nYW1lcyJ9LCJ1dWlkIjoiNmJlMWE0NTYtNThiMS00MzYzLWE3NDQtYzI2N2VjMjJkNTQ1In0=
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.99 --initial-client-data=0x33c,0x340,0x344,0x31c,0x348,0x74831160,0x7483116c,0x74831178
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4988 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240725131933" --session-guid=6ee97ab4-326e-4313-aece-c8857b88280d --server-tracking-blob=NzUyZWFiODI5YzhkZjRiYzEyMDU0YmEzOGJiN2M1YWU4NWE1ZTFlMjY3ZDE2NGMzYjk3MTZmNGY0OGFmZjA0ZDp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9YVlJfMTA2MiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTEwNjJfZmMwOTF4czdzMnRtNzhuM2ZmJnV0bV9pZD03Mzc3ZTU3ODU3NGU0ZDQwOGVhZjJhMzE5N2JlNjZjYyZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0dCX1hWUl8xMDYyJTI2dXRtX2NvbnRlbnQlM0QxMDYyX2ZjMDkxeHM3czJ0bTc4bjNmZiUyNnV0bV9pZCUzRDczNzdlNTc4NTc0ZTRkNDA4ZWFmMmEzMTk3YmU2NmNjJTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJnV0bV9pZD03Mzc3ZTU3ODU3NGU0ZDQwOGVhZjJhMzE5N2JlNjZjYyZkbF90b2tlbj03NTIwNzI5NCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMTkxMzU0MC42NDM5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyMy4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1hWUl8xMDYyIiwiY29udGVudCI6IjEwNjJfZmMwOTF4czdzMnRtNzhuM2ZmIiwiaWQiOiI3Mzc3ZTU3ODU3NGU0ZDQwOGVhZjJhMzE5N2JlNjZjYyIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI2YmUxYTQ1Ni01OGIxLTQzNjMtYTc0NC1jMjY3ZWMyMmQ1NDUifQ== --desktopshortcut=1 --wait-for-package --initial-proc-handle=4809000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.99 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x72261160,0x7226116c,0x72261178
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x7e4f48,0x7e4f58,0x7e4f64
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5956,i,9423351001637389821,5700770418216749405,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff986393cb8,0x7ff986393cc8,0x7ff986393cd8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,12452287710425338516,7933806542185288097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5384

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
b248ce452799c1d56f5c0024cf8f04cb

SHA1
683ca511c3c75b3492f23d9bbf3a21e009d97d1b

SHA256
58110340d9ec698f09ec082bde79f2bf920531be48d5965dbfb464ec64945eb9

SHA512
1626ee9a1fe79d6c95120291ab2d2059fa465ccc0e0d2c2b357af0e123ec0938c6ff97f9130201fae59881eb932f5543ab2ce991d63409e5d42e95d3b2dfce6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
727B

MD5
eeab1375953219c180be5bd4a0c340da

SHA1
220f67b7f16a2cd5ec63a0ea12f5e83b2a68647c

SHA256
dff6aded5e52c93654213b1d4206c25a798ea0a33a2de0050a91ebf44d0f944f

SHA512
3220d4d70c2e6b5944d4b17e75dbd6028ccc8578bf5085a75f1d2e3aebb8521a180af90ab027e070f66c2aab71f2dd1e7a44d9d3adb1536a178935307352a51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
401a65544d40a60e15666662cea04e0e

SHA1
894c782fe90f65b7273db94ffc334e50729f3f57

SHA256
4d6924f5bc0de95d24cb2c3d91e1dacbd9f1f4537ca0c276163432bbb989c999

SHA512
c8c6cec3c1449ee469cf03cff428aab93cf6d6d0b9041eb520a577d996702d85f001d54ec3c253e96889b9125f0dc8e5d794a19116b8318ad7ae2855da0d07b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
581e8558088a76cf0e6a1678c4689c52

SHA1
12a8bff10940d00fc969945b176cd4ffb7868230

SHA256
cc9fb80755c8c44bb22ec872e569d69e37a1bd01a1915f20b4ab66afd54ab0e5

SHA512
99bbb77e297c2ef6c12b74e1845ffe3523cc91329a783329c65a18d2775ef9978237be84ac6c8451e2f7a5a737d2fd520b62a4d90b6917d9330d22255ffd3ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9A347AC5A42F886F9F966873087C7F2E

Filesize
404B

MD5
af27b1802a9a51cb4ff701ef2b6d3293

SHA1
a45936997644c96e2d5da2db70ac3e65dc518f94

SHA256
e0cba2755cbdd18e469b421fdb1e556a0c1c91fc28df8d033ebf7b407423c634

SHA512
26d381b11d7e3f761b99456b90d3e089ec5a2c5613c803222e082f18f54f839840c0f42aa241a31db1df556db96fb809bd924c01d7d101df0f6c7ae2c6f12c4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
0991bdb4d10148e2f0a80847d498b7ff

SHA1
ff533966c927833fbae2a8c033fc5f6cee675539

SHA256
843c53e8c9caa2ed3f141fd6fa853b656a961c8055b741a591856e4de1deeadb

SHA512
e7952e1960e5270254a5b4ce4553e0100b64788e409dd5d9f142174abc00f8fb93ca990b5d93a7847850312234c0b8c8f448f7ef9ccdf68578b13fcd5f6eb5e1

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d7983c4169383718a465c327f57bbd32

SHA1
e564c1a6a1c3e4bfd6e4753e3fa03d613733f395

SHA256
50027d48e8566803ae20653ca4f377954f8fb748a46918bde0a817dd4f134a6d

SHA512
448473f6e55e9721a9daa062cd60c6e770c73335b66d89f688efa497cfa746459549df910102456b57b0e4f10ed6b8658f85626c058ef5f9fb579e00d3d92c4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5a505fb2b61ec2ef31b30b1d0d2a6e43

SHA1
ddb3eb5e0b7f3e5bb7572d251e57c3a76a4a14b9

SHA256
5c03d50734ae8ec4ac3b595c46d87b39d877094924d90904d6f051f98b3a44de

SHA512
8c4091afc831da3da47106bd011ced329294fe3f8532c5b0087da5c5a8ebbd30b2ee530943ff9ae8bbfb84dc139a62321db368a2d8011d63a2c20bb74dbe60cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
2946ffeb7e3dcbca17330f346d3d69a0

SHA1
aeae7fc5d9aff3b4d22e96cb51f55eea9bf35f22

SHA256
ced953551474262f301be7fdf1c1cbfc69b515f002d28ba9ea5d319d32b6cb67

SHA512
8bcbbc4853b0676c1e13e7399ef7935aa4451997705be24ce8f45dc652f4fc625636cce86aa3ddd340a9d406b18e0506b8df968e2df86efeed2daff702a2e9e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8d90cd09bac59ad185b2727adcbe3e14

SHA1
3d57156523c6ddb2dc9d4ec7321c3d7ceccb0b95

SHA256
cc374c1b413c69e372ac435f67ea5b76e04c020bd5685f48b6cd59b6a790e9a3

SHA512
d7fa574f8aac83c0cbdca75fe344e856bb02001d51b1ee2da54e899c6d697e880b1336f0bf9fd69b0a4f5978c98457306d6f96b0e085f90c5576e77f462e9aa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ce637aa6ee32ff581b08ce1fc61a3321

SHA1
eb77bc309faac6f0f39d2452c2db85d18d443936

SHA256
312a95be62e57db41add4e2814245e2bc1cc790d45254d1e706bd8d58fc55b24

SHA512
56dc8e15363ee32d46139ec9e945422f19a1f3b0f57a596dd6225dbbde554baa9de7ce9eb57d289bf7637594f1628d24be10d1f897e2a695db06d0642399270d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ed6e0749d657eb11d058b59901d987a7

SHA1
93e5aff27bcf9bd532a308d2c5b9e3facf093fd4

SHA256
721db00728498af39d712e50b5e33d5ca7c6176cd071f13d59079e277e19e6a8

SHA512
8912409bfe141711890fb3c3ce769842b2e09a6b458305cdfc2a3cf0cb5842fa3b453f1b9431942b578015410ea6a8cdecccd1ef50d13e53c96a78fc04790057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7ddfca1509c292e1e7d1b533803ae02b

SHA1
b44c10b5c6899f0beb160b489b200a66c79c85aa

SHA256
48e97cb2dd7156f818cfb43ac53c374849c7c2e367303c6f8549b84231c54987

SHA512
1b57d2eff1b4bc582ccc6627d55f3ec022504a91555e233d26a2dcf40de70369219f4bff05a2f2d5f1714995b26131e09787f8f0ff308d22025885b33398bb27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15d4a4c13388e066b40965570f47570e

SHA1
02759bf4c18289c066c7f74a079b0835249fa3c0

SHA256
340a1e5168f4e7927e7dc400392d4458421325f8917d5848a113c98636abedbe

SHA512
65c52aaecc4384ced3ad396204c2999ae552c860846aaac0e480e5819a7ec406281ff425a5161373fbc8a5001b748b033faaa9f191a8b31f43554d2bb2bd0086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca48efc6d3d999d49762b4ca7e811c2a

SHA1
1166a74b13bf6de9a81971aae9fb0de3cbcb508c

SHA256
fd4fd8f8d32e881aba35b2283a2736eba1773c21398d2bbc387259a7f9c3f93d

SHA512
c0bdd4f0e6f6ce74cfb16e5798f4ecc1a511ff0fb56bbc203c8ead88c404e834fa431768dcbe5570ea0e6dbaf67f1b06de9c8506bf082892cd7a06562be4364a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fb6e07daccc81c2cb88260fe068d21b0

SHA1
94db5269ebd1fd3bc1d38e769364bea2515070b8

SHA256
b26dfb0b4c43e1e17602ffbae27e8a908a960026b0795bd6656a784bd1ab61fb

SHA512
3066dafd3d28dbdd1ecf93cf1a1eb4ce0b02bef80867e62c168faee898ec19d958912281f9a5cddc1a032d625c41ab7e5b3aa727404792dac54d0a00e9c62eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
50c5ff02a1367b84181137b83f8d6d4e

SHA1
4ae89bf964eaa0aef7bc2105a5be914e9577b208

SHA256
e8b83677c6974ca8dcd1a1e14ff7e05e1a369ec2e948a6eb9133e7fe77e282da

SHA512
9f6d71a5768ff0985a9a149b5ffa018df53c120d19f68d17b958557646840fda9596ef5e7c05a02ae9447bfac79fabbb77988ad8b9e2001b2820556269de478e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ca5c2f673d77f1cbf510c184f1a9c6d5

SHA1
d67fabdd4ee280f39adf360d48f21e8ba0cc19bc

SHA256
3bf51ec3822fae7a5459937e5e766a2a811aab24e87c7ffac235d45b5b861f05

SHA512
6ea3c7acbb00578983cb4cb419013c117a1902dbedf41f224548dd1b45f58d228193ac8c93e654ddf7b9fd30022838fd374c41987e7e52370ddfc82e5b480891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dd5aad8e1f6a9050953115255280609c

SHA1
0a13bb73d7e54afab5d10e736396165632acc183

SHA256
c57cbf5eec59277e340e1c70995d7e6b5cc1ab5022f54a6506156b0e5e337f8c

SHA512
6bde4c187c6608302909ab66ec0591bd31d99d2fdd15cab8830c566d56b473f6ae4576778c7d6ea9fc635328455c6940a6152279daa8eba8184a98f004705a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2c72ad35555f506254c4d051dd29552b

SHA1
5009470ee2d22bfd07a18df7e5bbf98e24b739ee

SHA256
844dcf69bad04d8b473eeb9a9b9b1d832c670ae92e06c7d4bc72bfde04e0a947

SHA512
d83bdda126eb9ab372fc301a2d0f9d7bfb4b3884cf25548936d4d4b6f426aba5c153bbe40b28c2905b26c1d8bf6158faab6aebb1576aeaf4bfce3104dac2046e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
612eec9cf5cf06ccacd7d15868da7489

SHA1
749d7027238e89c826cb50fc5629ebfe900bbced

SHA256
8b5b6fb770b39c78c63a8ba4e9be107ea5f49a8bf4b7dd5dd423b1101602fdb9

SHA512
e8f43e7983c90e37c479bfdb689ec9c7083505571c2bb965a1c1dc5ac6b158c158321605555fcfb3790a21f64a0223d76a1a8400b33259f92d8533c8b42bb6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
07c6d5fe67d8f8134f01194e07ed3105

SHA1
81f63ad238878db71fece12373c3128bc7aab9e9

SHA256
78bd4b34915d6ba2727cd48e8bd4f6eafcd9d18ed4a81fb8d0cfa8a017dbaf1c

SHA512
cff5b4ff3ddb2c4416e06709186f05f4107c3adc5e560329b5879380dc60e3f42f8e8fadbcdc50c2c5b5bb4142ebbbcb2b08c119f45900f316af7dd857b63499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
02f2cb364991ce1909efe9a603b25de8

SHA1
7c46bb7e84d086032c3b8e826c707eeec53c6627

SHA256
4ed7e3d10a8daf15a01add3719c43d0ac121377637b4b80e9238e30dc42e5014

SHA512
23bf4bf4d09c20bc6f58ce4329dd9e09abb34d4ad0ac67716340451545e99ea28110aaca67ffda28d35f56644b1399da17939691cabd6dd50084e1eafe026c13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d87f7e0273310c384e48cf2ddee2090c

SHA1
af27f18af58d4f958850cb7ba8e3d3a2e60378ce

SHA256
925706d524f1e37a1dca0e5eeaf4649dd9167ee4a3713fd28b03d2c9bf6229f2

SHA512
25bc3c912407413ce3f3dc2c7c965fcf8e00802a888b94f952aca7ccdc92879d39d98913bc103f9b3744bb5b27048a5329d0a44562f1e334bd8de8d102027af2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84665102c2d7a55811ab75cd0137fcaf

SHA1
ccb3137c3198dfc0001ea5f0492a2a373169e8ae

SHA256
0fedb48b134f6e7a0b544840f7c214c4a718c84b87b962dee9fa056b8ea09cd9

SHA512
e88aa3db3ae12ebf26e8cc2ceb90fc2d47b763cf0711d82dc61a9c3c6a1e02545946ec16f1551712b399d018418dead3ee6b4b11085258abf56665b92fe9ee9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c580df79cdb0c088d40b3c80f8550173

SHA1
73c307de40b852abd14fb1e98e8d4e5beda5385a

SHA256
88fcec2e1d32f4cff94dfe6c862d592a4d103c78cfa5ef02c8bf2cbf140df022

SHA512
3856f2a9977f3facef7a149b9e625bdd200393b625e1f476ac049e04259a77b844c8ddefd7d649ec7ce859b93c76c97b58630e65d3c6f310438c146942167aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
652b1424e0a1368cb1b7d1d55144b1e0

SHA1
7a6f7078cea39c278b675e7de8d815b6ab09418b

SHA256
bf04d7674726c25d7c6db246060bf4732422624ce15c8a504a8b2941dc119c0f

SHA512
4d41d0326696bb7ae644710ea865ee0dc200bd6931baedf7fb3d5fc6c9bd695d18468b920717446306dfef0fed1bab15c536e5f2e8a9c069734d6013c47b9159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
709f4b7998f21e38ef05f8a875ef81fa

SHA1
bc953b3e3e1813f7fe406a40a403fdcfbaa38c23

SHA256
6d8f5501bf549b3e8f75d9f03568f8c43f0a42e81a5579074bde585bc5e13fd3

SHA512
08f277370848e5172473de163753fa7e162781b1d066042aba1b124c0e032fbd6d5932fb959439ee34a1e546dfec8ffeb4b2336ad86859cfe5a7186290da6e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
cd50b009e46d17aa7ae5f52f6d3ba5f2

SHA1
aa81e22c55f67c20a2377221b44a35b3557f4785

SHA256
e159fcb4e68556ac5c8f96ea417d37f11db152fe2d166caadb6c848c7a10b556

SHA512
5d6bf1d6db0838321546ec4ed78fec2a42d2a0a2ba91bfdc538088455b1ce5e89a9d469bd2f9a4bf8c1c8e7986b81b0a78091726ffaaffa91d5f136d02c64f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
9a270ad49becfc6733efa16be5554c2d

SHA1
22f35ba813378c5812064f169a8346ccdcb4f7a4

SHA256
8077a673aa2c8cb19e13efc0db098e9bb22c0090a62e4f10c64dea70d11e6515

SHA512
8e8969148771c76e39b124c4fa1fbcbc2948d32c52a454bfa1e53010f23dae737c17619c183d320afb81c9bd8b13cacc66c77fda9eda9348ff3d277437a4c9be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53eb880cad5acef8c91684b1a94eed6

SHA1
afab2b1015fecbc986c1f4a8a6d27adff6f6fde9

SHA256
5cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27

SHA512
d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0499f1feacbab5a863b23b1440161a5

SHA1
37a982ece8255b9e0baadb9c596112395caf9c12

SHA256
41799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7

SHA512
4cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6b44acf2ec1b7ec088953555196c8244

SHA1
7b1c743271895f6f7fa14f5e6daa5da6e3188027

SHA256
4234aa8e75cd2274616b5cad62fe822464b6e8c6d0a775f47abf8df863214824

SHA512
a1253c3889f46a90f6bb6fc41303f882a340b81f21e9f55e5b87e2d2d3b53823790565984ce1d8f32ce14c6d535225a85e912c396112390169ee46c0a73132b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6ad3abae243a431b994a313a31f0f29

SHA1
56170ed6017a3ba85bbea90ec0e41a6053745509

SHA256
20bdb241f28e5b8450d3a484c5afe2cc7f18a40ebab2d07f0f0c700ab72b107e

SHA512
627dc2a88666d83738a676dfe8567fe7419d0556b7cee888d01cb41c7cf6f65f902dc00d124c945ea92b2f0589e39ea7a16cc0124bdfa09f1c6b0549d7d1bda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
808e44dd1bf2e233752012ee40c999ec

SHA1
3ffbb6ddc52a990c1141a7b14d602fe9236d2924

SHA256
b9ddb2453c676b81eb948c74df96ff9da6fd2f8970fab80cb191de382449edf9

SHA512
d4c6c2022449cc64d85337fd39f3dcd053008078759856cb63be310972b82c7f4696f3023c1fda7dd758726117e4cf2a65dbdcbe9606b470afc2a9e1a459fca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4409a208856228ae048e86a613640f4e

SHA1
7323e5aba504755723b8ab08c8f005b07a5a72db

SHA256
94141d028a1a003aa8c01a8a9e5c4dfb95c0353da08acbc1c11629773d285e09

SHA512
147de10a9e8e3ad61f5020dd900882589edcecebf5732cd47450590198aef084656428e93fffb42eae527e13aebd0bedf297b3016f8e97d2103af4234dd36039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b240041fd3b68e320116a6648dbe989

SHA1
91f23b9ef5e21b84908a6230d4f65c6ca2661c05

SHA256
cdadb3527b2a1e3266cc01034786279b9fa0ac66b32bed2be3aa1a8bea3c44ae

SHA512
f37e3e92c17f050fbc7bb928f4ee510ba33aa4e6c22aa433451afc0dc6546a6345ecfd03ea29043e2d4ffdbf79a6a1b667457edf68f9709978ad9af3f9b676da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b69fc40914eb6025561fffa1a5150a91

SHA1
ded8a60073c06af71cdf2fdf652bb14d4cffa087

SHA256
26e3a36ac261672e59c6d8f35c8043c91ece357baf9f8fb4ca941e47b5716b3d

SHA512
f00a4aa5992dabb724532068585c099bda5da89066f9d216eee9f85a2d308cef51012b47c4c644bb12bd038782f831575a8cea8631717ad805c0fcfdf7e7bb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c200253131ba860f7a28b1080971b758

SHA1
716efbfb7de880dfc9b9fe068ad66164190a4ca9

SHA256
409697bc32e6e52c8d6d87d37b79c2c36a528942ae137ccde6bd812b250a8ae3

SHA512
95de0b38a95d67ebfc83c4eef759cbb8b4f1650ada9d3bb21f4838777e5fbd0df1fb611498b125fd8c8ba4cecc4bf44e077ee6bd04a79fbef4ce2a7f93866b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af9f6b450258ab463c7ad5868945e914

SHA1
b2b3269ed7f2c339d5e45001c0afdb828f485c3d

SHA256
ef46ae1e6101c6c8635b0d3b862fa86148d513e795997f3c070914d78ed2a952

SHA512
4bc07e3c0709ed4e276af1903afa51ae3831b7358e0b1f96d00dbca388fc14aeaa91f7fa89ca885db6bee5eeac114807647509c962416fa61eda2e2bc8f1f144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3e7450398842b8fb470c655a6fde3a75

SHA1
c6f4172443b8ec8bf1a950b94e00fd6162ede344

SHA256
4f5878a8b39751a4f7c5822d9f220b98fe95cfda862ba788c0d0ccb097ffad52

SHA512
9072d84c5f200a610681a9f0bad2a56d252dff8039028a29fcd4e218e5156e87ea70802b1a883fcb301422f994e65457b8fa7d9440cb405f8b154cd13bb976c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b1ec9315f289328573d7f9d6aae55676

SHA1
9c9b55eb1b7599d1ace7106223893a520d4de3c2

SHA256
2d04d98920024396f3d9758f70b929f025fc60ca9532f83cb9ef3e88f4faf571

SHA512
5ffe85c3ddd1a54b6d517760919a8d18f63004ac4eba2255ad2f1b9b81ee9523348386abb0cd3fe0cf9bcc37504d3e141a41cae24b154f7c587d2b6a3999de03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
13711fd161e7f4ee8ffd3753a4e13ba6

SHA1
ac05be1a8fe39f783357e5fc8212a0139bbf64ab

SHA256
1638a44d7f588bb6ca7cab114ab951108012ad3c7acb6e0bf42a5aa503c41391

SHA512
96bb319141c4edf5544f1c2ee0145e5f461e9a6405c3786ba887ab8643f0e6e301384dc3a48be82b9186317d93565457e008cf61ee5cc5584026406550290b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
436cc465b88824483586b6edaceb42cb

SHA1
13267ef7b4bf9b1a01635027c95816d463d4fcbc

SHA256
9ebd902cdb9d52ce9bd7435e4c34da236f6adf04ee869f86473665ae00d5334b

SHA512
f8509b38198b7a3d487d105d77b5eb68eb299551e1dea341e1fe217d7cfcb1f083014d8de19bc6da472f223363433d1c7416a45311bb713ed7fcfdf3df774e86

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c7e6c4fe75def133faaad5143dd9866b

SHA1
16c306f0f07a1eb20a184a055e7d00dae5c1be2e

SHA256
93a3517d19755945a0e9a7f896bb4df74f0872ab515779b5919f8a06eb5732ed

SHA512
3f32f7d849fd6d5e064a4f67733f1d8cba9ede77e515e175283682055a4e2f9bce65dd5ef82239266c1dc58aa708905f677fa557f3261d20c5de55b64a9182e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202407251319331\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS01F3F619\setup.exe

Filesize
6.4MB

MD5
241331bede4cd250aeead156de3225c0

SHA1
4e6ebbfda62706203c7f3016d136560854841358

SHA256
b476f1c8521db36255a862af284f462eef77c4fd5233adb002137af7835f5e86

SHA512
9eb8f3970645315c73e80cea2af9364d8aa68d4e3383cdf21dd0393fc74857538639793e995a66b6bd58f086738981ffc364a06b23b129fab380d0e59532d712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407251319320094988.dll

Filesize
5.9MB

MD5
4510a03cd9a85d34ad47ed84097ed4a4

SHA1
a1a761249bbbe8dffcb3fac37ed570c89e130379

SHA256
cafaa2ac106c340ca91acbbd483379cd3c2273d2cb795349db6b07c7272c0433

SHA512
95b4b9de8818e025608f7a77b3281e879bbaed5bbde6cfcbbd4bcb1b6c6cf09706b68061b7264d90c3374c2a0072f91afffc5b617fec12921407c72b63b2be62

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
3cf2e301eaefc4cd6ba80e9c45aa1c89

SHA1
6384d2e746f9fb497b75b250d4f70a4f3ddea8a9

SHA256
7e00ae13bbc28851dff829dad36926681895f2d57879fc0b581908e00551a7c0

SHA512
c6b421d53a1a0394433b804598bc8767172f408a38e38020d6cd6578ab453461499fb136167d4a3610e99508ea711d57f2ed59ed793e7aa16531bd23aad988f4

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
b8f2c0230bc7eb7b9733fb11bfdfe4a7

SHA1
2cf21562ef01c41b2dd239b70b6ae198ef8f94c9

SHA256
a12b4591cd350349b613ed03c7279e4167ad2fa81b50212eb714e11d58119735

SHA512
5af0aefbbd4a92ba85a66865799ab66c0bcdb36f39e1a2a6479cca200bc3b7015a43d648450599c1217a1e95c234d23478a3c36348aeba9f4a1b3f8fa4266066

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
3.1MB

MD5
d7bf8224cc74255ec04ab7d8a8e06bf2

SHA1
320bac191a9b325e48ea715c2b8a74f772e46798

SHA256
c2a51648ebbfd553721d4350914497f4fe37a83f82b72b757f76a9521bf08f24

SHA512
6376e4badba18ff0a5226ff3e65f64e692ccb454d65292cc9bb3d05e1b5013d0f20ae21512ee02d5e8c8c6875795d56e468f3fbfe428340f0fc1d33f551f1ee7

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit