Analysis
max time kernel: 139s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 09:30
Static task: static1
General
Target: 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
Size: 112.1MB
MD5: 951253ebc4a99a4194d888bc83237249
SHA1: 1ebe2659f9cfb645505dee28408723a7253bb8b4
SHA256: e0676e14798238498be7074dec41bf98c05c0146fbf49ec1371c7a4ab19a3052
SHA512: 41846ed72d534fcb61ccb990ad99c351e83e30189e24ce7565d697be3e4f5e2ce1fd4bae28f13064c2f48360422d173fe319509706d76da9e6a30569e26cf736
SSDEEP: 3145728:6eEMe2LQ0MFGOkjy7wBIz1zlYC5BoGFffU0ZM:REpMOk+mIz1zRfoWfXM

Note on the family names in the file name: "cobalt-strike", "hijackloader" and "ryuk" appear nowhere in this report except in the submitted file name. Everything recorded below (a working directory under .opera\Opera Installer Temp, crash-reporter annotations prod=OperaDesktop and ver=114.0.5282.21 with reports sent to crashstats-collector-2.opera.com, an assistant_installer.exe helper, and msedge.exe being launched on download.opera.com with utm_source=netinstaller) is the behaviour of an Opera desktop net-installer, and no malware configuration was extracted. Treat the tags as unverified until the 112.1MB binary itself has been examined.
Malware Config
(no configuration extracted)
Signatures
Downloads MZ/PE file

Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process
File opened (read-only)  \??\D:  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)  \??\F:  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)  \??\D:  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)  \??\F:  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe

Executes dropped EXE (4 IoCs)
pid / Process
2808  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
5072  assistant_package_sfx.exe
4356  assistant_installer.exe
5032  assistant_installer.exe

Loads dropped DLL (9 IoCs)
pid / Process
4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
3376  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
2808  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
216   2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
3200  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
4356  assistant_installer.exe (x2)
5032  assistant_installer.exe (x2)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature in the report, so it cannot be tied to a process or a file path here; note also that the installer invocation under PID 216 in the Processes section passes --import-browser-data=0. This signature is what populates the Credential Access column of the ATT&CK matrix at the end of the report.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  assistant_package_sfx.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
NTFS ADS (1 IoC)
description / ioc / Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 144408.crdownload:SmartScreen  msedge.exe
The process column matters here: the SmartScreen-related stream is written by msedge.exe on its own in-progress download (.crdownload is Chromium's partial-download suffix), not by the sample, so this row records the browser handling the file it was sent to fetch rather than data being hidden in an alternate stream.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid / Process
724   msedge.exe (x2)
2920  msedge.exe (x2)
3424  identity_helper.exe (x2)
5560  msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
pid / Process
2920  msedge.exe (x8)

Suspicious use of FindShellTrayWindow (50 IoCs)
pid / Process
2920  msedge.exe (x50)

Suspicious use of SendNotifyMessage (24 IoCs)
pid / Process
2920  msedge.exe (x24)

Suspicious use of SetWindowsHookEx (3 IoCs)
pid / Process
4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe (x3)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows collapsed; the trailing number is the sandbox's own index for the target process)
PID 4612 wrote to memory of 3376  4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  82  (x2)
PID 4612 wrote to memory of 2808  4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  83  (x2)
PID 4612 wrote to memory of 5072  4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  84  (x3)
PID 4612 wrote to memory of 216   4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  85  (x2)
PID 216 wrote to memory of 3200   216   2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  86  (x2)
PID 4612 wrote to memory of 4356  4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  87  (x2)
PID 4356 wrote to memory of 5032  4356  assistant_installer.exe  88  (x2)
PID 4612 wrote to memory of 2920  4612  2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe  89  (x2)
PID 2920 wrote to memory of 3708  2920  msedge.exe  91  (x2)
PID 2920 wrote to memory of 2712  2920  msedge.exe  92  (x40)
PID 2920 wrote to memory of 724   2920  msedge.exe  93  (x2)
PID 2920 wrote to memory of 3148  2920  msedge.exe  94  (x3)
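Every one of the 64 WriteProcessMemory rows above is a parent writing into a process it spawned itself (compare the PIDs with the Processes tree that follows). That is the pattern of an installer or sandbox broker setting up a child it has just created; the injection-shaped case is a write into a process the writer did not create. The following is an added example, not code from the report or from any tool it names: it parses rows in the report's own format, checks each write against the parent/child map transcribed from the Processes section, and includes one constructed row (a write into CompPkgSrv.exe, PID 1436, which the sample never spawned) to show what would be flagged.

```python
import re
from collections import Counter

# IoC rows transcribed from the report's "Suspicious use of WriteProcessMemory"
# table, one row per distinct (source PID, target PID) pair. The last number on
# each row is the sandbox's internal index of the target process.
WRITE_ROWS = """\
PID 4612 wrote to memory of 3376 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 82
PID 4612 wrote to memory of 2808 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 83
PID 4612 wrote to memory of 5072 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 84
PID 4612 wrote to memory of 216 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 85
PID 216 wrote to memory of 3200 216 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 86
PID 4612 wrote to memory of 4356 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 87
PID 4356 wrote to memory of 5032 4356 assistant_installer.exe 88
PID 4612 wrote to memory of 2920 4612 2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 89
PID 2920 wrote to memory of 3708 2920 msedge.exe 91
PID 2920 wrote to memory of 2712 2920 msedge.exe 92
PID 2920 wrote to memory of 724 2920 msedge.exe 93
PID 2920 wrote to memory of 3148 2920 msedge.exe 94
"""

# Parent PID -> child PIDs, transcribed from the report's "Processes" tree.
PROCESS_TREE = {
    4612: {3376, 2808, 5072, 216, 4356, 2920},
    216: {3200},
    4356: {5032},
    2920: {3708, 2712, 724, 3148, 2248, 4800, 1180, 2556, 3424,
           2384, 2132, 4220, 4332, 2984, 1940, 2400, 5560},
}

# Constructed row, NOT from the report: the sample writing into CompPkgSrv.exe
# (PID 1436), a process it did not create. This is the shape injection takes.
INJECTED_ROW = ("PID 4612 wrote to memory of 1436 4612 "
                "2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe 99\n")

# Source PID appears twice on each row (the "pid" column repeats it): \1 enforces that.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_rows(text):
    """Return [(source_pid, target_pid, source_image), ...] for each well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def classify_write(src, dst, tree):
    """'child' when dst was spawned by src (installer/broker bootstrap pattern),
    'unrelated' otherwise (cross-process injection candidate)."""
    return "child" if dst in tree.get(src, set()) else "unrelated"


def summarize(rows, tree):
    """Return (counts by verdict, sorted list of unrelated writes)."""
    counts = Counter(classify_write(src, dst, tree) for src, dst, _ in rows)
    unrelated = sorted((src, dst, image) for src, dst, image in rows
                       if classify_write(src, dst, tree) == "unrelated")
    return dict(counts), unrelated


if __name__ == "__main__":
    counts, unrelated = summarize(parse_rows(WRITE_ROWS), PROCESS_TREE)
    print("report rows:", counts, "unrelated:", unrelated)
    counts, unrelated = summarize(parse_rows(WRITE_ROWS + INJECTED_ROW), PROCESS_TREE)
    print("with constructed row:", counts, "unrelated:", unrelated)
```

On the report's own rows the script reports 12 parent-to-child writes and nothing unrelated; only the constructed CompPkgSrv.exe row is flagged. The signature count alone (64 IoCs) says nothing about which of the two cases you are looking at, so this parent/child check is the first thing worth running before reading anything into the name.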
Processes
Indentation shows the parent/child relationship; each entry gives the image path, the full command line, the signatures that process triggered, and its PID.

C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe"
  - Enumerates connected drives
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4612

    C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffcb7792950,0x7ffcb779295c,0x7ffcb7792968
      - Loads dropped DLL
      PID: 3376

    C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --version
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 2808

    C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5072

    C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4612 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240927093031" --session-guid=2515eb8f-7e64-464b-bd67-90ca1404e888 --server-tracking-blob="NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=780A000000000000
      - Enumerates connected drives
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 216

        C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffcb6402950,0x7ffcb640295c,0x7ffcb6402968
          - Loads dropped DLL
          PID: 3200

    C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --version
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 4356

        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ff686c68268,0x7ff686c68274,0x7ff686c68280
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 5032

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2920

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb59046f8,0x7ffcb5904708,0x7ffcb5904718
          PID: 3708

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
          PID: 2712

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 724

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
          PID: 3148

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
          PID: 2248

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
          PID: 4800

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
          PID: 1180

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
          PID: 2556

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 3424

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
          PID: 2384

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
          PID: 2132

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
          PID: 4220

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
          PID: 4332

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
          PID: 2984

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
          PID: 1940

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
          PID: 2400

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 5560

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1436

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4900
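The --server-tracking-blob argument on the installer command line under PID 216 is the one opaque value in this tree, and decoding it is the check a triage analyst would run to see whether the installer is carrying anything beyond product telemetry. The following is an added example, not code from the report or from Opera; it uses only the Python standard library. The layout it recovers (a 64-character lowercase-hex prefix, a colon, then a JSON object naming the product, platform, OS version and package type) is what this particular blob decodes to; what the prefix is a digest of is not something the report tells us, so the code only validates its shape.

```python
import base64
import json
import re

# Value of --server-tracking-blob from the installer command line in the report
# (the trailing space inside the quotes is dropped by .strip() below).
SERVER_TRACKING_BLOB = "NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0="

# Expected decoded layout: <64 lowercase hex chars>:<JSON object>. The hex prefix has
# the length of a SHA-256 digest; what it covers is unknown, so it is only shape-checked.
BLOB_RE = re.compile(r"\A([0-9a-f]{64}):(\{.*\})\Z", re.S)


def decode_tracking_blob(blob):
    """Base64-decode the blob and split it into (hex_prefix, parsed_json).

    validate=True makes b64decode reject characters outside the base64 alphabet
    instead of silently skipping them, and the regex rejects any decoded value
    that does not have the prefix:json layout, so a blob that hides something
    else raises ValueError rather than returning a half-parsed result.
    """
    raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    m = BLOB_RE.match(raw)
    if not m:
        raise ValueError("unexpected tracking-blob layout: %r" % raw[:40])
    return m.group(1), json.loads(m.group(2))


def flatten(obj, prefix=""):
    """Flatten a nested JSON object into dotted keys, one field per entry,
    so every transmitted value can be listed on a single line for review."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


if __name__ == "__main__":
    digest, payload = decode_tracking_blob(SERVER_TRACKING_BLOB)
    print("prefix:", digest)
    for field, value in sorted(flatten(payload).items()):
        print(f"{field} = {value!r}")
```

Run as a script it prints the prefix and five fields (product.name, system.platform.arch, system.platform.opsys, system.platform.opsys-version, system.platform.package). None of them is host-identifying beyond OS family and architecture, which is the answer the check is meant to produce; a blob containing a username, hostname or machine GUID would show up here as an extra field.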
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: de65f746c23b98635cfcde2a14b5734e
  SHA1: fb127faee607e73b75027ff219fd311ba3d2a154
  SHA256: ad7354e08d296817d6946a4e66dcc35c00e62e57aaec1b3d83cc9b17fa7e612d
  SHA512: 634dbcc86e3c25744f65879b461151fa3c8dfd6b562810352020c6f8364a0efe2a86518b00208c1c5f9e4dd53180ff16d6eca9cabc65c68b36e9e855b222afd9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811
  Filesize: 727B
  MD5: 34ed9a3ad17c74006b73783de1a9c898
  SHA1: 56b8c2bdde2aa30847550aaa9a7b7a3538085207
  SHA256: d16dd2bb1c6e7bd0fcd9ccf90b45757baf7946c17372128f012d8ed4eb9f13ac
  SHA512: 4af44cfb9fc246956c0d2813c8ea02c9fa52ec90d66f3fc054d0122150e04af37afd0bae1c7845a3b6497996540b7ff868e3ba4d55f9a08e6954cad564e0cc91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 9afe06d446f0a065af01c048cbddc393
  SHA1: 8fafc942adfc79cb9c0b86b39516ce2fb01bb3b3
  SHA256: e231799c5142390fcc9633c021efcf9ecb58420da4a22163e8136eca0d93355b
  SHA512: 69e76904187b8457c55ead8a6ce1444f9b900536d22143c5cacebd5c343216aead5f84b6e6b9f46e3a8ccdd9b3cc98bde775f1961cb8b433cb17cfc299406279
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
  Filesize: 471B
  MD5: 1cfe01527588c1a117f0c8a7a8bdc4a7
  SHA1: 7d8731a0d75aa9844fabe2c853df64e091b4939f
  SHA256: 47c74834e54d5f9f1455ba4ea714cdf29fb181ec3321e07636d469241a8ad7b3
  SHA512: 52a1c955fd84cbbd467dc1191ebba512ff86e37d8b8bf4fae06658c193c803ce9b22c2eab75ee153393cfab3641354d7d57051453995793c21eea008ae9c14a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: ba36960b604ac64ee2a7b297373b935e
  SHA1: 6d62bf223e5475f9ae5daf06e81023d6e48173c9
  SHA256: 5adeb8b0c3b406e3cb8887372f107eb4d09fc5e81f9486920c0958fcb0aa58e7
  SHA512: 01be2ce81168512d2ef530fec52b3961ccb03112835561102b5fd6f8b95b229c37ab07e6679a0da8c3cffad594edd6154f2da15f34b297defa41c3bcf1abef55
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811
  Filesize: 412B
  MD5: 7d07a92c6eef7fba267101f3cc8c81cf
  SHA1: d30a59e53e3bb59344742f99c6e269a8a1c52218
  SHA256: 2452d9b37619f28df2b91e54bc365accc058047bc5f4708581c5833a363a4b09
  SHA512: 92ec521d29e71411ad642df677d05cd40bbcc579770be13f7f1da0f1f6dcfd011381012d22ed736fd6d118ad96e0020cce3b6b8c0a63ba50d32ea5a7fa52f6aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: e4c1c2c1f5cf00d87228f41755c2ff8c
  SHA1: b7322937391010876f284237d4f4f17f3d8e6edb
  SHA256: 868140611accf8f7590cca4acc1ef38e4a8c9a4778b8a205b466f5fc2d327a1d
  SHA512: cd5a7dc55e8698ba06220f1c907b0a8efc85d4038109b1ae07dbb0f6fca905cc6a0db045438b9355bd113ea7a0b24e1764119291f167d7d1f899d29bb6c8347f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
  Filesize: 412B
  MD5: f312518f75b970e3e22d8ced356f0e94
  SHA1: bdec0eaca8dc10fc9be43cb2c18515bec74dd8bb
  SHA256: 68a4760487fcd7422b6b01df2a04805f54277c589f2efd27f6d1467a1c0bc7d6
  SHA512: 3a7480185027c4ede89fb0dbc6f2bea1f8328df5aa3931c8afe7f940974481a8143710c1d8a5fa8c048d270452e59204c956c9a3ca3c36129597a409707fd85a
-
(path not captured)
  Filesize: 152B
  MD5: 2dc1a9f2f3f8c3cfe51bb29b078166c5
  SHA1: eaf3c3dad3c8dc6f18dc3e055b415da78b704402
  SHA256: dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
  SHA512: 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 192B
  MD5: d0808ada125ca2de3477977c84343cb4
  SHA1: dee7cf57d1d51d0164be41b42883d2f2e71d62d6
  SHA256: 5c00440c25ce036b41aa0abd6957d8f9b549caa18b8e7b70b6a3d40977651e46
  SHA512: 5ba59c8547c42cdb1e540b7ac39569d51d2860ba81fd61d956a65a92cb4b91a9b33013f9b6b70c6f98f605066aa4085fb85d55831d61b047d467919fe5dbac01
-
(path not captured)
  Filesize: 1KB
  MD5: 2fe1314c4d1c07587678eb50ba62f2e6
  SHA1: 288fd8266f6952ae26c19e0cbe16646d4fb59da0
  SHA256: 5b8a083d4e585d56805e95ee025ed2298a4a3add3a87018f719fa1d03884fef8
  SHA512: 58b30edf6918011860fdd07a18ab2a8019b77f7bb6b414ca303a181620141350e9a163f9b89d6167ca3ef7558dc4b814a9ef8d2805584518e2661617f2c3f19b
-
(path not captured)
  Filesize: 5KB
  MD5: da2c96d2bf52b9427e8b818b980c89c5
  SHA1: c72841eeb7184e1a867e489597e77815d6837de5
  SHA256: e1f718d43d1bb3e711aea1e4df34ccf79c99632212846e3f31dffc9af82a1127
  SHA512: e99a8f196468b22e62b34f3cf02b0e078eb938d4cfa01f48b8ed91da4f6f6a3fa2b5d0a378bab5d000a3d4437fc3ac739fca50805349c4e72b1fc80ab266f853
-
(path not captured)
  Filesize: 7KB
  MD5: 24439a0deee5e37ac0cb50c87b2a6fbb
  SHA1: 4ac6de41b1bf3c23f5810e4f315174b9b60f4371
  SHA256: dc841f2a59c3f231f149381b95b0de3961bd1f258e54a349accdc704937351e4
  SHA512: 2ca2a5329ba81e10b55901803be95267277c4602ae307609f87be9751a138dd61b119031c955c0b70d2c8278a8c8fedc258771652000372fee25849dfcfca724
-
(path not captured)
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
(path not captured)
  Filesize: 10KB
  MD5: d91364ee5b9a693f3d100909cbc48152
  SHA1: f3ede4dee822ece72a1ca2d58f180830d8c81081
  SHA256: 2856aeb8b8cd056e3268c276630cfb9b9216646a22f928fd00178d0d135b2522
  SHA512: 0cfb902709466ad0cf0cb3d09a0ea3715a262b33402a186959630e5b0916b1a276132abbe4012ce09a2b8aef3f5a6aeb7fb0c698d5b9b89194b9c5b104a8d1c3
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
  Filesize: 2.5MB
  MD5: 35780b98b5b6d7840ab369d576c22637
  SHA1: 8410b03cdb01bd3fea626b444b47c13c0ba8596e
  SHA256: 42f48f0629f2483e9aa2321a5147ae7fede93be6ffc5a8fdd7b3f6780ec91ec6
  SHA512: 92f7511d5f1d3f927e6f6f3e4e6214d80500eb84376086d331bfbf141b4f8ca17d797082aeac4cf1e189513cc1baaa1644d1b761e2cb0f83e8f0614bc2068c85
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe
  Filesize: 3.0MB
  MD5: 81fafa405dbfc40f6d38145aaa871edb
  SHA1: bfb6afbb815a011073d4850ebab0cbce198926b8
  SHA256: a3b76c3f5cc80f96ec4cb3e2aa27a90d81bc427bb3a1a1dcc3b5312ed7a4fe1d
  SHA512: 0c1d652c96eaf67a89bc52fe2534e8302a862e10aa52ac844db8777ad6793955cca16681ce67c46fd50e58d469fb1827f6dfe68f9efc2ec8604e3f4a8afb18fa
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbgcore.dll
  Filesize: 219KB
  MD5: 920e2429d93ab6de0144df38d4ecc4d5
  SHA1: b0337583efeaafeac3cf1242dbe1958327b36826
  SHA256: a94bdffbba88a411c959332c6e24b329d48b47638149cc43588168150d820c9f
  SHA512: 1885327f80ebfe80acc35b9cc368191ddaf862aeccd3129a0ada79c6cd280eaf015748a72ebf45e8cc6d1e5dbe126ef2bb54ed3529edf85dc902528894a5f9eb
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbghelp.dll
  Filesize: 2.1MB
  MD5: 036498155251c4f0547f6e7b45c48a86
  SHA1: fb813f06e446ae3c70629c5cfb8ec12e0f1801ec
  SHA256: c837ddd38856f82aec58b061199f345f7c68063917f52fb0bff3004ff101f839
  SHA512: 643b286fa815832ac08b9cf57523c0c29692a03f139296844bf9e57b53c4b8a5e8e223f7c506b60db02bd35a58fa8c84c5d3beaa4245b4cbb9fde1a94283f4c1
-
(path not captured)
  Filesize: 5.8MB
  MD5: 21c62a01246507ddd3b5dfd740f539fc
  SHA1: 8b1e396d65d2f1875c83e75b68fbbb46e3d64866
  SHA256: cd9bf24b6139410154d8e46c44212c467d5a660ce3e424fa421da63b417745cb
  SHA512: d2462355ef1a0bc666769affa63f549e9016034e53bda3d9d2c25e32d52630d32f9df18141580daf2cee531d81ff84c48e4d5f5f8aacc3ca3a65b4d23b865ad7
-
(path not captured)
  Filesize: 40B
  MD5: 37358640bbdc298c38f88c746c731967
  SHA1: 590a9db9b349e837d42104e074e7d97cf2ce8e30
  SHA256: 5e3b637ced16222b21dae1d0874c109f9d991a4f2146819e78e98339b8652194
  SHA512: 92393bde4597159766e7b4c5b5aff8ebdc729ceee9aafae5bfbfc67dd8c8a3fb1f2913a59d8c2e5e492595e69d3f71995546fa5b0c804cb9227cf2d58660d704