Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2024, 09:30

General

  • Target

    2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe

  • Size

    112.1MB

  • MD5

    951253ebc4a99a4194d888bc83237249

  • SHA1

    1ebe2659f9cfb645505dee28408723a7253bb8b4

  • SHA256

    e0676e14798238498be7074dec41bf98c05c0146fbf49ec1371c7a4ab19a3052

  • SHA512

    41846ed72d534fcb61ccb990ad99c351e83e30189e24ce7565d697be3e4f5e2ce1fd4bae28f13064c2f48360422d173fe319509706d76da9e6a30569e26cf736

  • SSDEEP

    3145728:6eEMe2LQ0MFGOkjy7wBIz1zlYC5BoGFffU0ZM:REpMOk+mIz1zRfoWfXM

Malware Config

Signatures

  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe"
    1⤵
    • Enumerates connected drives
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffcb7792950,0x7ffcb779295c,0x7ffcb7792968
      2⤵
      • Loads dropped DLL
      PID:3376
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5072
    • C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4612 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240927093031" --session-guid=2515eb8f-7e64-464b-bd67-90ca1404e888 --server-tracking-blob="NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=780A000000000000
      2⤵
      • Enumerates connected drives
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffcb6402950,0x7ffcb640295c,0x7ffcb6402968
        3⤵
        • Loads dropped DLL
        PID:3200
    • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --version
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ff686c68268,0x7ff686c68274,0x7ff686c68280
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
      2⤵
      • Enumerates system info in registry
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb59046f8,0x7ffcb5904708,0x7ffcb5904718
        3⤵
          PID:3708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
          3⤵
            PID:2712
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:724
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
            3⤵
              PID:3148
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
              3⤵
                PID:2248
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
                3⤵
                  PID:4800
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
                  3⤵
                    PID:1180
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
                    3⤵
                      PID:2556
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                      3⤵
                        PID:2384
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
                        3⤵
                          PID:2132
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
                          3⤵
                            PID:4220
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
                            3⤵
                              PID:4332
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
                              3⤵
                                PID:2984
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
                                3⤵
                                  PID:1940
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
                                  3⤵
                                    PID:2400
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
                                    3⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5560
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1436
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4900

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                    Filesize

                                    471B

                                    MD5

                                    de65f746c23b98635cfcde2a14b5734e

                                    SHA1

                                    fb127faee607e73b75027ff219fd311ba3d2a154

                                    SHA256

                                    ad7354e08d296817d6946a4e66dcc35c00e62e57aaec1b3d83cc9b17fa7e612d

                                    SHA512

                                    634dbcc86e3c25744f65879b461151fa3c8dfd6b562810352020c6f8364a0efe2a86518b00208c1c5f9e4dd53180ff16d6eca9cabc65c68b36e9e855b222afd9

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

                                    Filesize

                                    727B

                                    MD5

                                    34ed9a3ad17c74006b73783de1a9c898

                                    SHA1

                                    56b8c2bdde2aa30847550aaa9a7b7a3538085207

                                    SHA256

                                    d16dd2bb1c6e7bd0fcd9ccf90b45757baf7946c17372128f012d8ed4eb9f13ac

                                    SHA512

                                    4af44cfb9fc246956c0d2813c8ea02c9fa52ec90d66f3fc054d0122150e04af37afd0bae1c7845a3b6497996540b7ff868e3ba4d55f9a08e6954cad564e0cc91

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                    Filesize

                                    727B

                                    MD5

                                    9afe06d446f0a065af01c048cbddc393

                                    SHA1

                                    8fafc942adfc79cb9c0b86b39516ce2fb01bb3b3

                                    SHA256

                                    e231799c5142390fcc9633c021efcf9ecb58420da4a22163e8136eca0d93355b

                                    SHA512

                                    69e76904187b8457c55ead8a6ce1444f9b900536d22143c5cacebd5c343216aead5f84b6e6b9f46e3a8ccdd9b3cc98bde775f1961cb8b433cb17cfc299406279

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                    Filesize

                                    471B

                                    MD5

                                    1cfe01527588c1a117f0c8a7a8bdc4a7

                                    SHA1

                                    7d8731a0d75aa9844fabe2c853df64e091b4939f

                                    SHA256

                                    47c74834e54d5f9f1455ba4ea714cdf29fb181ec3321e07636d469241a8ad7b3

                                    SHA512

                                    52a1c955fd84cbbd467dc1191ebba512ff86e37d8b8bf4fae06658c193c803ce9b22c2eab75ee153393cfab3641354d7d57051453995793c21eea008ae9c14a3

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                    Filesize

                                    400B

                                    MD5

                                    ba36960b604ac64ee2a7b297373b935e

                                    SHA1

                                    6d62bf223e5475f9ae5daf06e81023d6e48173c9

                                    SHA256

                                    5adeb8b0c3b406e3cb8887372f107eb4d09fc5e81f9486920c0958fcb0aa58e7

                                    SHA512

                                    01be2ce81168512d2ef530fec52b3961ccb03112835561102b5fd6f8b95b229c37ab07e6679a0da8c3cffad594edd6154f2da15f34b297defa41c3bcf1abef55

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

                                    Filesize

                                    412B

                                    MD5

                                    7d07a92c6eef7fba267101f3cc8c81cf

                                    SHA1

                                    d30a59e53e3bb59344742f99c6e269a8a1c52218

                                    SHA256

                                    2452d9b37619f28df2b91e54bc365accc058047bc5f4708581c5833a363a4b09

                                    SHA512

                                    92ec521d29e71411ad642df677d05cd40bbcc579770be13f7f1da0f1f6dcfd011381012d22ed736fd6d118ad96e0020cce3b6b8c0a63ba50d32ea5a7fa52f6aa

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                    Filesize

                                    412B

                                    MD5

                                    e4c1c2c1f5cf00d87228f41755c2ff8c

                                    SHA1

                                    b7322937391010876f284237d4f4f17f3d8e6edb

                                    SHA256

                                    868140611accf8f7590cca4acc1ef38e4a8c9a4778b8a205b466f5fc2d327a1d

                                    SHA512

                                    cd5a7dc55e8698ba06220f1c907b0a8efc85d4038109b1ae07dbb0f6fca905cc6a0db045438b9355bd113ea7a0b24e1764119291f167d7d1f899d29bb6c8347f

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                    Filesize

                                    412B

                                    MD5

                                    f312518f75b970e3e22d8ced356f0e94

                                    SHA1

                                    bdec0eaca8dc10fc9be43cb2c18515bec74dd8bb

                                    SHA256

                                    68a4760487fcd7422b6b01df2a04805f54277c589f2efd27f6d1467a1c0bc7d6

                                    SHA512

                                    3a7480185027c4ede89fb0dbc6f2bea1f8328df5aa3931c8afe7f940974481a8143710c1d8a5fa8c048d270452e59204c956c9a3ca3c36129597a409707fd85a

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    2dc1a9f2f3f8c3cfe51bb29b078166c5

                                    SHA1

                                    eaf3c3dad3c8dc6f18dc3e055b415da78b704402

                                    SHA256

                                    dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

                                    SHA512

                                    682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                    Filesize

                                    192B

                                    MD5

                                    d0808ada125ca2de3477977c84343cb4

                                    SHA1

                                    dee7cf57d1d51d0164be41b42883d2f2e71d62d6

                                    SHA256

                                    5c00440c25ce036b41aa0abd6957d8f9b549caa18b8e7b70b6a3d40977651e46

                                    SHA512

                                    5ba59c8547c42cdb1e540b7ac39569d51d2860ba81fd61d956a65a92cb4b91a9b33013f9b6b70c6f98f605066aa4085fb85d55831d61b047d467919fe5dbac01

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                    Filesize

                                    1KB

                                    MD5

                                    2fe1314c4d1c07587678eb50ba62f2e6

                                    SHA1

                                    288fd8266f6952ae26c19e0cbe16646d4fb59da0

                                    SHA256

                                    5b8a083d4e585d56805e95ee025ed2298a4a3add3a87018f719fa1d03884fef8

                                    SHA512

                                    58b30edf6918011860fdd07a18ab2a8019b77f7bb6b414ca303a181620141350e9a163f9b89d6167ca3ef7558dc4b814a9ef8d2805584518e2661617f2c3f19b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    da2c96d2bf52b9427e8b818b980c89c5

                                    SHA1

                                    c72841eeb7184e1a867e489597e77815d6837de5

                                    SHA256

                                    e1f718d43d1bb3e711aea1e4df34ccf79c99632212846e3f31dffc9af82a1127

                                    SHA512

                                    e99a8f196468b22e62b34f3cf02b0e078eb938d4cfa01f48b8ed91da4f6f6a3fa2b5d0a378bab5d000a3d4437fc3ac739fca50805349c4e72b1fc80ab266f853

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    7KB

                                    MD5

                                    24439a0deee5e37ac0cb50c87b2a6fbb

                                    SHA1

                                    4ac6de41b1bf3c23f5810e4f315174b9b60f4371

                                    SHA256

                                    dc841f2a59c3f231f149381b95b0de3961bd1f258e54a349accdc704937351e4

                                    SHA512

                                    2ca2a5329ba81e10b55901803be95267277c4602ae307609f87be9751a138dd61b119031c955c0b70d2c8278a8c8fedc258771652000372fee25849dfcfca724

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    d91364ee5b9a693f3d100909cbc48152

                                    SHA1

                                    f3ede4dee822ece72a1ca2d58f180830d8c81081

                                    SHA256

                                    2856aeb8b8cd056e3268c276630cfb9b9216646a22f928fd00178d0d135b2522

                                    SHA512

                                    0cfb902709466ad0cf0cb3d09a0ea3715a262b33402a186959630e5b0916b1a276132abbe4012ce09a2b8aef3f5a6aeb7fb0c698d5b9b89194b9c5b104a8d1c3

                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe

                                    Filesize

                                    2.5MB

                                    MD5

                                    35780b98b5b6d7840ab369d576c22637

                                    SHA1

                                    8410b03cdb01bd3fea626b444b47c13c0ba8596e

                                    SHA256

                                    42f48f0629f2483e9aa2321a5147ae7fede93be6ffc5a8fdd7b3f6780ec91ec6

                                    SHA512

                                    92f7511d5f1d3f927e6f6f3e4e6214d80500eb84376086d331bfbf141b4f8ca17d797082aeac4cf1e189513cc1baaa1644d1b761e2cb0f83e8f0614bc2068c85

                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe

                                    Filesize

                                    3.0MB

                                    MD5

                                    81fafa405dbfc40f6d38145aaa871edb

                                    SHA1

                                    bfb6afbb815a011073d4850ebab0cbce198926b8

                                    SHA256

                                    a3b76c3f5cc80f96ec4cb3e2aa27a90d81bc427bb3a1a1dcc3b5312ed7a4fe1d

                                    SHA512

                                    0c1d652c96eaf67a89bc52fe2534e8302a862e10aa52ac844db8777ad6793955cca16681ce67c46fd50e58d469fb1827f6dfe68f9efc2ec8604e3f4a8afb18fa

                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbgcore.dll

                                    Filesize

                                    219KB

                                    MD5

                                    920e2429d93ab6de0144df38d4ecc4d5

                                    SHA1

                                    b0337583efeaafeac3cf1242dbe1958327b36826

                                    SHA256

                                    a94bdffbba88a411c959332c6e24b329d48b47638149cc43588168150d820c9f

                                    SHA512

                                    1885327f80ebfe80acc35b9cc368191ddaf862aeccd3129a0ada79c6cd280eaf015748a72ebf45e8cc6d1e5dbe126ef2bb54ed3529edf85dc902528894a5f9eb

                                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbghelp.dll

                                    Filesize

                                    2.1MB

                                    MD5

                                    036498155251c4f0547f6e7b45c48a86

                                    SHA1

                                    fb813f06e446ae3c70629c5cfb8ec12e0f1801ec

                                    SHA256

                                    c837ddd38856f82aec58b061199f345f7c68063917f52fb0bff3004ff101f839

                                    SHA512

                                    643b286fa815832ac08b9cf57523c0c29692a03f139296844bf9e57b53c4b8a5e8e223f7c506b60db02bd35a58fa8c84c5d3beaa4245b4cbb9fde1a94283f4c1

                                  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409270930300464612.dll

                                    Filesize

                                    5.8MB

                                    MD5

                                    21c62a01246507ddd3b5dfd740f539fc

                                    SHA1

                                    8b1e396d65d2f1875c83e75b68fbbb46e3d64866

                                    SHA256

                                    cd9bf24b6139410154d8e46c44212c467d5a660ce3e424fa421da63b417745cb

                                    SHA512

                                    d2462355ef1a0bc666769affa63f549e9016034e53bda3d9d2c25e32d52630d32f9df18141580daf2cee531d81ff84c48e4d5f5f8aacc3ca3a65b4d23b865ad7

                                  • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                                    Filesize

                                    40B

                                    MD5

                                    37358640bbdc298c38f88c746c731967

                                    SHA1

                                    590a9db9b349e837d42104e074e7d97cf2ce8e30

                                    SHA256

                                    5e3b637ced16222b21dae1d0874c109f9d991a4f2146819e78e98339b8652194

                                    SHA512

                                    92393bde4597159766e7b4c5b5aff8ebdc729ceee9aafae5bfbfc67dd8c8a3fb1f2913a59d8c2e5e492595e69d3f71995546fa5b0c804cb9227cf2d58660d704