e0676e14798238498be7074dec41bf98c05c0146fbf49ec1371c7a4ab19a3052

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
Size

112.1MB
MD5

951253ebc4a99a4194d888bc83237249
SHA1

1ebe2659f9cfb645505dee28408723a7253bb8b4
SHA256

e0676e14798238498be7074dec41bf98c05c0146fbf49ec1371c7a4ab19a3052
SHA512

41846ed72d534fcb61ccb990ad99c351e83e30189e24ce7565d697be3e4f5e2ce1fd4bae28f13064c2f48360422d173fe319509706d76da9e6a30569e26cf736
SSDEEP

3145728:6eEMe2LQ0MFGOkjy7wBIz1zlYC5BoGFffU0ZM:REpMOk+mIz1zRfoWfXM

Score

6^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)	\??\F:	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)	\??\D:	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
File opened (read-only)	\??\F:	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe

Executes dropped EXE 4 IoCs

pid	Process
2808	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
5072	assistant_package_sfx.exe
4356	assistant_installer.exe
5032	assistant_installer.exe

Loads dropped DLL 9 IoCs

pid	Process
4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
3376	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
2808	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
216	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
3200	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
4356	assistant_installer.exe
4356	assistant_installer.exe
5032	assistant_installer.exe
5032	assistant_installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_package_sfx.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 144408.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
724	msedge.exe
724	msedge.exe
2920	msedge.exe
2920	msedge.exe
3424	identity_helper.exe
3424	identity_helper.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe
2920	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3376	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	82
PID 4612 wrote to memory of 3376	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	82
PID 4612 wrote to memory of 2808	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	83
PID 4612 wrote to memory of 2808	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	83
PID 4612 wrote to memory of 5072	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	84
PID 4612 wrote to memory of 5072	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	84
PID 4612 wrote to memory of 5072	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	84
PID 4612 wrote to memory of 216	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	85
PID 4612 wrote to memory of 216	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	85
PID 216 wrote to memory of 3200	216	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	86
PID 216 wrote to memory of 3200	216	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	86
PID 4612 wrote to memory of 4356	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	87
PID 4612 wrote to memory of 4356	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	87
PID 4356 wrote to memory of 5032	4356	assistant_installer.exe	88
PID 4356 wrote to memory of 5032	4356	assistant_installer.exe	88
PID 4612 wrote to memory of 2920	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	89
PID 4612 wrote to memory of 2920	4612	2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe	89
PID 2920 wrote to memory of 3708	2920	msedge.exe	91
PID 2920 wrote to memory of 3708	2920	msedge.exe	91
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 2712	2920	msedge.exe	92
PID 2920 wrote to memory of 724	2920	msedge.exe	93
PID 2920 wrote to memory of 724	2920	msedge.exe	93
PID 2920 wrote to memory of 3148	2920	msedge.exe	94
PID 2920 wrote to memory of 3148	2920	msedge.exe	94
PID 2920 wrote to memory of 3148	2920	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffcb7792950,0x7ffcb779295c,0x7ffcb7792968
  2⤵
  - Loads dropped DLL
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4612 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240927093031" --session-guid=2515eb8f-7e64-464b-bd67-90ca1404e888 --server-tracking-blob="NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=780A000000000000
  2⤵
  - Enumerates connected drives
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-27_951253ebc4a99a4194d888bc83237249_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffcb6402950,0x7ffcb640295c,0x7ffcb6402968
    3⤵
    - Loads dropped DLL
    PID:3200
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ff686c68268,0x7ff686c68274,0x7ff686c68280
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb59046f8,0x7ffcb5904708,0x7ffcb5904718
    3⤵
    PID:3708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
    3⤵
    PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    3⤵
    PID:2556
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:2132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
    3⤵
    PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
    3⤵
    PID:1940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
    3⤵
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8813213869974372505,16794262017543905404,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
de65f746c23b98635cfcde2a14b5734e

SHA1
fb127faee607e73b75027ff219fd311ba3d2a154

SHA256
ad7354e08d296817d6946a4e66dcc35c00e62e57aaec1b3d83cc9b17fa7e612d

SHA512
634dbcc86e3c25744f65879b461151fa3c8dfd6b562810352020c6f8364a0efe2a86518b00208c1c5f9e4dd53180ff16d6eca9cabc65c68b36e9e855b222afd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
727B

MD5
34ed9a3ad17c74006b73783de1a9c898

SHA1
56b8c2bdde2aa30847550aaa9a7b7a3538085207

SHA256
d16dd2bb1c6e7bd0fcd9ccf90b45757baf7946c17372128f012d8ed4eb9f13ac

SHA512
4af44cfb9fc246956c0d2813c8ea02c9fa52ec90d66f3fc054d0122150e04af37afd0bae1c7845a3b6497996540b7ff868e3ba4d55f9a08e6954cad564e0cc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
9afe06d446f0a065af01c048cbddc393

SHA1
8fafc942adfc79cb9c0b86b39516ce2fb01bb3b3

SHA256
e231799c5142390fcc9633c021efcf9ecb58420da4a22163e8136eca0d93355b

SHA512
69e76904187b8457c55ead8a6ce1444f9b900536d22143c5cacebd5c343216aead5f84b6e6b9f46e3a8ccdd9b3cc98bde775f1961cb8b433cb17cfc299406279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
1cfe01527588c1a117f0c8a7a8bdc4a7

SHA1
7d8731a0d75aa9844fabe2c853df64e091b4939f

SHA256
47c74834e54d5f9f1455ba4ea714cdf29fb181ec3321e07636d469241a8ad7b3

SHA512
52a1c955fd84cbbd467dc1191ebba512ff86e37d8b8bf4fae06658c193c803ce9b22c2eab75ee153393cfab3641354d7d57051453995793c21eea008ae9c14a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
ba36960b604ac64ee2a7b297373b935e

SHA1
6d62bf223e5475f9ae5daf06e81023d6e48173c9

SHA256
5adeb8b0c3b406e3cb8887372f107eb4d09fc5e81f9486920c0958fcb0aa58e7

SHA512
01be2ce81168512d2ef530fec52b3961ccb03112835561102b5fd6f8b95b229c37ab07e6679a0da8c3cffad594edd6154f2da15f34b297defa41c3bcf1abef55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
412B

MD5
7d07a92c6eef7fba267101f3cc8c81cf

SHA1
d30a59e53e3bb59344742f99c6e269a8a1c52218

SHA256
2452d9b37619f28df2b91e54bc365accc058047bc5f4708581c5833a363a4b09

SHA512
92ec521d29e71411ad642df677d05cd40bbcc579770be13f7f1da0f1f6dcfd011381012d22ed736fd6d118ad96e0020cce3b6b8c0a63ba50d32ea5a7fa52f6aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
e4c1c2c1f5cf00d87228f41755c2ff8c

SHA1
b7322937391010876f284237d4f4f17f3d8e6edb

SHA256
868140611accf8f7590cca4acc1ef38e4a8c9a4778b8a205b466f5fc2d327a1d

SHA512
cd5a7dc55e8698ba06220f1c907b0a8efc85d4038109b1ae07dbb0f6fca905cc6a0db045438b9355bd113ea7a0b24e1764119291f167d7d1f899d29bb6c8347f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
f312518f75b970e3e22d8ced356f0e94

SHA1
bdec0eaca8dc10fc9be43cb2c18515bec74dd8bb

SHA256
68a4760487fcd7422b6b01df2a04805f54277c589f2efd27f6d1467a1c0bc7d6

SHA512
3a7480185027c4ede89fb0dbc6f2bea1f8328df5aa3931c8afe7f940974481a8143710c1d8a5fa8c048d270452e59204c956c9a3ca3c36129597a409707fd85a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d0808ada125ca2de3477977c84343cb4

SHA1
dee7cf57d1d51d0164be41b42883d2f2e71d62d6

SHA256
5c00440c25ce036b41aa0abd6957d8f9b549caa18b8e7b70b6a3d40977651e46

SHA512
5ba59c8547c42cdb1e540b7ac39569d51d2860ba81fd61d956a65a92cb4b91a9b33013f9b6b70c6f98f605066aa4085fb85d55831d61b047d467919fe5dbac01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2fe1314c4d1c07587678eb50ba62f2e6

SHA1
288fd8266f6952ae26c19e0cbe16646d4fb59da0

SHA256
5b8a083d4e585d56805e95ee025ed2298a4a3add3a87018f719fa1d03884fef8

SHA512
58b30edf6918011860fdd07a18ab2a8019b77f7bb6b414ca303a181620141350e9a163f9b89d6167ca3ef7558dc4b814a9ef8d2805584518e2661617f2c3f19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da2c96d2bf52b9427e8b818b980c89c5

SHA1
c72841eeb7184e1a867e489597e77815d6837de5

SHA256
e1f718d43d1bb3e711aea1e4df34ccf79c99632212846e3f31dffc9af82a1127

SHA512
e99a8f196468b22e62b34f3cf02b0e078eb938d4cfa01f48b8ed91da4f6f6a3fa2b5d0a378bab5d000a3d4437fc3ac739fca50805349c4e72b1fc80ab266f853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
24439a0deee5e37ac0cb50c87b2a6fbb

SHA1
4ac6de41b1bf3c23f5810e4f315174b9b60f4371

SHA256
dc841f2a59c3f231f149381b95b0de3961bd1f258e54a349accdc704937351e4

SHA512
2ca2a5329ba81e10b55901803be95267277c4602ae307609f87be9751a138dd61b119031c955c0b70d2c8278a8c8fedc258771652000372fee25849dfcfca724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d91364ee5b9a693f3d100909cbc48152

SHA1
f3ede4dee822ece72a1ca2d58f180830d8c81081

SHA256
2856aeb8b8cd056e3268c276630cfb9b9216646a22f928fd00178d0d135b2522

SHA512
0cfb902709466ad0cf0cb3d09a0ea3715a262b33402a186959630e5b0916b1a276132abbe4012ce09a2b8aef3f5a6aeb7fb0c698d5b9b89194b9c5b104a8d1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_installer.exe

Filesize
2.5MB

MD5
35780b98b5b6d7840ab369d576c22637

SHA1
8410b03cdb01bd3fea626b444b47c13c0ba8596e

SHA256
42f48f0629f2483e9aa2321a5147ae7fede93be6ffc5a8fdd7b3f6780ec91ec6

SHA512
92f7511d5f1d3f927e6f6f3e4e6214d80500eb84376086d331bfbf141b4f8ca17d797082aeac4cf1e189513cc1baaa1644d1b761e2cb0f83e8f0614bc2068c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\assistant_package_sfx.exe

Filesize
3.0MB

MD5
81fafa405dbfc40f6d38145aaa871edb

SHA1
bfb6afbb815a011073d4850ebab0cbce198926b8

SHA256
a3b76c3f5cc80f96ec4cb3e2aa27a90d81bc427bb3a1a1dcc3b5312ed7a4fe1d

SHA512
0c1d652c96eaf67a89bc52fe2534e8302a862e10aa52ac844db8777ad6793955cca16681ce67c46fd50e58d469fb1827f6dfe68f9efc2ec8604e3f4a8afb18fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbgcore.dll

Filesize
219KB

MD5
920e2429d93ab6de0144df38d4ecc4d5

SHA1
b0337583efeaafeac3cf1242dbe1958327b36826

SHA256
a94bdffbba88a411c959332c6e24b329d48b47638149cc43588168150d820c9f

SHA512
1885327f80ebfe80acc35b9cc368191ddaf862aeccd3129a0ada79c6cd280eaf015748a72ebf45e8cc6d1e5dbe126ef2bb54ed3529edf85dc902528894a5f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409270930311\assistant\dbghelp.dll

Filesize
2.1MB

MD5
036498155251c4f0547f6e7b45c48a86

SHA1
fb813f06e446ae3c70629c5cfb8ec12e0f1801ec

SHA256
c837ddd38856f82aec58b061199f345f7c68063917f52fb0bff3004ff101f839

SHA512
643b286fa815832ac08b9cf57523c0c29692a03f139296844bf9e57b53c4b8a5e8e223f7c506b60db02bd35a58fa8c84c5d3beaa4245b4cbb9fde1a94283f4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409270930300464612.dll

Filesize
5.8MB

MD5
21c62a01246507ddd3b5dfd740f539fc

SHA1
8b1e396d65d2f1875c83e75b68fbbb46e3d64866

SHA256
cd9bf24b6139410154d8e46c44212c467d5a660ce3e424fa421da63b417745cb

SHA512
d2462355ef1a0bc666769affa63f549e9016034e53bda3d9d2c25e32d52630d32f9df18141580daf2cee531d81ff84c48e4d5f5f8aacc3ca3a65b4d23b865ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
37358640bbdc298c38f88c746c731967

SHA1
590a9db9b349e837d42104e074e7d97cf2ce8e30

SHA256
5e3b637ced16222b21dae1d0874c109f9d991a4f2146819e78e98339b8652194

SHA512
92393bde4597159766e7b4c5b5aff8ebdc729ceee9aafae5bfbfc67dd8c8a3fb1f2913a59d8c2e5e492595e69d3f71995546fa5b0c804cb9227cf2d58660d704

Download Submit