5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0

Analysis

max time kernel
101s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe
Size

3.1MB
MD5

d0447caaf040e70603a228c2a4a3b4a0
SHA1

668028029a0cfa3812fabcc7fe22575e099916e9
SHA256

5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0
SHA512

a567b2d31a0a6643dab684d40349614fafa9c8087bbab36bec7d279d81b6385ad86d8d85b5d09dedba990ad948e996ed190211889b6223b3f5c373c19edac5cf
SSDEEP

98304:0AvAd9yGp338SUPNvuldZzOKsGU0DAo8In+aP:5FG18rNmldrsn0Zj+aP

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1508	setup.exe
4932	setup.exe
1052	setup.exe
2684	setup.exe
4484	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1508	setup.exe
4932	setup.exe
1052	setup.exe
2684	setup.exe
4484	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 217358.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
2128	msedge.exe
2128	msedge.exe
1252	identity_helper.exe
1252	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1508	setup.exe
1508	setup.exe
1508	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1508	1912	5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe	85
PID 1912 wrote to memory of 1508	1912	5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe	85
PID 1912 wrote to memory of 1508	1912	5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe	85
PID 1508 wrote to memory of 4932	1508	setup.exe	87
PID 1508 wrote to memory of 4932	1508	setup.exe	87
PID 1508 wrote to memory of 4932	1508	setup.exe	87
PID 1508 wrote to memory of 1052	1508	setup.exe	88
PID 1508 wrote to memory of 1052	1508	setup.exe	88
PID 1508 wrote to memory of 1052	1508	setup.exe	88
PID 1508 wrote to memory of 2684	1508	setup.exe	89
PID 1508 wrote to memory of 2684	1508	setup.exe	89
PID 1508 wrote to memory of 2684	1508	setup.exe	89
PID 2684 wrote to memory of 4484	2684	setup.exe	90
PID 2684 wrote to memory of 4484	2684	setup.exe	90
PID 2684 wrote to memory of 4484	2684	setup.exe	90
PID 1508 wrote to memory of 2128	1508	setup.exe	91
PID 1508 wrote to memory of 2128	1508	setup.exe	91
PID 2128 wrote to memory of 2772	2128	msedge.exe	93
PID 2128 wrote to memory of 2772	2128	msedge.exe	93
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 2924	2128	msedge.exe	95
PID 2128 wrote to memory of 1512	2128	msedge.exe	96
PID 2128 wrote to memory of 1512	2128	msedge.exe	96
PID 2128 wrote to memory of 1248	2128	msedge.exe	97
PID 2128 wrote to memory of 1248	2128	msedge.exe	97
PID 2128 wrote to memory of 1248	2128	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe
"C:\Users\Admin\AppData\Local\Temp\5b69c7eab651ac554becc0d4e3c6ac491396dbbd7bb14d3cc021e9a5bdff92c0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe --server-tracking-blob=N2JjODU3NTEyMzhhMDY2MDIxYTdjNDljMzJhYmViOTRjOTJhMGVhMWIwMmU2NzBhMjE0ZWNiNjQyNWJiMjliMjp7ImNvdW50cnkiOiJERSIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYV9neCIsInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0RFX1BCM19ERF8zNjYxJnV0bV9pZD02ZDE2ZGFkOWMzOGQ0MDRkOWQwOTg3MDM2NTBlNmNlMCZ1dG1fY29udGVudD0zNjYxXzI2NjYiLCJ0aW1lc3RhbXAiOiIxNzI4MjY0MjU4LjA1MjciLCJ1c2VyYWdlbnQiOiJJbm5vRG93bmxvYWRQbHVnaW4vMS41IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0RFX1BCM19ERF8zNjYxIiwiY29udGVudCI6IjM2NjFfMjY2NiIsImlkIjoiNmQxNmRhZDljMzhkNDA0ZDlkMDk4NzAzNjUwZTZjZTAiLCJtZWRpdW0iOiJwYSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0NjNjOGQ4Ni0wM2FjLTQ1NTMtOTBiZi04MTg0N2EyMWZkZTkifQ==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.135 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x748c1864,0x748c1870,0x748c187c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1508 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241010023614" --session-guid=b8e55b5d-84a5-4f4d-a1c8-669d9a704c42 --server-tracking-blob=ZDY2ZDJmMzRjNzU2MzRjNmMzODJmMGVkODBmZDZkNzg3Yzk5NTk3MDdmNWU1NmIxNzBiZDhhODNiOGM0ZGZlODp7ImNvdW50cnkiOiJERSIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0RFX1BCM19ERF8zNjYxJnV0bV9pZD02ZDE2ZGFkOWMzOGQ0MDRkOWQwOTg3MDM2NTBlNmNlMCZ1dG1fY29udGVudD0zNjYxXzI2NjYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MjgyNjQyNTguMDUyNyIsInVzZXJhZ2VudCI6Iklubm9Eb3dubG9hZFBsdWdpbi8xLjUiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fREVfUEIzX0REXzM2NjEiLCJjb250ZW50IjoiMzY2MV8yNjY2IiwiaWQiOiI2ZDE2ZGFkOWMzOGQ0MDRkOWQwOTg3MDM2NTBlNmNlMCIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjQ2M2M4ZDg2LTAzYWMtNDU1My05MGJmLTgxODQ3YTIxZmRlOSJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C09000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=113.0.5230.135 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x72171864,0x72171870,0x7217187c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe245046f8,0x7ffe24504708,0x7ffe24504718
      4⤵
      PID:2772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
      4⤵
      PID:1248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:1776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
      4⤵
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      4⤵
      PID:348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5476 /prefetch:8
      4⤵
      PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5940 /prefetch:8
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
      4⤵
      PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
      4⤵
      PID:4940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
      4⤵
      PID:2140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      4⤵
      PID:1148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8760674445607598697,6329360285380680104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      4⤵
      PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
33c4d752dbaac8b3db84decd24a428d3

SHA1
9e17644910f6ca27a433f59446cfa7c2cfd689e2

SHA256
e8e0b099f990157af46a830e6614f2630e02abca18b8f56d1098a6fc9680037d

SHA512
404bfe0bf973909c2834fbdd627310c8e0e4fb2e08f1a765a0d004c14a1afa083634eefd12d780172a376eae937ab811a4612b7d31d6d115d28dd3c4fefeaadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
55f2562fc0adbcd9eb7fcee716ad0cbc

SHA1
29dd84ff549bb4acd397209216243ea37f9cef3e

SHA256
1217efa3efaaf7ca6ceabcea7604c86164fb5415212f476853bd7a6454217d26

SHA512
d19850724e2df6c8475770fe109896b8cb0092cd92d137eb706b5e345bcb543453c15dd90245ea5354bd3281fcae6f5b7dddb1befca84d2f612aac16964db433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
af929bcca7a4ba0c0a63f9a8b857d5ec

SHA1
4192bbb5ae8f96cf2b726b3b301371ceb91210e5

SHA256
56b39c2b43bc37fe9ec838ed3f63b2093f804ce5c992fd6c48d2136b8fe3e62e

SHA512
5075c817c7c58a773eff4b8399257c27fc1a88723495d823fb3b86f94ea306f8f49945653c5c22ae1502321ee940b7e952ad326cf37975d4954e6ded44786a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
699ce418dbbea553b286105fa6381d8f

SHA1
0c3b77ad5d907bde7c52cc4c03d2b535d653660d

SHA256
3eab657c1aff5a343d571fe97b7b4f1a520d4f1643fa996d13fa0fd4b2e2cdaa

SHA512
452902d5acedebe294d5b4689f84543c2341cc92c5025244f9e8b7e10b5d5eb37ed3c55f223f517e5cd97fb424eea9aa8eefe54e525ce3b3b731fdd1e3b5d7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71d015f6140aadc5c1ea5636ee70f27c

SHA1
50a6a21853d5bf19002cbea92ecbced8c71d2a56

SHA256
ace81b5f4bfdadf8833b88b57ffed3ca50d5bd2594f42399ba1c5d0d3b8ab4ed

SHA512
286076890815723bd3b223d9de9b77939c71e6310532cee67cab59c4d4f5c0abc3274f03297f4d337fabee3a290dcb1e53b02118932039ef0615a659f987933e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4dc350770b7a5267755d55fd75382031

SHA1
358aaa09305ef17e80c9eaa9569c481274294076

SHA256
0502eb76a05f27724b5cc3d216e17402a8c498897e36037fe5aa24fcbf07ee20

SHA512
0e09c712e3ca5f8758f27aa4779ad025f6aa347432cddef0a7f89a46f4dd3352bc5f90487d9e7e8e44fea2a1e4ff7ffafe4c8a4b5bf20f87e7e1dfd868c90cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0ac692682b175c91d51cee2403012473

SHA1
602598db53c2ed9d893a58056c90d52d18ea6f2d

SHA256
bfac17ad68861829ccaf4b6d5d109807a850de8548c0a361db1e168b8e7d0e2e

SHA512
e606b8ef06201f9a003d1760a461731b30242630ccfc9d96cf0b73c3363b1a9e4860523d8ec92a6d99118761373e5f8ee02762e497389f1da90405aa7df62de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6098a7feaf5f16ddfda4a547b9b5db8

SHA1
79febd2ce36019610b3a770be8c751a240d9302d

SHA256
bd70bfcbb10751a65f94abec01608f2a30323bdfae7bb31eb0469466c3162d14

SHA512
e70ef50bdd082ec6101ff61a6b556c6d6e44180c28dca0d0b2956900d2e492dbdcd2d2b3ad862e12e6138731b82e07b3cb5ef50221f13fac4da41d311bfca0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS877883A7\setup.exe

Filesize
6.3MB

MD5
86dd06e679802c75653e22d0dbbaadf3

SHA1
62ae11a89addd8a9bb4cc4be6e9799dc86103c59

SHA256
8c13e1b66a1f67170410b1129fb7cfa55ef78bc2ef61b246edeaa68f3dfb8333

SHA512
094bfb863c7e31658a68dde41ca33a60271f788ab8d653a7a0aa7b57ccce7c0e0367a60474bf233f45f4dbf56777422ab538c87bcda9c0390e2f49630c3ed80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410100236132661508.dll

Filesize
5.8MB

MD5
e498604327c32088b7d6b29ef581b8d1

SHA1
9a9c88fb31ec04a815ab602d63ac34e089be0f0e

SHA256
b83e3ae782eb0324e3ea346365e9274b738ddd317a614d3ba08a76c1d696aadd

SHA512
62df01ff19828b755db562650720cea566604989a112ce57b4cf18d72fa0e7be593a91c2a2112bd27f5de966481b0c3f95f2077b521379f15f0c8ad3f767d946

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
8b0d755f8fce2044869b1a5d487aa11c

SHA1
660e0cb778df86181661ec18868fb787a57472c2

SHA256
3f29d6ef2b172f21d4f4bbbd392c0cea83259d1c17345801816b500a882a541b

SHA512
531e125679168503826bb90d377d9ab276b8c3d66e4086ce63c790802dcfbc784163b8de2987299e6a0f26ff8e43256394cd5f0fe8fbcbc99a59b66188665d22

Download Submit