f9db61e24f3797ff523b7aefb01b6e0f52c206d4ea9fbcde8005d83c468a3d25

Resubmissions

13/10/2024, 18:49

241013-xgb4sawhjk 8

13/10/2024, 18:44

241013-xdreassalh 8

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup (1).exe
Size

3.2MB
MD5

03ab9b24d994fc46176776a167e087ec
SHA1

281c9564a9f7b9387b8cd78afe6455db8b2050cf
SHA256

f9db61e24f3797ff523b7aefb01b6e0f52c206d4ea9fbcde8005d83c468a3d25
SHA512

eeccfad1a00a17331a56ad511b1f109317335eb8b9bcaf3245e290ce2e20a631291977d3b8cce22223695c3c630b940d4ffc76d62f1e1cb5868e4f2e5f299976
SSDEEP

98304:qA8nd05UHPD5oiuFSYyzl0sLKpO1fu8eiWO:OHPD5H3hl0sWih3H

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1856	setup.exe
1124	setup.exe
4708	setup.exe
232	setup.exe
400	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1856	setup.exe
1124	setup.exe
4708	setup.exe
232	setup.exe
400	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 582188.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3940	msedge.exe
3940	msedge.exe
228	identity_helper.exe
228	identity_helper.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1856	setup.exe
1856	setup.exe
1856	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1856	1684	OperaGXSetup (1).exe	85
PID 1684 wrote to memory of 1856	1684	OperaGXSetup (1).exe	85
PID 1684 wrote to memory of 1856	1684	OperaGXSetup (1).exe	85
PID 1856 wrote to memory of 1124	1856	setup.exe	87
PID 1856 wrote to memory of 1124	1856	setup.exe	87
PID 1856 wrote to memory of 1124	1856	setup.exe	87
PID 1856 wrote to memory of 4708	1856	setup.exe	88
PID 1856 wrote to memory of 4708	1856	setup.exe	88
PID 1856 wrote to memory of 4708	1856	setup.exe	88
PID 1856 wrote to memory of 232	1856	setup.exe	89
PID 1856 wrote to memory of 232	1856	setup.exe	89
PID 1856 wrote to memory of 232	1856	setup.exe	89
PID 1856 wrote to memory of 3600	1856	setup.exe	91
PID 1856 wrote to memory of 3600	1856	setup.exe	91
PID 232 wrote to memory of 400	232	setup.exe	90
PID 232 wrote to memory of 400	232	setup.exe	90
PID 232 wrote to memory of 400	232	setup.exe	90
PID 3600 wrote to memory of 3008	3600	msedge.exe	93
PID 3600 wrote to memory of 3008	3600	msedge.exe	93
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3124	3600	msedge.exe	95
PID 3600 wrote to memory of 3940	3600	msedge.exe	96
PID 3600 wrote to memory of 3940	3600	msedge.exe	96
PID 3600 wrote to memory of 4908	3600	msedge.exe	97
PID 3600 wrote to memory of 4908	3600	msedge.exe	97
PID 3600 wrote to memory of 4908	3600	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe --server-tracking-blob=OWY1ZjBhMGFlNGRkZTQ5MDIzYjQ3NzM2ZWE2ZTgxNmE0YzI2MGJlOGY4NzIzN2U2YmU5MmVjZWVlMjM2NjVmMDp7ImNvdW50cnkiOiJDQSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9DQV9IVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD1iYmUxNTBkYzU1ZWQ0MmViYTY5NzNjMDZjNGMzOWM4NCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0NBX0hWUl8zNzM2JTI2dXRtX2NvbnRlbnQlM0QzNzM2XyUyNnV0bV9pZCUzRGJiZTE1MGRjNTVlZDQyZWJhNjk3M2MwNmM0YzM5Yzg0JTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJnV0bV9pZD1iYmUxNTBkYzU1ZWQ0MmViYTY5NzNjMDZjNGMzOWM4NCZkbF90b2tlbj0yOTA0NDY2NSIsInRpbWVzdGFtcCI6IjE3Mjg4NDM1OTMuNTIzOSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjkuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9DQV9IVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiYmJlMTUwZGM1NWVkNDJlYmE2OTczYzA2YzRjMzljODQiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJwYSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJQV05nYW1lcyJ9LCJ1dWlkIjoiZTM0MjQ5ZTktMzhkMy00NTIwLWE5ZTQtYTU0ZTJlZWU1ZjA5In0=
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.93 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74428c0c,0x74428c18,0x74428c24
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1856 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241013184619" --session-guid=8f706d04-c71b-4b15-af92-b2dac6b09702 --server-tracking-blob=MDgzOGE1OTU5MTAxYmUyNGY2OTI1MTA5YzNiYmQzNjM5MjI0YTNiZDQ4Nzc4OTJmOTkyMzhhZTM4MjRlZGFiNTp7ImNvdW50cnkiOiJDQSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9DQV9IVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD1iYmUxNTBkYzU1ZWQ0MmViYTY5NzNjMDZjNGMzOWM4NCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0NBX0hWUl8zNzM2JTI2dXRtX2NvbnRlbnQlM0QzNzM2XyUyNnV0bV9pZCUzRGJiZTE1MGRjNTVlZDQyZWJhNjk3M2MwNmM0YzM5Yzg0JTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJnV0bV9pZD1iYmUxNTBkYzU1ZWQ0MmViYTY5NzNjMDZjNGMzOWM4NCZkbF90b2tlbj0yOTA0NDY2NSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyODg0MzU5My41MjM5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyOS4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0NBX0hWUl8zNzM2IiwiY29udGVudCI6IjM3MzZfIiwiaWQiOiJiYmUxNTBkYzU1ZWQ0MmViYTY5NzNjMDZjNGMzOWM4NCIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJlMzQyNDllOS0zOGQzLTQ1MjAtYTllNC1hNTRlMmVlZTVmMDkifQ== --desktopshortcut=1 --wait-for-package --initial-proc-handle=2409000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.93 --initial-client-data=0x320,0x324,0x328,0x2fc,0x338,0x71c78c0c,0x71c78c18,0x71c78c24
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2ef746f8,0x7ffe2ef74708,0x7ffe2ef74718
      4⤵
      PID:3008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4984 /prefetch:8
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:3420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
      4⤵
      PID:2104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
      4⤵
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      4⤵
      PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,17339597564706624120,9678311376471807756,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1376 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
0b31d9fcc3ac0306b51f055e31bea39a

SHA1
9801b03654722c57fb6eb15a23af130047fedbf4

SHA256
6997c34a4126cf797652d51ed33a3b0ab22a62aa58bfabcde99337720a0a7dfd

SHA512
d1a12391c9fb1a419c31642f120bf5b55cc256763ce41137c9c12de05cadfaaa1c8e2a9a1a3b5414a7f1763c5480b138496189c80e5fde58d9d2e8c703ddfc97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
6186e955e7800eb4dd85333d7497cd94

SHA1
cefe7841d358696c9f9233ba8c64d550dadfb4f7

SHA256
c4363b0227093fbe797ee2943f96e6c2d013029acbfac8c61b4007693dcf8dae

SHA512
d766bc2a42708c3ecf1f2a07c96f83034e475ba93c1ecb7d9e5b75f04d9f86d6b898d52572178893bed05462edc7dbe246992a28a0fa2c85be9986f22c03e98e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
bc6c7b49b4f445d3752cbfa9a0bcab22

SHA1
e5622208b265922b1c28aa67a144ff5cfefb55a4

SHA256
88e47bbf9e22d2d3e7e7a031f70923373681333b785f3c6be195f7dcb0c2dc66

SHA512
cb9e44359baf35ca6782a3b5046089a5603d6fa30f59d98a6c2a93ee15c90574153f613b68687ebcea87d309000e70b6c974a49116cc57e9daef06aa9fee2d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
a1c783eab114c2d316bfd6370683652d

SHA1
9d8739cc02080653238b06c020a9143ebcbcda8b

SHA256
ba19e4252664fea41fb0a58eab83f960f37d9378e816715c7d4f92a076af9138

SHA512
5bf38b4bf3edf823459623f6859ce84be58016caf2f3737bd15a650c469500cfdd54a21ee1c99f98d375ae6fdf90404a275e6c8f5e915b4355519a56927b7ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
081789bd2480dd1f85c4d5a8b74df7aa

SHA1
58c4b6eb87fdad8868c8249216e57233eb605f8e

SHA256
f0602b3a98de0d0ab01ad7ec17dae174cf0b54a4074e4361a5596f9141c83fd2

SHA512
75c69abed3745ffe89b9f94fe559744bd69a414791cbc51c94671071584c46d2cd888603af68198c8152c81554c40f3c1317b4eb28207972bf030d67085448c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
609f318ef5d8df266f094ad2ebfa46fe

SHA1
0cfb67aed942c14a1edf8efc6de87af4ef9bf678

SHA256
1ee8846b75ecc307493bb528971da1ca7d6d2cd45538977e8ae42fc02be7bbf7

SHA512
1367ef72cc5839d4e4d54802ef318c4226c0f61b8a6ccc9a4a2905420a19810531467d140f09325a1dd2467922d1bab8018822c33485868297a62ab2595593e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
1dd623499327a52016c8c64703309dae

SHA1
9d10ac27b657d4020a39246837256e33ce7d9ef7

SHA256
a83d2368e5e31ed753cf9beee4fff906cbffe8ff1a45095707847c02dbb2604f

SHA512
36a34c1162ac63febbcb94737065983fbb76e49917fe3376031693ea1cc013e645c6a6550f731f380f7fc0ff0a443ffe6228ed9b76ef06f44d0cde1cce3bed9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fd672e2a5e053081f73f3f5c112ec90d

SHA1
563f2eadcf6abf1cd70865c0a4f4505fbdc95825

SHA256
61837375d89ede80781a4a653717d3c6aafc28f15bc3828e1c55b9c047074dc9

SHA512
93d2732b1881017fa93ce5d793df5a11a55c6dddeadfb80df1287822bad3e78f8a3598c71360ae1b760b50830c624325d74ef3830a5af39fe4aaa51f04b16cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb61e62d122f4df659e9d5b0c0c19238

SHA1
ee353ada9a19025c8eae187169537806439b07b0

SHA256
f6cb866a954aabbb6d02beea5905b66077e109ab5d912706fbdd685ae2101901

SHA512
3783368fcab5bb8f38e52d523df341be7b621f5e17c1894b03a8f0514d61de74f052556b67bc0e10bf06f4caaf9b92bcc0b5c7dfecc1d434082523a2d0481b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af27b72d2948d57229eaa9e53ffe75eb

SHA1
99182af50628295923a83e3cd40baec475ef6fd1

SHA256
8ee07d0dca084be1f0b354053da9218c8c9809a24b324e06fb58fd7c20a2e1f6

SHA512
e4e8de03eb8331ccf4144145bf85f9c0fbd8ed900f8b5744408dbc36a79228a3a8a6a98389120873bf926a0e344f24020b6c19aefe8339cbb111ef249eefa4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f14159b927fd7e75b76bf7878e362c96

SHA1
a4a16389d598ace580ad326311b74c1668d2fdca

SHA256
da9c531257496a3542c0284cb3cc067078b5faecb7f0209c6382006b31331e26

SHA512
e7bbfbe2627c872a85e2ac97ed9e8809d00c9e4ede8140fd1bf973a125221345bb89e597854c89efc9e81d09605a9516c88ac8bb487c583eb26f4473d549bb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49672D47\setup.exe

Filesize
6.5MB

MD5
f3fb308a1192b6f23b9798274a7bbd3d

SHA1
594d0b878169de95f5c29766e24fb905b05afd48

SHA256
9c1da80efd2e6ed2a89bbf18da614a85f7d6db55f100fe3a35e9c939ffb29eea

SHA512
96e712bb441489d1b95b771914e9792c35b39e4296f0cc9e37cadf4dd470572b0c575233c004ca4e16e525042f80af600c0139ddef0d258fd6cdda92fdd54444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410131846188391856.dll

Filesize
6.0MB

MD5
c9b6a88f1a1406352509d2c5ecf647be

SHA1
dcde8ebf49a5a61a69bf6f57f88898e583747a7c

SHA256
2911fc2b9ec8af5ab91f80671ca1e3415cc9dded73c24d561fda9921f7672ba9

SHA512
5ea0c3003771e354b43339aa251ae2f8e6b82becfa498daecdfa445676bb179ce1738e052b5ce6769d92e3f3ba38d744dbf5344028e5281470b013af936b9ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
e1e15999f559e9f494eb2ed83738cb94

SHA1
4f3f210cb65cf02333c4d821d27432779951c45c

SHA256
fe0553f23945f875a1ab7e1c1f82e5d6bf51606752196b201636a7b2d9ef06be

SHA512
5fe12a554263d5b7e901ea45921e52636cc859d85fe40fc83d1c97cecfeec8272306badef133dc96149594ebcd6b1d9b4f21ec2f2d8cf014e25295777462ea0b

Download Submit