hxxps://filedm[.]com/YTR9l

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filedm.com/YTR9l

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Netflix Windows Edition 2.0_17656726.exe

Executes dropped EXE 7 IoCs

pid	Process
1676	Netflix Windows Edition 2.0_17656726.exe
1852	opera.exe
2524	setup.exe
4012	setup.exe
4980	setup.exe
3524	setup.exe
3404	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
2524	setup.exe
4012	setup.exe
4980	setup.exe
3524	setup.exe
3404	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netflix Windows Edition 2.0_17656726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Opera GXStable	Netflix Windows Edition 2.0_17656726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Netflix Windows Edition 2.0_17656726.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Netflix Windows Edition 2.0_17656726.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 812780.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3740	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
3788	msedge.exe
3788	msedge.exe
4940	identity_helper.exe
4940	identity_helper.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1676	Netflix Windows Edition 2.0_17656726.exe
1676	Netflix Windows Edition 2.0_17656726.exe
1676	Netflix Windows Edition 2.0_17656726.exe
1852	opera.exe
2524	setup.exe
4012	setup.exe
4980	setup.exe
3524	setup.exe
3404	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4680	3788	msedge.exe	84
PID 3788 wrote to memory of 4680	3788	msedge.exe	84
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 892	3788	msedge.exe	85
PID 3788 wrote to memory of 2536	3788	msedge.exe	86
PID 3788 wrote to memory of 2536	3788	msedge.exe	86
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87
PID 3788 wrote to memory of 4976	3788	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filedm.com/YTR9l
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb42b946f8,0x7ffb42b94708,0x7ffb42b94718
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,13197459892974085017,11588191106835991426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Users\Admin\Downloads\Netflix Windows Edition 2.0_17656726.exe
"C:\Users\Admin\Downloads\Netflix Windows Edition 2.0_17656726.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1676
- C:\Users\Admin\AppData\Local\opera.exe
  C:\Users\Admin\AppData\Local\opera.exe --silent --allusers=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe --silent --allusers=0 --server-tracking-blob=ZTQwYTA4YmU0Njc4YWY1MTgyODc2MzgxNjI0ZGIwZTg2ZTA4MzdkNTE0MDA4NWU0NjhkZjhlZGVjOTAyN2JiYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1ZVFI5bCIsInRpbWVzdGFtcCI6IjE3MjkxNzY3MDQuNTk4NyIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IllUUjlsIiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJJbnN0YWxsdW5pb24ifSwidXVpZCI6IjU1YzE4YjA3LTA4MGEtNGYyOS04NzcyLTA2MzlkNThmNmI5ZCJ9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.102 --initial-client-data=0x330,0x334,0x338,0x30c,0x33c,0x71d3fac4,0x71d3fad0,0x71d3fadc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2524 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241017145146" --session-guid=289c549c-8bda-40a5-bfcd-83774a4c15fe --server-tracking-blob="MTQ4N2FjNmRlMTAxMTk4ZDdhNjM5ZTM4MTcxZWJjNzZjNzk4NWI2MGJlMDExY2I2MmFkYTQ0ZDg5M2I1YmRkZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1ZVFI5bCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyOTE3NjcwNC41OTg3IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiWVRSOWwiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6Ikluc3RhbGx1bmlvbiJ9LCJ1dWlkIjoiNTVjMThiMDctMDgwYS00ZjI5LTg3NzItMDYzOWQ1OGY2YjlkIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2006000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.102 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x7117fac4,0x7117fad0,0x7117fadc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\42a339d4-4b08-4cfa-b252-8b1fba8abdfe.tmp

Filesize
5KB

MD5
1e1f53e5af4092c76b8507156bddcd8e

SHA1
3cdf49a38abce583cc760243736da897ef241dae

SHA256
542d0fc460c37e0d8843f0cffbb7a1f69e1c77888420a5c6ebe30438eb22982b

SHA512
40e81094d8b3721c467abb6bcad853d0a935cfb0d791753ab77ae81e74eb143568fee0b5b24b81b87b7d2d4e6fdb9ab3d570ab33f168912a018f2e3857c5d444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
9a4e5e4b4737409c7ef0ad65fbf85395

SHA1
4c56962133fe6ff50cfc02cbb4097a818ba29f9d

SHA256
1586660d3fe3e6cb201189beb1e945d5a0d23808ad06766ceb0f48d337b70b4f

SHA512
7d0739231ed344e9cc7978517d12f314e401876025629ba0a892d4081acc05a8388433e529e2548d45c01e0a2165e6ee1b8d9fbfb087e18969117d2d50e9e6e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
43b7547baa4832d96c3373e26ca8c151

SHA1
9dc2fd775e7c3dcc3200d5ab9ffc3ae3ea77093f

SHA256
38ee4284f00774beb7480d3e871a8ec4565d9a2d0260fdd44341d96b1fac3e04

SHA512
dbdeaaba26b591d116218032718f814e7708cb768e27a631c096b85be4a71e31b5d4c1bcb908afe40408a4bdaab7a4c79c16ea3d05765a92e5f7291e805c59e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
264077c5a018ed22313ed5c151b63a6d

SHA1
dc8a77f8d2448d74b16f724c5e6911b183d2eb7f

SHA256
5cceab0a77f5f4a0bddef4ca9143f890d0ed29a035d46e50b922efe81fb91914

SHA512
4c298e71672ccdfe2e79a181c079636d970c0b606e6ba228e84fb86100cb18c5fd7b31915d44bf1bfea7972dec2f1b052451ed4248ed2712a67dcd68d096c218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de693d2c136a3541a760a08adb151203

SHA1
6dd4e222471cb0821e7d6bbce92b585b8bb300b6

SHA256
89315294a3099710d23d0e4fc92fe1c35ff003574e7dc35829c62aa1e8a1f116

SHA512
9efc1fd9a1975ff8d8a38a5a751743732effaef893b8da56aed236cb54c3100ce79349e74b98c930c6ca8a5d6dc63f91172f8f3ba7e57c91dc6694b681a0e0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d40472e261706001bf95dd9055f43a7e

SHA1
d19cbf7a52e7bc91c4e130658955d9c039e92c78

SHA256
526a15592da52ee47f83f48a3d9e3aad17d07f9e008997c6295b9e60d8a5fa95

SHA512
9045e13383afac2f3bd017b2f01e99556b2b165b65b57460ba7ce96343d12574c1d5486e0fa2eba3d3d40bd5b9fa8f1025d51936ec4f75df62152ef82d449bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e8aab3fad877b77a3a29eb8d56a9f573

SHA1
dbe91c57f60ced32babe7e7a30b8e688dda31925

SHA256
5bfc6583d1537e2f09b5cbdcaa77f96e106635fbd16de3ad98342d6df78c03b2

SHA512
fe9e8eb2a1a2410d8c62def8057e00d7bc472d19751989361ff57b19a43b73105c1381c254d40ce4a446443b8385a76131e69177229cf93ca4b709d42ce820a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cbc1e9f46a189b717d7f9c6278582f13

SHA1
81cba0e9d21be68d23f6e9a1258ef536f23259b3

SHA256
2af0dc3aee45624480d67d475732f0467286155ed30dca92c766a7436d3f537a

SHA512
42092d6b8a6b3059bd86204846e933e41ce3f94f4128a47ed6921210888fd4c92fa2380fb2187490f316d6199012cf7073bcff3ce5bb243f69acefe0a7809335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f4cff5c831f91074c4674da8b47d8cb

SHA1
491a3d40e8f4dd623bed5077be3e80908a0d4649

SHA256
14fe762f6b3e873718fdaa7e8528aabb689c92236f23e1fd1b1bf6861ae8e12c

SHA512
e99a1364f1e0531bb3b5ef0abbe87891e73c79a161ad4e1a97635f2f8a1d676560208002482e10079318f6426dcdde2c1907143be4024d5673295a8432e41f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC378C389\setup.exe

Filesize
5.3MB

MD5
79cdbdcb845da2203425f8882d1eee84

SHA1
f8a82f8615308412e54c03eeea46dd4cf6bcf26a

SHA256
c4e2e44e1fe4cbb1ec2883134494bf364aebe39c58fdf17e3024fdb9842db3fb

SHA512
8247a33cb2aa1286e1e000a1154a705b5ba78174de62f03505d5b03025bd1e3e1973a39fca9878dd15b3f630605b264f2c1eea3f608d6472b2c80f5a5dbf7c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410171451456282524.dll

Filesize
4.8MB

MD5
e02681fc3b1bacea505a9808f42ac8ad

SHA1
7ec6adbca2f5c3aa3d240a0c7501800861e1faba

SHA256
b5f2eee0d29c94dd418f7053fa4132386af6ca66158a2608a3084199084516d9

SHA512
a942642cbc83f580d957b0b30afbc0bd5a38296021dea5c85f9f3b62e08f8753b4a9f521451d4b7f1ebaa71d89ad2ccf74d018877ffcbb55617ce0abd1b9ab97

Download Submit
C:\Users\Admin\AppData\Local\link.txt

Filesize
57B

MD5
5a2ef64113185afec25c28d22427c49c

SHA1
1bc10ce9f54ad69e16912ddb754eaff50fde8455

SHA256
953533ff6253c3c1e693c0c55c4331d0d76a7630714b96f3373573deee3ef247

SHA512
8b1116b1c7d9e18c676ad662c8587d2bed2a2941b82f6571c9755cd9b249bcbab55ab5df2ac5337e9d9ef37435bded2004a2b1a5928dac3f8121e4b150313774

Download Submit
C:\Users\Admin\AppData\Local\opera.exe

Filesize
2.1MB

MD5
6cef762398c7097a274daf0f88559e3d

SHA1
a91a7ad8e7343faf5f38d9db0fa41a78e4df00b3

SHA256
7e3890437d617a33322d260cae963530f9750f6ca3cdc2d84e63ae6f105d615d

SHA512
a80829c1cd937570d2a81aa52db1e9c190724a9928763c8f827eddd8a0906b153fd7545072e4ef44511729d456fbc85e7d499a5df706b6950397012b499bfa8c

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
50bedcef88cb0e43a4c1ddb637399999

SHA1
aba9fe4ee8ebee2a42a470404f421a6f35ce2bc2

SHA256
51a6b016790b5f762876187b814072675cf2bd32b604fe072c15971cc0ec1ccc

SHA512
0956c966205afe76c4b1d01dc10eac3cc6be11e1251735e0c69bde8a8abfcd5ff62ad51831ee8958e337bd6f40666bdaa5525b7887d08c4529b1a5452ec3c67c

Download Submit
C:\Users\Admin\Downloads\Netflix Windows Edition 2.0_17656726.exe

Filesize
5.7MB

MD5
0aa6945aee17c3eae75f48e715ee5eb7

SHA1
b84977d612d1760f7a682e96dba9f7160cdaf72d

SHA256
0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc

SHA512
8cdb467c92fefe0add78824acc496bf1c70c1eada04a801076073df92497660551c7b3c56a7d97a5ba74eb75879e5323f4b33ee51f94cab8c8afe6515056f5e5

Download Submit