137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe
Size

3.1MB
MD5

944bd6719f9a3b5fefe7f2eb96b0aa1b
SHA1

2b4d4afbe6938e721ae52cb91a859587955a29b1
SHA256

137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c
SHA512

c0592ed39a0107965236fb59aa1a2f3ec9d48585ee8777c238c2c014c41596c3c1049b908f733b7b9c53b9b3ffed28b4cb409a17943d4921d75f6b6d8d7ac230
SSDEEP

98304:lAyXe7ykegiTNpjQpSI14jSKQoDXAy0YbJ31nu2Cmh:jXe7tiTHjY4jS1sXA/mJ5u2nh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1140	setup.exe
904	setup.exe
4208	setup.exe
2400	setup.exe
1692	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1140	setup.exe
904	setup.exe
4208	setup.exe
2400	setup.exe
1692	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 320877.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
2456	msedge.exe
2456	msedge.exe
1028	identity_helper.exe
1028	identity_helper.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe
944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1140	setup.exe
1140	setup.exe
1140	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1140	3216	137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe	84
PID 3216 wrote to memory of 1140	3216	137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe	84
PID 3216 wrote to memory of 1140	3216	137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe	84
PID 1140 wrote to memory of 904	1140	setup.exe	86
PID 1140 wrote to memory of 904	1140	setup.exe	86
PID 1140 wrote to memory of 904	1140	setup.exe	86
PID 1140 wrote to memory of 4208	1140	setup.exe	88
PID 1140 wrote to memory of 4208	1140	setup.exe	88
PID 1140 wrote to memory of 4208	1140	setup.exe	88
PID 1140 wrote to memory of 2400	1140	setup.exe	95
PID 1140 wrote to memory of 2400	1140	setup.exe	95
PID 1140 wrote to memory of 2400	1140	setup.exe	95
PID 1140 wrote to memory of 2456	1140	setup.exe	96
PID 1140 wrote to memory of 2456	1140	setup.exe	96
PID 2456 wrote to memory of 1424	2456	msedge.exe	98
PID 2456 wrote to memory of 1424	2456	msedge.exe	98
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 216	2456	msedge.exe	99
PID 2456 wrote to memory of 1092	2456	msedge.exe	102
PID 2456 wrote to memory of 1092	2456	msedge.exe	102
PID 2400 wrote to memory of 1692	2400	setup.exe	101
PID 2400 wrote to memory of 1692	2400	setup.exe	101
PID 2400 wrote to memory of 1692	2400	setup.exe	101
PID 2456 wrote to memory of 3984	2456	msedge.exe	105
PID 2456 wrote to memory of 3984	2456	msedge.exe	105
PID 2456 wrote to memory of 3984	2456	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe
"C:\Users\Admin\AppData\Local\Temp\137f28a011fe3d081848fec7568b4db63e37d9919ee4de39522533d2f48ff85c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74831b54,0x74831b60,0x74831b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1140 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241031081735" --session-guid=020245af-6756-42f1-a472-ea8acfc2fc80 --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=6C09000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x71571b54,0x71571b60,0x71571b6c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa204646f8,0x7ffa20464708,0x7ffa20464718
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
      4⤵
      PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      4⤵
      PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
      4⤵
      PID:1596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
      4⤵
      PID:5084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
      4⤵
      PID:5236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      PID:5244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3680 /prefetch:8
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
      4⤵
      PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
      4⤵
      PID:5588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
      4⤵
      PID:5072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,9814288487094525986,7423523768853945300,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2656 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
213d08513e32bb6741bec453fd3759aa

SHA1
f7df0a9a4bcd1c840e5459102672921d7912fabb

SHA256
8e95d9099eebd14015e359e21a16a7b28fe2e3a206189c7e0dc7b5bd71d0744f

SHA512
c75a4f233621bab3306e3f6509ada296f2891c8999e8fe8fa0c48a3ebf45626b5b52b1e52af1b914b4c6e0ff881ee64405779c717adeae6973f7106446d678d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
c8c8db92f7cd7aa2e5deefa27127451e

SHA1
8c7a6b67771e0937cd1be62deb48cc5582182b08

SHA256
f2ad2a102162e9ef032e3afa9b759ecbf7354e270768dcfcc62a84fbb8b54aaa

SHA512
fd9f03dc7fa9ae5c52c375a17c5afd2efc5b7b1586c6122ce1a7e715fd2c4ebdaaac6803b2ade829a71c3b6c64448696ac764734efced87bcaa8884f9e0fc7b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
bcfd43b53a47b2dcf107efdcbd0b59a4

SHA1
75b548df2aecb2dec9a995c9ff974be78959411a

SHA256
b0fa8ff8516c233400ff93675d5091c6747a19287d70c92c470fb30978868fa6

SHA512
f473cfef0228f41b471e67ad3dbfe5715ba9aab9eb541f27445da87b8944bcd6a3560ab3e5e57a440f8a626b9137fdcd85aa2a50366f67ec61f478b4c7cea634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
037a1a1eed877c520ec2d8e877a0ef10

SHA1
2c261667a88ca76c700cf61c24167d6185f164b8

SHA256
04f352b4d334a645a09a76772ff766ee4ae359754a056d08f5772895a703cc7e

SHA512
021cf980ecf3cdc259caadb470a5557d8b0ac13d34185e8e4bb22693e26b7ce01ee5fcc833177d921635e8da3a6cb72e9133c5a6e786056db71969b515814bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
31db2199e18b6970ae6c0da2825c9d3b

SHA1
069ffc8953d0983f6bf9526a20d62a601f39773b

SHA256
2232753d2049be274535662a63a28b497c8ae884d76e46294ceeaedc0648b924

SHA512
3094b03a6969b56925bd66340a949adecb7843f8142970d13e1f360a648dc82f52f83234b8c14a0da43762e8794cd45cb595996cb46ae0fcfe9d71d07588b9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
96badc2c56adf3e99dc69f7bf0b4418c

SHA1
7c246828874db4f637cb8c37b8c690b6aa29aa36

SHA256
78bfc74f5273b790ff3dbe8291df462ecc7798ef68ed377cd2be3d9c3dca7036

SHA512
80f8f00c5b8b512768e0f916fe525082e30d4ee08902f2bf4e6860b33851bf0e5fb049718f8f558a1d65e369b2381ab2e5d9d749ce7fc66f1fc9cd8fdd4f8e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
5106fc2810d19752ee5b9aa64e180d6d

SHA1
b5d9e3900b84845bfc65cacad7bf81a6bf8d79e6

SHA256
d8fe4673e339bf5b68e1e24b2ed1529c0210181560708e38a5d0d2a6e56183cf

SHA512
b7e39a087fc42e9c7275ee6cdef19c29d65557ea26e7ebcf781fd5458d03c54e12392198a32c26750cc4d9dadd2b7e9efcc7c76ea0d343c44b9febbd34ced80b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
e7d1ce4a8685d0f383182b0c5e70ad11

SHA1
af1ac97b1acb3a1caef2c7f20fb1501d011dfa1e

SHA256
a5bd1751f51abe7343666ebb513f07bcc2febd25c0784aa5283641c72dc0dc1f

SHA512
a9c88c091081c3f15a0e08c517499ac8c33281c284b91dd05508650bd82185c25fc5b29d59bdf7a4b0684cd74c446703aa0edc66291d95c8f5b7f308b94f46d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55082a57-0f33-4e49-935b-18564f4ca31c.tmp

Filesize
1KB

MD5
a8ef224e61810c129159f6a8e5ae8058

SHA1
31cb085c9752c3adada05ecb9f2b53fade3c2dfc

SHA256
efc7718c1e845b99282d194e3f085ca43c59232b96ee8e5d69b8d43f6d765c0a

SHA512
e01becd675aa007ea69347b6d1525bac39e3bcf1926f216a767628210b18857561736d0df0b0c0ca75271e123df5e93cab933cc8b38f2ad0bec517fb3d170289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f688d4e3871ebfe797d121455d05e52c

SHA1
e53b1c236daa07057a35602d2331d88445feedb6

SHA256
42473cafc11ca93ccaf12129f7dcc2f93b4e48b1d09debe484fe7da68c94f305

SHA512
df084f4bc3dc8f207babe6a638bc868d56f104cc4d10655743358b9f8a24da0cb599813fdf5a8ac32b5207c28d3635a48bc57a7e18122427afc647fa5bff18a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0af63ee5c5ee2e7a7f194aefc89490d

SHA1
4480e2bdc5e3ce8d530647f6e1b6f0bc49284b71

SHA256
8b100ae2c7c0dd37bbdd7a0899cbe9c2821cad943d8fcae580960a3097b7ff72

SHA512
8331f3288bfdb78e9ac2a994472189d23c41f45270fba9ee298abc412977191d70b1c8ea43150e6c26021ed0c27164d0a511cc227330cb3ee0e28c8e02583ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5dc9fc1d00d4a8ecf4743f00f227e20

SHA1
00241e06ce43faaa41c21cb9b66a32a7f365d0b6

SHA256
01dc15961ff11d35373fc566e04b15726e955026a5af6df0aa4ee9d30c6b7417

SHA512
a79b04b3bb76ce48ef38ff31385b20668b6397fd355e545d6ee3d7ac93626bfb3642c734dfba6aa3143080fdc59d8f6ee5c6aaf4595dae153686bbe86d501652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
953b673ceedf8807c1928c5824f2f2dd

SHA1
487f6eb6daf3360c2cab6e4762b495f05cd420ff

SHA256
4467c7bf5d16ad0135e8109cacef07526bed4969ba408dee749ddf152cf607fa

SHA512
05eeae7cf579a3ebc51c09551d25523187fd2278398b1e013c5e7a956a2b31bbc05ae8eb713ce1a78ac5182d5356b572fa0413d8ce2eed0d078092143dce1662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588eae.TMP

Filesize
48B

MD5
f1fa849891df14f4099b558f89e4431a

SHA1
88749aecc5d9594a610e462e1a9422ef605a335f

SHA256
68fe096109f97bac016133c640c809baca46417c9673b2f13f45408f2f83f5e1

SHA512
647e1190ea1bcd27dcf5c8f577c9ad54057f2a6b0b723d67c5036fab25aa22c6925eae94f5a76c7b7f3d8f0d193b90107fdd4efcc50ed860048207e65587988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be2614debfe94e04328113029293c4ad

SHA1
1eb7773951fc38abd957ce076529cbaadc103391

SHA256
53398617bb32dcf34f1a0a9d2b38b9498cf32bf66caefab9fb2c5dfc5cc7ff80

SHA512
62b0ada2b98bb167363dd9ce98b1c864c96c72a77349226cee1468f9ef53e84bf3e8b384c156fd39ece80b7d75a14eeb5d684a7a5ba7b14418ab1bbad7be3bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2cdeda05ea6a611dfc6058137b97e633

SHA1
1b5a5090b57c27c00336999093fca995d929fc69

SHA256
9edac6d5d8f5feb6841c283c23352fe818231459c45fbb2c3f1b627a0ad203ec

SHA512
a56aef0c3657e793a56b49adbce37aadeb8b91390f1d6014eba9fa35c903b05f9756bfc473461db3d3fdce934d40f5db8da437b6e14e5df9cca3d5853c060e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS09C5D0A7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410310817344361140.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
ea46d965ac319f2ec138faeab2ba797e

SHA1
ec1a73733b3edf08a740064bf4ccfea9ae08c231

SHA256
ec012eabd6c6cb92580845310674a97f48813c1c23e65cd64a1276f4dedd30ce

SHA512
3b763858808686324663dc82054298e779fcdf7fedf9bc204b876130fad8a050ec9ffbec5621182c40152a8ab6b54aa57ae5f95972a5d32695d64f7789a18e33

Download Submit