baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe
Size

3.1MB
MD5

e0c4c0ca9ed3874398f2122f3fb4e925
SHA1

554521815630c05950ac0ff3908d0cfa1c6e62f9
SHA256

baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e
SHA512

3aa0b41b06fe114182b75dcc8cd6d1ab75a42fd258b3acf99850c0dd574b83c9662b357331a9d6c575a4177c6d9487d53a9e9ed7926d223fde3650ba6e97c439
SSDEEP

98304:5AyXe7ykegiTNpjQpSI14jSKQoDXAy0YbJ31nu2Cmh:vXe7tiTHjY4jS1sXA/mJ5u2nh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2396	setup.exe
4960	setup.exe
2128	setup.exe
3432	setup.exe
1516	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
2396	setup.exe
4960	setup.exe
2128	setup.exe
3432	setup.exe
1516	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 561695.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
3644	msedge.exe
3644	msedge.exe
1520	identity_helper.exe
1520	identity_helper.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe
3644	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	setup.exe
2396	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2396	2212	baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe	85
PID 2212 wrote to memory of 2396	2212	baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe	85
PID 2212 wrote to memory of 2396	2212	baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe	85
PID 2396 wrote to memory of 4960	2396	setup.exe	88
PID 2396 wrote to memory of 4960	2396	setup.exe	88
PID 2396 wrote to memory of 4960	2396	setup.exe	88
PID 2396 wrote to memory of 2128	2396	setup.exe	89
PID 2396 wrote to memory of 2128	2396	setup.exe	89
PID 2396 wrote to memory of 2128	2396	setup.exe	89
PID 2396 wrote to memory of 3432	2396	setup.exe	94
PID 2396 wrote to memory of 3432	2396	setup.exe	94
PID 2396 wrote to memory of 3432	2396	setup.exe	94
PID 3432 wrote to memory of 1516	3432	setup.exe	95
PID 3432 wrote to memory of 1516	3432	setup.exe	95
PID 3432 wrote to memory of 1516	3432	setup.exe	95
PID 2396 wrote to memory of 3644	2396	setup.exe	96
PID 2396 wrote to memory of 3644	2396	setup.exe	96
PID 3644 wrote to memory of 4584	3644	msedge.exe	98
PID 3644 wrote to memory of 4584	3644	msedge.exe	98
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 3096	3644	msedge.exe	100
PID 3644 wrote to memory of 4108	3644	msedge.exe	101
PID 3644 wrote to memory of 4108	3644	msedge.exe	101
PID 3644 wrote to memory of 4324	3644	msedge.exe	102
PID 3644 wrote to memory of 4324	3644	msedge.exe	102
PID 3644 wrote to memory of 4324	3644	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe
"C:\Users\Admin\AppData\Local\Temp\baaaf62661f4c7df3d7e466f357433da0723efa9d63ec06a5fe7df2d8920f62e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x300,0x328,0x32c,0x324,0x330,0x74891b54,0x74891b60,0x74891b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2396 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241031081908" --session-guid=550f631d-563f-4868-bb24-80aa051965e6 --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=2409000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x320,0x324,0x330,0x2f8,0x334,0x72101b54,0x72101b60,0x72101b6c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9db0e46f8,0x7ff9db0e4708,0x7ff9db0e4718
      4⤵
      PID:4584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
      4⤵
      PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:4864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      4⤵
      PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
      4⤵
      PID:2264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
      4⤵
      PID:2564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
      4⤵
      PID:4920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
      4⤵
      PID:3628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
      4⤵
      PID:5124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
      4⤵
      PID:5432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,18081517828695469733,13922081464733844208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3108 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
ffa550244a3fcc3da2577d3d5135e7c2

SHA1
89c03adb07e3cd89569f12d5aba6ecc0392dd93c

SHA256
7b942b845a2115944871286726dab21ce1c9fe33e71ca2c4cee880db5c37afaf

SHA512
7f625b7d97dee21492496c605a384f47374f17a82bc6a39a4adbd6a65b0fa7cc96d6daaeebe62692d623568d974ce85c76610a3f3548ac80d728b9742f8a3b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
037a1a1eed877c520ec2d8e877a0ef10

SHA1
2c261667a88ca76c700cf61c24167d6185f164b8

SHA256
04f352b4d334a645a09a76772ff766ee4ae359754a056d08f5772895a703cc7e

SHA512
021cf980ecf3cdc259caadb470a5557d8b0ac13d34185e8e4bb22693e26b7ce01ee5fcc833177d921635e8da3a6cb72e9133c5a6e786056db71969b515814bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
28af58175f41ca47bbbc0500434ed068

SHA1
541051e323ea4d32170842cc7161f573d8973df6

SHA256
f5e14f63026d05f54b2e63073b02d742bcc29b1ee5aafddf0a69acc19d126896

SHA512
be5a5689a74598cf2c8278c8bebe21eb04322c6e5c24622c12e06bb7e56d2c17ad67c9f8c477d1a7c75b61dfda800f707fc08bf1c8756bb172ce9cd1462bcb14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
c274e78f2b9a4e34994db28e0004b891

SHA1
f7a7dd5d4004566032b73ac792ff3a179123021a

SHA256
eee1c210de9acd157bed19a8b4a8e135f038093bdbdafbf2bfbb8d9c1cfd14b3

SHA512
7cb7c148037a7ccf68e3db8953ca2bd7d535692915e6838c5cf7e4887c950c1edaf08fd1725e71f257746b4d4259132edbb80c7920f920a5007e1c6e8ac9aa46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
87e8c67ce167cf3cc94b78cef9b6ac25

SHA1
c1d664cd639e6a2a099b35c5b5e359a69593e5ab

SHA256
aaa8a72cba003ad100562a879ee6da00e49769c6b81fe72461b15d1ed3c5f098

SHA512
f36080b6d9d02ad86a6088c7debb6e2d83eb5fe6f3de2f963d29a9eb655f3d9cec41bc8d94b52da94dc8f2a5621c1f56c902a3409d7c675753820e1c59741e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fff65d4c563599e2456fbe38654706d4

SHA1
59b35eb5304e4840fefb602ddaccee91022a031e

SHA256
d3fd6886552b3c797945ab8ed4956a68b8c78c79e8a81bb1271110e0a5225abb

SHA512
4a1917bd74d994497916abf82db3c25e3be3a9b4585a616399b4f968b97f0931bbec13fac1dc78d939ca1a93bbc1793a77414d7fd01edfcaf358e8472ca54200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3d4e5016be4f919ab6ecc4060d61d5a

SHA1
86be98b41c4421f0a70e25b031a7b62d8453e2ae

SHA256
56059252f2cb968828a6fe60926e7740a32902f177b53fd86019d18493b2b3cb

SHA512
8f92f15ad01cb81b4557e8026ab9c4fa850af929a547e17335668f7fe88712f5934a898f3281f9aa8b54598f35c08daa420fd0220bb4d0f4559558f41cf49275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7e81be2fb0256f7cfc01d77beba72539

SHA1
0fc4cbdf2e24f93d8ec0b4196b6409ed25957370

SHA256
adde567023509bf5022e62ada9d6203531a4ed9fe2d3e48eb7d3b3e485010a04

SHA512
4691de8fda4d18efc46192feef9b3b8593e87bbaf6f2eccf8b39d6a18b61098f0e82d4b52ee8a6785eacef09c3ae79b76b3e9637e5ea24fad3a9d022e1f10b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
588a02ba67b3bd62a855509ed9733b60

SHA1
7e9042b462b51513a7f591b597aa2f702ad9a227

SHA256
b5ee9ec0c3da653c31fbd8279784dae4b252fb7fb761da13fc84e90f4dbeef31

SHA512
3a3d1a73ad64dc5ec5eaba45badc038a7059567e7acd57f574d214b3b7e2e362e7fa19b05f5a8ece6f0bf97fe0ec16651dbdab4bdc527fc46658b8db96b9623c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58317b.TMP

Filesize
48B

MD5
5a60b28f7ffd1d1d94936a64fd00ec84

SHA1
10cb47a4f3ee4230940f562c683ef47d4e3673cd

SHA256
2a96eabff286f56e209f7d2d20079876ceced0d8b6d8c87fd9426484eea104d2

SHA512
ecd32ad25ac6a2b509b843b8d6b3f20d9e34bbd29b5dce2a93f2e7479df5027e99ef055331c6a158134ee6a71418e800616b50305be410c862f06c1883c04b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95f49e2cb1ccfd4e29ee34cf6387c48d

SHA1
b45f84bfbd96509214709a3b10f69a7640011107

SHA256
948d18289c94fbe80c041af8a7d64022249e3baa0996a874661e1918eb8ef74b

SHA512
208da8009e95ce8c9e5e706687adcec236965210bbd834a813b2592c0b3e4e47b280bb73f3507913b4ab55979bab38df83b1084a19fc861f5ea9d85ece4c8d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A8EAAB7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410310819083282396.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
b5cc2753e9b05416ad02b657c746d6dd

SHA1
673ce1a80199d06f086bae9ac7fd12ad904e1985

SHA256
9612101ffb813b7bd1b41f3ee2061a75361cad92dcec30a40e4334769e92ddf6

SHA512
927d23278267d67ae25e13a7a73c6a309b7a99f6c1ac31503cea89e48bd3edd9908ffefaf4f0b7219a773de242212565bf24d4447938976f95709418c9e46826

Download Submit