b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe
Size

3.1MB
MD5

3d06c2b094cb25a553d26aa8b1db6564
SHA1

5307870670bcc918438d4348cd0ca32ffc26480c
SHA256

b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7
SHA512

dafb097a6a6ebf8ec59e25877fc1ff013f4b19346cc2f111b49dc58450739d1d6faf9ba115faa663e2261db178ff548c9a8630a568139d8c0f028e15248587c9
SSDEEP

98304:PAyXe7ykegiTNpjQpSI14jSKQoDXAy0YbJ31nu2Cmh:xXe7tiTHjY4jS1sXA/mJ5u2nh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
628	setup.exe
4200	setup.exe
1356	setup.exe
3316	setup.exe
1816	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
628	setup.exe
4200	setup.exe
1356	setup.exe
3316	setup.exe
1816	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 368322.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2136	msedge.exe
2136	msedge.exe
3268	msedge.exe
3268	msedge.exe
5424	identity_helper.exe
5424	identity_helper.exe
5392	msedge.exe
5392	msedge.exe
5392	msedge.exe
5392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe
3268	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
628	setup.exe
628	setup.exe
628	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 628	1600	b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe	85
PID 1600 wrote to memory of 628	1600	b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe	85
PID 1600 wrote to memory of 628	1600	b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe	85
PID 628 wrote to memory of 4200	628	setup.exe	88
PID 628 wrote to memory of 4200	628	setup.exe	88
PID 628 wrote to memory of 4200	628	setup.exe	88
PID 628 wrote to memory of 1356	628	setup.exe	89
PID 628 wrote to memory of 1356	628	setup.exe	89
PID 628 wrote to memory of 1356	628	setup.exe	89
PID 628 wrote to memory of 3316	628	setup.exe	94
PID 628 wrote to memory of 3316	628	setup.exe	94
PID 628 wrote to memory of 3316	628	setup.exe	94
PID 3316 wrote to memory of 1816	3316	setup.exe	95
PID 3316 wrote to memory of 1816	3316	setup.exe	95
PID 3316 wrote to memory of 1816	3316	setup.exe	95
PID 628 wrote to memory of 3268	628	setup.exe	97
PID 628 wrote to memory of 3268	628	setup.exe	97
PID 3268 wrote to memory of 2032	3268	msedge.exe	99
PID 3268 wrote to memory of 2032	3268	msedge.exe	99
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 4828	3268	msedge.exe	102
PID 3268 wrote to memory of 2136	3268	msedge.exe	103
PID 3268 wrote to memory of 2136	3268	msedge.exe	103
PID 3268 wrote to memory of 1116	3268	msedge.exe	104
PID 3268 wrote to memory of 1116	3268	msedge.exe	104
PID 3268 wrote to memory of 1116	3268	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe
"C:\Users\Admin\AppData\Local\Temp\b378e321126292e91338bd537c775b2ec163a1e787f5d3e3ce2405ee5ab7c1c7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x74f21b54,0x74f21b60,0x74f21b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=628 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241031082117" --session-guid=0327a1ca-50f0-494c-ad6a-f69c24d542c5 --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=E809000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x320,0x324,0x328,0x31c,0x338,0x72791b54,0x72791b60,0x72791b6c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf0fc46f8,0x7ffdf0fc4708,0x7ffdf0fc4718
      4⤵
      PID:2032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
      4⤵
      PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
      4⤵
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
      4⤵
      PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5228 /prefetch:8
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
      4⤵
      PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:1196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
      4⤵
      PID:5452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7533810016038055726,4521433271038316666,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6576 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
c8c8db92f7cd7aa2e5deefa27127451e

SHA1
8c7a6b67771e0937cd1be62deb48cc5582182b08

SHA256
f2ad2a102162e9ef032e3afa9b759ecbf7354e270768dcfcc62a84fbb8b54aaa

SHA512
fd9f03dc7fa9ae5c52c375a17c5afd2efc5b7b1586c6122ce1a7e715fd2c4ebdaaac6803b2ade829a71c3b6c64448696ac764734efced87bcaa8884f9e0fc7b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
037a1a1eed877c520ec2d8e877a0ef10

SHA1
2c261667a88ca76c700cf61c24167d6185f164b8

SHA256
04f352b4d334a645a09a76772ff766ee4ae359754a056d08f5772895a703cc7e

SHA512
021cf980ecf3cdc259caadb470a5557d8b0ac13d34185e8e4bb22693e26b7ce01ee5fcc833177d921635e8da3a6cb72e9133c5a6e786056db71969b515814bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
93f07d119c4fe2ec293f60f761ebe4cf

SHA1
d98a745718e1e39bf56b8038aa2e9688307b33b4

SHA256
b16c0889e9cf030eca277dc2733ef170d2699c3fea3b960e2711761ff37c6730

SHA512
076014959609593bf9cf8d538dae2d106af74dd63f260b53d5cde0c5dd38379a13e17661378a3d45068b9698bed3d54f9cf98738df8a6c61ba20dd4834dd5d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
0d00a56c722ac33273a66d6d821da05c

SHA1
97b2a2fd7d24c7715a22b180685b42519fda1709

SHA256
e5e47027f9fb6ebbde09358d269ac316802d83c8ac71306e1556ac5c404a442a

SHA512
3ec69544334be9b115f5d018bc69b094327302b65376f21e689e4fa7a2ed87dc5165bba7ec0de45caca739a64e0ea3de58eb4f3ba73f06cc3d1fc49786de97c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
4bd2d0f678fffade45c8ec649e66d5b9

SHA1
e507ba811a8b49d8a96b2f4aa51bd2a7c2eb5fdd

SHA256
c1cceb8df82f10fce7f4e4f3d4178c15bc9c2bd30646ea7140b24f5695d00e86

SHA512
d3249b900266b30a84a0653c0f03ca77d1d20343758dcf5ee4b895178adee06e4bf9c8a92a096eba82117b623ed734f4f9ca9d8964fa240427285479a1f2b017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4f773fd5280f7179ef6c25c72c184e5c

SHA1
4997aebef9c4f31ca4b58412585ddbf53c795f9c

SHA256
da33c8d8c88ee4103c1f8a1dceb32e0caf80bb90584340101bea534e7a7dec37

SHA512
a8e51831375bf089abb122cbfe75b725e6cc8cd5c513c8f500faec7cb7e61f12bb127d81cc01863c7d3c63b24846cc2b3b8024098e12d234d3436a296a553fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0413477c8ee93fe7cec810cade603795

SHA1
41c54b3128776f0209a2d9cb879c56fa7fed7bc6

SHA256
60642fe5c7f0f4febc2bb562c98802881af30d5d9e6e5384ffa6a89fecb43b0e

SHA512
e9c27721a0a7319dbca3306dcbfa74c1f393de7df1fe510fc87b1ab3b552017425b65bc4990d3f06b3af0c6ae887112298d326864f249939ee803ecf4600f18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e5bb4ea360e4ef41e72c4cd5727638e

SHA1
ce2ea957cdba9e6195bd7a03e6bcbf7d0d381b01

SHA256
9002870ea5ab497ef394ab3f275f0f87198bd279d2cf9e451ed1718988e512b6

SHA512
4a50dbb61765c090666ad25bef65b7de2898320e469f1110fe30483f4f7fc20f6efb4debc8a7fb151f0adfca08b2d4255566fc533683398fc646da0b877436b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6e750ff19d3b4ae12a6beecba2b86168

SHA1
cf5e2166845cf7d0c89a3957e4301b3c309fc494

SHA256
46930bb1ed1d76ded0cd7ab4a3fc691d46ef5d0437ad4c3d167cbb1c484c57f5

SHA512
fd3f4c391e5a77fe86fc9de993369ff5b3771bc82c1a465ddb7c59c0218520222ebd369ee57d4527bb6fefaeb2ad7dbe4cdbf95780f324046f0ca79f7316caa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587961.TMP

Filesize
72B

MD5
27b40d5012166f4c3b9350beda64e3ed

SHA1
01a73a10245ae1a57a75bd5136e7039421276a05

SHA256
91d6fce88a535603f587ef86f8ac63a0065f7923641ad20953152ef29cc25f3e

SHA512
456b3b72989cd935760c15ab1ed03aff1477e58a47b75bc00c166a20bc9244b2cae004f546e33cad4e725c721b6c0ddd0e109c478a2ae5563c5e64ac2ca3ceda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b38d348eda7aaf9945dad274e16cf69

SHA1
b838c1dbae0fe7dc48911119739dc49e50377e7a

SHA256
e8ebba756c84d167129c40070539f018173d95e9c7770c82af687f93dccafec0

SHA512
2e99cc741840c07f13a103a21dda0c318856d84b8906dd77e7e23cd6a04d973ed334007958f523e5037cb22a5c2700d127cc48c106e6a4e2d7a55215f4bdfbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44c77ff7dd0e33e9f2135b08c67051d1

SHA1
44451a4f92d4e851083e2f890ad6ff9ec845da7a

SHA256
5cc41c9ed6b54e0e7c9118e2e3be746edad31cda90808a014e49efe23ef64c78

SHA512
87d383e42a425d531ccb43bace4d1acb18602875796779de3322476099f49110b4bf7b86f8eb47716c06c85994b3796088662eed2e38453f5d25302e0325dff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0468EFE7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_241031082114433628.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
b056b6ba0a935fb92d89b4e81ed01263

SHA1
120d46659a38036fb3d835f2331e557bc94f668f

SHA256
48764c7d21b86668c907d67b3a796a93a3aed0177d2d12dc62a0e488fb708d32

SHA512
d55314d784a570ff2c7d34af7f5c663e4d5059c6a82e90bc091b99027b7e1eeadcb9425c1f6415cc7aeacf1edcd6ca391660b665026902384036fbe22246a7c5

Download Submit