6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe
Size

3.1MB
MD5

918d2f7e8aec9964ce5ebf4ccda5e586
SHA1

35879e84f4f8527bfafecbaa8acfab9c62734730
SHA256

6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57
SHA512

ed486b1b9ba7d4b1c89fd7966c3c1cff7209161a6608f9817fb1079e1cb97fabd299f5f80473cde0274372bb772a699b20b348b7862bac434331a57c1f04aa24
SSDEEP

98304:XAyXe7ykegiTNpjQpSI14jSKQoDXAy0YbJ31nu2Cmh:ZXe7tiTHjY4jS1sXA/mJ5u2nh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4972	setup.exe
3008	setup.exe
4172	setup.exe
2868	setup.exe
5008	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
4972	setup.exe
3008	setup.exe
4172	setup.exe
2868	setup.exe
5008	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 455701.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2400	msedge.exe
2400	msedge.exe
1040	msedge.exe
1040	msedge.exe
5880	identity_helper.exe
5880	identity_helper.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4972	setup.exe
4972	setup.exe
4972	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4972	820	6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe	86
PID 820 wrote to memory of 4972	820	6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe	86
PID 820 wrote to memory of 4972	820	6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe	86
PID 4972 wrote to memory of 3008	4972	setup.exe	88
PID 4972 wrote to memory of 3008	4972	setup.exe	88
PID 4972 wrote to memory of 3008	4972	setup.exe	88
PID 4972 wrote to memory of 4172	4972	setup.exe	89
PID 4972 wrote to memory of 4172	4972	setup.exe	89
PID 4972 wrote to memory of 4172	4972	setup.exe	89
PID 4972 wrote to memory of 2868	4972	setup.exe	90
PID 4972 wrote to memory of 2868	4972	setup.exe	90
PID 4972 wrote to memory of 2868	4972	setup.exe	90
PID 2868 wrote to memory of 5008	2868	setup.exe	91
PID 2868 wrote to memory of 5008	2868	setup.exe	91
PID 2868 wrote to memory of 5008	2868	setup.exe	91
PID 4972 wrote to memory of 1040	4972	setup.exe	92
PID 4972 wrote to memory of 1040	4972	setup.exe	92
PID 1040 wrote to memory of 3400	1040	msedge.exe	94
PID 1040 wrote to memory of 3400	1040	msedge.exe	94
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2680	1040	msedge.exe	97
PID 1040 wrote to memory of 2400	1040	msedge.exe	98
PID 1040 wrote to memory of 2400	1040	msedge.exe	98
PID 1040 wrote to memory of 3184	1040	msedge.exe	99
PID 1040 wrote to memory of 3184	1040	msedge.exe	99
PID 1040 wrote to memory of 3184	1040	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe
"C:\Users\Admin\AppData\Local\Temp\6ef5dead93bbd8b08efc827105b5c71fdd9d773b71f7ca665d89b5514ea39c57.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x324,0x328,0x32c,0x320,0x330,0x74901b54,0x74901b60,0x74901b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4972 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241031082106" --session-guid=269f1746-493c-4066-b710-7bd0815a154f --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=3408000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x72171b54,0x72171b60,0x72171b6c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff90b9346f8,0x7ff90b934708,0x7ff90b934718
      4⤵
      PID:3400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:2680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
      4⤵
      PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:2968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:3664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5628 /prefetch:8
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      PID:5136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
      4⤵
      PID:5244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
      4⤵
      PID:5508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
      4⤵
      PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10933334026741334372,4244321201726062012,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
c8c8db92f7cd7aa2e5deefa27127451e

SHA1
8c7a6b67771e0937cd1be62deb48cc5582182b08

SHA256
f2ad2a102162e9ef032e3afa9b759ecbf7354e270768dcfcc62a84fbb8b54aaa

SHA512
fd9f03dc7fa9ae5c52c375a17c5afd2efc5b7b1586c6122ce1a7e715fd2c4ebdaaac6803b2ade829a71c3b6c64448696ac764734efced87bcaa8884f9e0fc7b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
037a1a1eed877c520ec2d8e877a0ef10

SHA1
2c261667a88ca76c700cf61c24167d6185f164b8

SHA256
04f352b4d334a645a09a76772ff766ee4ae359754a056d08f5772895a703cc7e

SHA512
021cf980ecf3cdc259caadb470a5557d8b0ac13d34185e8e4bb22693e26b7ce01ee5fcc833177d921635e8da3a6cb72e9133c5a6e786056db71969b515814bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
0ce3633df3a3ef3a9f2254a415663bac

SHA1
534fa305b3cfb71f0d6df41ede5c40ef67bb7881

SHA256
1048559e1e311f3863e6aa9cdbd57c5fab14c1ac1cad9c755d9d4cdd52cd2b0b

SHA512
563262f54fe1f21782292a3ff57f3459732068b599b2700a7e675bb2bde072ac98962d1a390238fe030d01df8fde393f7b12d92f360bce522f0cd62c7eb940fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
aa9685652cc8e6ba423d4520e39958a8

SHA1
f99c53a174e234d6bb100ae0328648c0340ec19a

SHA256
8c5be392f0a4961ba30c7158160a5437e47547b9fb33c2bae25da9e2f71ab329

SHA512
23d879da2076aca9522fc6ca21bdda05b525e77b93db18a52340a8840a38ae3b1c1ab615035ee3ecbd1c3fb4423e1718352822c9530efbdacc3ab4acd04960be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
89921ed7b97c4c052de3e9f74f308584

SHA1
1aef590519b18a8cea60af89d2fb3ce39f34524c

SHA256
49c5f0e5a58641ffd0aa084f585ef25db2648411579745dbffb23b513865fbef

SHA512
4a1e6d6abefd231547d637eaff4357cb4d28fdde450c16a405d5d6d63c20a1f08bffe4245076422c1de8c80f1287966a3ccce8173d52575a9f7868a0cb99da20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fe384ddf7b775c07a1ce6c9587abd8d5

SHA1
0405a788692bb3786858eadda4544111c77a1434

SHA256
cceb0d9e2d75eb4a14c8a89d29ab56f17942768f362ed6839911c55feaa3a843

SHA512
e50a5c66c152105c15b40127537235d61c69783fd34e936c72e3a7df3ba0eb335240b49922e4cd6ae313284800b1d6551f7361be0679232f4ce8f10717b13f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc4cbbeedf5aa03df33af740aaa0804f

SHA1
051ee483217686c818533171b02502a69e3c8977

SHA256
a3af75c2aee2869b1da06780ead5041cb8a383fbc6d8d4be5090bc3dfb9539c3

SHA512
9aeb48530de561624367f38dc472c00831aa7414fb27ce7e1eff36a227fd08ff168ffea1da75a9eea401c7476551372e7aaecf8b7b8c7a3a5dfbbd11eec1447d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a82fd78a3d5091878cf1ab93239e4630

SHA1
f1a269e06280842e24ad8889def79a94d761d3de

SHA256
1fc6161398b0d7b61ef2911943b8476e1cc8af4b4cae3491c92adda1d6ecdeb5

SHA512
3a2f14e1dca3de6256f43210adbb5e1326def9e92c30273141e21a33ad369d95ef522f6283a2c1aa43b4cd62a518463d870338e2e605f2e710f2a2d07c848957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b76fd747a77fd3ef6db2d820f3673a01

SHA1
2842c93b768d66d5e08bb4bfc9c9cf59be75f024

SHA256
4afa3f4078b2b31e1c6ad2aee0d4f2a4f3567b445095fb775612dfd703364220

SHA512
e763f3711e18ecf95523b62c53fd7fe88212e5ebd3c3da0ac165096425add0d5d116fc61f6f5af038617adb1bd4018b24c46d240455ffd845e9576e5029bb4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5819ad.TMP

Filesize
48B

MD5
c8d41fff59e14a5b03cd132fe30d2d1b

SHA1
d6a49e46fb2fffd7e5a43caa594c5508aeaa3ac1

SHA256
9fcf5873150ed9f2b391cab99c1d2884569e2fc20941992005ab5c66511a8c6c

SHA512
9fe728c6169f41673ca2de211c8ed00ea673b1d39e79c950cc168dc309dca31eedb4f4404c4204097c6087dd577e4d456911386d0eb58e107b828f0852388e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b286e6160e964e7d57fe6ea222b0d65

SHA1
82a9aa1f894be31e8c84ef62480b72bae54ba5c0

SHA256
d8972c096fbd91b66bbb25a800eeeb6c8f7a7864aeb350776a328967061f2957

SHA512
15f3c3bcacf683e1139b7dca86aa3a494d4e51dd7fc268ceba090ee0126d2022e024c64f3b1fbfbbe548e5fa50f9608444344cbd6cceadd3238b078a7d525833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
70a13af811940e10eb8eab1dbd8ac3dd

SHA1
91ca8dbe22d1797b5b04907aca23620e3d1909ce

SHA256
9f7c643f31a0fe83a26c61756b8b616db6a9d45ec7f02f9ee0dc65f09385b7fe

SHA512
900e1a5113efafb76210f341b8678f1ae516bb417fd50d92ffedaa4a71b5ff64bda742c5160320cde67c3470976301d0c4f47e051c412a2d258e725d9e2ac696

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS433B9DB7\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410310821043554972.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c88c0174dc7899003a5f3c8e602bb376

SHA1
9920251bc32a23430ee4832e6e722af0e76d2f04

SHA256
3fd0891c3a08d2898579db178813e991b5e741b8c8003bf8179155b76f8ce6c1

SHA512
e52e9e4f821bee14aa6fd30a2feea3430fdd5f21687e76bd0349a4bedf7b5df6b2f882c8e2eea3c65d9d5c2270e5c29f483076e2bc533ccbdb3666201640ef19

Download Submit