151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe
Size

3.1MB
MD5

c81e881ec3e235fb059594ddc978350d
SHA1

1cbbe3302ea8fb9caab32c30f4412e8a500b1621
SHA256

151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a
SHA512

f43a53491787ace129dbe0040f8958d088dbb6f70983521651317741edf8d9395c1410757ff4055c2a295592c180f5393260f94b1ac2eaad431bcaf6c4845103
SSDEEP

98304:NAyXe7ykegiTNpjQpSI14jSKQoDXAy0YbJ31nu2Cmh:rXe7tiTHjY4jS1sXA/mJ5u2nh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1952	setup.exe
4220	setup.exe
2056	setup.exe
4916	setup.exe
556	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1952	setup.exe
4220	setup.exe
2056	setup.exe
4916	setup.exe
556	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 382395.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
3056	msedge.exe
3056	msedge.exe
5256	identity_helper.exe
5256	identity_helper.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1952	setup.exe
1952	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1952	1064	151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe	85
PID 1064 wrote to memory of 1952	1064	151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe	85
PID 1064 wrote to memory of 1952	1064	151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe	85
PID 1952 wrote to memory of 4220	1952	setup.exe	88
PID 1952 wrote to memory of 4220	1952	setup.exe	88
PID 1952 wrote to memory of 4220	1952	setup.exe	88
PID 1952 wrote to memory of 2056	1952	setup.exe	89
PID 1952 wrote to memory of 2056	1952	setup.exe	89
PID 1952 wrote to memory of 2056	1952	setup.exe	89
PID 1952 wrote to memory of 4916	1952	setup.exe	95
PID 1952 wrote to memory of 4916	1952	setup.exe	95
PID 1952 wrote to memory of 4916	1952	setup.exe	95
PID 4916 wrote to memory of 556	4916	setup.exe	97
PID 4916 wrote to memory of 556	4916	setup.exe	97
PID 4916 wrote to memory of 556	4916	setup.exe	97
PID 1952 wrote to memory of 3056	1952	setup.exe	98
PID 1952 wrote to memory of 3056	1952	setup.exe	98
PID 3056 wrote to memory of 1900	3056	msedge.exe	100
PID 3056 wrote to memory of 1900	3056	msedge.exe	100
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1968	3056	msedge.exe	103
PID 3056 wrote to memory of 1572	3056	msedge.exe	104
PID 3056 wrote to memory of 1572	3056	msedge.exe	104
PID 3056 wrote to memory of 2300	3056	msedge.exe	105
PID 3056 wrote to memory of 2300	3056	msedge.exe	105
PID 3056 wrote to memory of 2300	3056	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe
"C:\Users\Admin\AppData\Local\Temp\151cb45dfbe9ab61f2554b913b6755429d967baeb084b6dc036cc6a14af5b95a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x324,0x328,0x32c,0x2fc,0x330,0x74c41b54,0x74c41b60,0x74c41b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1952 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241031082808" --session-guid=ac3ec464-ca13-45a0-aaab-221215e79c53 --server-tracking-blob=MWY0ZjA2N2JjNjVjNTRlMGZlYmU0YjExMjhlYTA1NDIzMjczMWUzNzQ3MmQ2Mjc3NTkzZjM2OTQ5MTAxYmI4OTp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIEdYIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=9009000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.115 --initial-client-data=0x31c,0x320,0x330,0x2f8,0x334,0x724b1b54,0x724b1b60,0x724b1b6c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
    3⤵
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb072c46f8,0x7ffb072c4708,0x7ffb072c4718
      4⤵
      PID:1900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      4⤵
      PID:2300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:1616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      PID:732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
      4⤵
      PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4752 /prefetch:8
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 /prefetch:8
      4⤵
      PID:4036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
      4⤵
      PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
      4⤵
      PID:5616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5634637412023557672,16912143779680850293,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
213d08513e32bb6741bec453fd3759aa

SHA1
f7df0a9a4bcd1c840e5459102672921d7912fabb

SHA256
8e95d9099eebd14015e359e21a16a7b28fe2e3a206189c7e0dc7b5bd71d0744f

SHA512
c75a4f233621bab3306e3f6509ada296f2891c8999e8fe8fa0c48a3ebf45626b5b52b1e52af1b914b4c6e0ff881ee64405779c717adeae6973f7106446d678d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
bcfd43b53a47b2dcf107efdcbd0b59a4

SHA1
75b548df2aecb2dec9a995c9ff974be78959411a

SHA256
b0fa8ff8516c233400ff93675d5091c6747a19287d70c92c470fb30978868fa6

SHA512
f473cfef0228f41b471e67ad3dbfe5715ba9aab9eb541f27445da87b8944bcd6a3560ab3e5e57a440f8a626b9137fdcd85aa2a50366f67ec61f478b4c7cea634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
037a1a1eed877c520ec2d8e877a0ef10

SHA1
2c261667a88ca76c700cf61c24167d6185f164b8

SHA256
04f352b4d334a645a09a76772ff766ee4ae359754a056d08f5772895a703cc7e

SHA512
021cf980ecf3cdc259caadb470a5557d8b0ac13d34185e8e4bb22693e26b7ce01ee5fcc833177d921635e8da3a6cb72e9133c5a6e786056db71969b515814bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
18017d974d569c93789d4b2561de9c2b

SHA1
0752cf71dbcce532080cf93a6ae318c85388c4d1

SHA256
f68cc2a4d97a9b65ce3cdaa094658c91723dcede7902984365d7016e8e76cabd

SHA512
ac315743ac5fcf3ee7426475a77a13f9c8000d47a35fc8d3ad0c08cc8b88bb9f93e38399382d1d14721dc8c66dee6714a1a2a1faf46f08084a47cb7c708b445f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
8f0333b2d3853fca142e6d20218b8131

SHA1
9454f9e8026be8267f31e6dbd104ea428f8c4492

SHA256
64970bd0a7da00de0dd959f47cd2dfbbd97f02523da07218adb0b2f290bf4eee

SHA512
62fa36c913881804751fc7708e12253d7cff01768278bdb1e72676ec03ec3027cf2895a69a54a010ad1eeacabc2d4a3abb08e05c04d39e79cb4aab0392f61672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
0ea39ac077361b0cb93254a5a44d920d

SHA1
7c3fb51736c8780e552b72941a3d165835108eef

SHA256
8d733e846540d308ed757384bc8f65a30ab490e24f0836ba07de9caa33d2f75b

SHA512
83cc9e8f7ff1b9fb4c16a869e54ea534f53b30492bb1cfeb7656e91197ec2830d416b3e3d16a88b983b459ba44add72cc58d2e7b7bf063d5c1ba9f56edfe1e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c2b4b20b7e8cd786ef720f8c9e68595c

SHA1
bfd33001c9f5baaa0756396ab9e7a31080af5408

SHA256
431ebca1fdb54331020bf5ee5b06af7fd74055aa5ccb645d193389ee46178c4a

SHA512
36c290ae4bdfe622e67fb08d1099e655cb2de8c94ef3b16257d6ced53d6dd7405aac68f61983b91a2037af35c717f14d8be47e3848e531c83b7aae20af0ba5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
14f179a3285d349bc9324d7d8ac818d8

SHA1
d2eae67bbcdd87375b2826fc9726e0bac2a20de0

SHA256
19316c1e08bd45275d2dd9c87ed0d7c99f7f6e452ec29da0df6e4a93a0c2625c

SHA512
4a8d1ca34d37a89238e8e3b1a171625f53c2ec859d56b37a190d8bf9d5e6076e70afebb6ab351bb011ca49dddb26983a5e505f5c02c84ad52cbd49318e65fb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1710411e7f7e98471dde6eea086f36d2

SHA1
d42319b1b27bfdb83fee66175ca4155ad12094b2

SHA256
5e928df8ebd927de5e0655deef73d30729df2c1c973ebddc3e6cedb68c9a4f52

SHA512
445d2558b66d64f71f0197d8e23417b916b0589313539945ee73ed455055591263f9db6aea8c3a2410289c6a7e7e2b7e1ffcd99201010b2ea36a6ef8bffa8740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15ce084e8304266c1976b2285e8f9e94

SHA1
c0fd7be4377690ef8d6953909b256eb52980988f

SHA256
2e2811eafbbeb29edb2c0a297fb773f41afaeeb0cb62f9cf029bb700c2c52b9c

SHA512
64f6d949d375fb771a4e14600b3138b1053ea9c283a644d1589c5acde576893cdc9001521f09f35a17e8aefaef54322a4f5947df6427de2ac4cdc97e480c8df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1b5d2da7c261a8f3801c698d4a6645f7

SHA1
dfe4cfae6d7919e153c24205b222414a52062e40

SHA256
c875e44588f6e3b7b74a61e2b2dc63f2d7c108cda79d78bb8fe9eba4f2dd2e4d

SHA512
e7458fcb1daaadae8823032c4a62b28c7baf9453c3ab8197fa01ac3bf86f4fb155e31e26e783d90618b0bd95e3d262b7a39fdebc587b6bcdb06cdb1e023dd72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2f66f677d7d519af63aca685472bdce8

SHA1
4e9d239b389332b8b4a80c47bcce57fe935c5919

SHA256
43e5fdd78ad6af4b3b90350458aeee9ed6ef216685fb517510d4521d5668b81c

SHA512
5dcaa7b86ac54d0371d5de6dfd7c033c1b365129f54289823c70380556ef976629d7b85f399fde210bf64d93fb0ea089a8768d83e816a4e56817146f2cef48f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58270b.TMP

Filesize
48B

MD5
83c63bbde9d48ccd9b8251213e2d6c30

SHA1
495b838df9ee6ed288ab5f6bcd5550ce14f36713

SHA256
4aeded921ef344bb0d69ef47f647636e0efaa78eecfcf97c48cbc3d92ada8e16

SHA512
42c3998280048988706564b013c77e60b2cde6d65aedfbe13dd1d45b5012d15984f2d9cd0d266e713cd73f7b9683a5dea4f472e66d83010fdbd7bf35fe65bb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f3f5811593d242f2eba4356f6eb31a68

SHA1
5b699c20ebc1ce7238e06987b82ab4b030d69b04

SHA256
f9728ca53902d167315ed3214b9b014f63002ae27112bc45b7d282012568d87c

SHA512
d44f9af8f62425b1c1bb81e3d7043af686748a80c79e127c8445c5b1e1ffc37abc51f1729bd45fbe41831e3bc5c7e6e9c861c9c133bab7af7d0d4285218ac89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581d95.TMP

Filesize
1KB

MD5
a4500861cd97c12861e7e599e561d32f

SHA1
5d5f2ec0ea5262ef159889f6cc7586edc68e36dd

SHA256
a6cce9990edb6cd1261dac85ba2fb6c52cbedaed9e9b02bb937cf42ac02ca9b3

SHA512
fc641b279ad77aafd8e5858180fb52e624f88addf66210a5ea2e167c1a5b3e43d78d2025760d7a2f5a002c1b90fd146c429aa07f31c5563022e56ae759fd617f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d5cdeaa372605b3009e3274917465d9f

SHA1
5e8bdddf598b22988be9e1864891479cdea15007

SHA256
9809d399e362f25b52982ccd97f11cbd9b6e1f3da2a2fad736d25277ad4f04bd

SHA512
2e75f9ccb4c9c86540ba64447db0f1e1e81c190019972cf19a68ab46932fafce1854ba9ccee05eea4c167baf409b4d8999833ba05158960f72ff7640327d8602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd997906dee6ad9373a8086ae2534cf5

SHA1
e4da2c2f80b34c32aa21da87c327cacac311d607

SHA256
b2d70b931b811a040980a070670e3eaecd1a48468b9dccf7cd18e021e5bcbb12

SHA512
48c01813798403d06ce358a9e41d199b62fc4a7d88fa9adb00e1b0f624ccd4a41a99b2b42aff7a11f35963b9825e8c4a362fadcd6053a5842dc15ac51a15e752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82425987\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410310828081061952.dll

Filesize
5.9MB

MD5
640ed3115c855d32ee1731c54702eab7

SHA1
1ac749b52794cbadfec8d9219530e9a79fc9427c

SHA256
29b4cabc7a0e9dffbc2395b976749be0aad88357dd3b1d7e0cfc9b0c645421a3

SHA512
bebe55fdbb363b78c4a6371304f65b89e03a03cee5a8ebceee1681261d8df64a0de36888ed763c3a607ae2732ab54e2e41edb624f37a7fdf8755c40e6bb96f53

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
62251f7dd01196b3bf7a5f7e4b5d4269

SHA1
09e6a6523c1368d377ec127e0a018d2313ba56c9

SHA256
45c22d85f94fa016ae76f29e13a147448b0afd77fdb13a42cbe41598d4c83206

SHA512
b21f2f6e2a437f638548241c97eacf730279096377d076cf6e2745adbbf1a1487c6835c133de9412e21722b20b321079c067aaccdae309373870a7a450cca972

Download Submit