Analysis
max time kernel: 149s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/11/2024, 16:30
Static task: static1
General
Target: Luna Exploit_42878198.exe
Size: 5.7MB
MD5: 15d1c495ff66bf7cea8a6d14bfdf0a20
SHA1: 942814521fa406a225522f208ac67f90dbde0ae7
SHA256: 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
SHA512: 063169f22108ac97a3ccb6f8e97380b1e48eef7a07b8fb20870b9bd5f03d7279d3fb10a69c09868beb4a1672ebe826198ae2d0ea81df4d29f9a288ea4f2b98d8
SSDEEP: 98304:+j8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEL78rqNkIi+bn:+j8aatLPV6oPrk38rqNj
Malware Config
Signatures
A potential corporate email address has been identified in the URL: [email protected]

Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\D:  setup.exe
  File opened (read-only)  \??\F:  setup.exe
  File opened (read-only)  \??\D:  setup.exe
  File opened (read-only)  \??\F:  setup.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  28    ip-api.com

Drops file in Windows directory (1 IoCs)
  description   ioc                                        Process
  File created  C:\Windows\Setup\Scripts\ErrorHandler.cmd  lua.exe

Executes dropped EXE (10 IoCs)
  pid   Process
  5020  OperaGX.exe
  540   setup.exe
  872   setup.exe
  4644  setup.exe
  2044  setup.exe
  3148  setup.exe
  3636  ContentI3.exe
  1340  Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  3796  assistant_installer.exe
  1644  assistant_installer.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  540   setup.exe
  872   setup.exe
  4644  setup.exe
  2044  setup.exe
  3148  setup.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NOTEPAD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Luna Exploit_42878198.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OperaGX.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lua.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  assistant_installer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  assistant_installer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ContentI3.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lua.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Modifies registry class (3 IoCs)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable                                     Luna Exploit_42878198.exe
  Key created  \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings  Luna Exploit_42878198.exe
  Key created  \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Opera GXStable  Luna Exploit_42878198.exe

Modifies system certificate store
  description       ioc                                                                                                                   Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25       setup.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob  setup.exe
                    (value: certificate blob, omitted here)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob  setup.exe
                    (value: hex-encoded certificate blob, omitted here)
Opens file in notepad (likely ransom note) (1 IoCs)
  pid   Process
  2508  NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  752   schtasks.exe
  4944  schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  3736  msedge.exe (x2)
  3728  msedge.exe (x3)
  3488  identity_helper.exe (x2)
  3960  msedge.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
  pid   Process
  3728  msedge.exe (x16)

Suspicious use of FindShellTrayWindow (32 IoCs)
  pid   Process
  3728  msedge.exe (x32)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process
  3728  msedge.exe (x12)

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  3436  Luna Exploit_42878198.exe (x5)
  3636  ContentI3.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                    procid_target
  PID 3436 wrote to memory of 5020  3436  Luna Exploit_42878198.exe  80  (x3)
  PID 5020 wrote to memory of 540   5020  OperaGX.exe                81  (x3)
  PID 540 wrote to memory of 872    540   setup.exe                  82  (x3)
  PID 540 wrote to memory of 4644   540   setup.exe                  83  (x3)
  PID 540 wrote to memory of 2044   540   setup.exe                  84  (x3)
  PID 2044 wrote to memory of 3148  2044  setup.exe                  85  (x3)
  PID 3436 wrote to memory of 3636  3436  Luna Exploit_42878198.exe  86  (x3)
  PID 3436 wrote to memory of 2508  3436  Luna Exploit_42878198.exe  89  (x3)
  PID 3728 wrote to memory of 2760  3728  msedge.exe                 91  (x2)
  PID 3728 wrote to memory of 3560  3728  msedge.exe                 92  (all remaining entries)
Processes
Nested entries are child processes of the entry above them.

C:\Users\Admin\AppData\Local\Temp\Luna Exploit_42878198.exe  (PID 3436)
  command line: "C:\Users\Admin\AppData\Local\Temp\Luna Exploit_42878198.exe"
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\OperaGX.exe  (PID 5020)
      command line: C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe  (PID 540)
          command line: C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe --silent --allusers=0 --server-tracking-blob=[value removed]
          - Enumerates connected drives
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe  (PID 872)
              command line: C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x338,0x33c,0x340,0x318,0x344,0x71518c5c,0x71518c68,0x71518c74
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe  (PID 4644)
              command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe  (PID 2044)
              command line: "C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=540 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241112163102" --session-guid=48baac75-04ff-457d-b899-2355cfe8b40f --server-tracking-blob=[value removed] --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C06000000000000
              - Enumerates connected drives
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe  (PID 3148)
                  command line: C:\Users\Admin\AppData\Local\Temp\7zSC93144E7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x705d8c5c,0x705d8c68,0x705d8c74
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe  (PID 1340)
              command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\assistant_installer.exe  (PID 3796)
              command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\assistant_installer.exe" --version
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

                C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\assistant_installer.exe  (PID 1644)
                  command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411121631021\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x8c4f48,0x8c4f58,0x8c4f64
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe  (PID 3636)
      command line: "C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\NOTEPAD.EXE  (PID 2508)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3728)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2760)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8005a3cb8,0x7ff8005a3cc8,0x7ff8005a3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3560)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3736)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1796)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4712)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2492)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 564)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3060)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 3488)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3960)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1420)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 532)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 700)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2144)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4784)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4368)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 764)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1752)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3756)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4412)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5032)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2720)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4720)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1416,17181930747494027486,14558320462028501833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  (PID 4188)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 1420)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 1432)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe  (PID 4828)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "

    C:\Users\Admin\Downloads\Solara\lua.exe  (PID 4664)
      command line: lua.exe cache.txt
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\schtasks.exe  (PID 4944)
          command line: schtasks /create /sc daily /st 11:13 /f /tn WindowsErrorRecovery_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\cache.txt""
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\schtasks.exe  (PID 752)
          command line: schtasks /create /sc daily /st 11:13 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\cmd.exe  (PID 3220)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "

    C:\Users\Admin\Downloads\Solara\lua.exe  (PID 4716)
      command line: lua.exe cache.txt

C:\Windows\system32\cmd.exe  (PID 1004)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "

    C:\Users\Admin\Downloads\Solara\lua.exe  (PID 4884)
      command line: lua.exe cache.txt

C:\Windows\System32\cmd.exe  (PID 2020)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Solara\Application.bat"

    C:\Users\Admin\Downloads\Solara\lua.exe  (PID 2240)
      command line: lua.exe cache.txt

C:\Users\Admin\Downloads\Solara\lua.exe  (PID 3936)
  command line: "C:\Users\Admin\Downloads\Solara\lua.exe"
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Downloads\Solara\lua.exe  (PID 476)
  command line: "C:\Users\Admin\Downloads\Solara\lua.exe"

C:\Users\Admin\Downloads\Solara\lua.exe  (PID 5084)
  command line: "C:\Users\Admin\Downloads\Solara\lua.exe"

C:\Users\Admin\Downloads\Solara\lua.exe  (PID 5064)
  command line: "C:\Users\Admin\Downloads\Solara\lua.exe"

C:\Windows\system32\cmd.exe  (PID 1432)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Solara\Application.bat" "

    C:\Users\Admin\Downloads\Solara\lua.exe  (PID 4324)
      command line: lua.exe cache.txt
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads