Analysis
- max time kernel: 162s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 21:37

Static task: static1
Behavioral task: behavioral1
- Sample: antA_bump.jpg
- Resource: win7-20240903-en
Errors

General
- Target: antA_bump.jpg
- Size: 318KB
- MD5: 18a72001b9043aa1dcd0471e1c3f79f0
- SHA1: 8614f3ff60027912dbf4a3c8775b6504a381342f
- SHA256: af4fc7a1f4d6ebea7eeb15f584e84af31b5c0b15c53dafacf1d069731963b1c4
- SHA512: 1d3a27305533bd5f5fe401f380936475055128a24c5e09d7a87320c4858a3c424b0f6f2dc9555598ebf1dee8ff1d351c9720e39c93440f2dd508fbdc963e0679
- SSDEEP: 6144:ze4jYM6hiZE9xguZYcvTvgvXFdGVTfqEdh4ifCywWPP74VW04iy+CLp0FMeZrkBr:zjYMkZxguZvv8vfGVTfqEUGCyXcPFmpN
Malware Config

Signatures
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: [email protected] (reported three times)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: ExLoader_Installer (1).exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (15 IoCs)
  Processes (pid, name): 5432 OperaGXSetup.exe; 1616 setup.exe; 3512 setup.exe; 5500 setup.exe; 2524 OperaGXSetup.exe; 5124 setup.exe; 5772 setup.exe; 3108 setup.exe; 4368 setup.exe; 4540 setup.exe; 1928 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe; 2984 assistant_installer.exe; 3284 assistant_installer.exe; 5128 ExLoader_Installer (1).exe; 2016 ExLoader_Installer.exe
- Loads dropped DLL (13 IoCs)
  Processes (pid, name; repeats collapsed): 1616 setup.exe; 3512 setup.exe; 5500 setup.exe; 5124 setup.exe; 5772 setup.exe; 3108 setup.exe; 4540 setup.exe; 2016 ExLoader_Installer.exe (6 hits)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 4 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\F: by setup.exe (2 hits)
  File opened (read-only) \??\D: by setup.exe (2 hits)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  Flows 273, 274, 275: raw.githubusercontent.com
- Looks up external IP address via web service (6 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows 269, 270, 271: api.ipify.org
  Flows 280, 281, 282: ipapi.co
- Drops file in Program Files directory (64 IoCs)
  Process: ExLoader_Installer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: setup.exe (8 hits); assistant_installer.exe (2 hits); Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (1 hit); OperaGXSetup.exe (2 hits)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: msedge.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Modifies data under HKEY_USERS (15 IoCs)
  Process: LogonUI.exe (all paths below are relative to \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\)
  Key created CurrentVersion\Explorer\Accent
  Key created CurrentVersion\Themes\History
  Key created DWM
  Set value (int) DWM\ColorizationColor = "3288365271"
  Set value (int) DWM\ColorizationBlurBalance = "1"
  Set value (int) DWM\EnableWindowColorization = "64"
  Set value (int) DWM\ColorizationGlassAttribute = "1"
  Set value (data) CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int) CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int) DWM\ColorizationColorBalance = "89"
  Set value (int) CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int) CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int) DWM\AccentColor = "4292311040"
  Set value (int) DWM\ColorizationAfterglow = "3288365271"
  Set value (int) DWM\ColorizationAfterglowBalance = "10"
- Modifies registry class (1 IoC)
  Process: msedge.exe
  Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings
- Processes: setup.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <certificate blob, 2 hits; hex omitted>
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = <certificate blob, 2 hits; hex omitted>
- NTFS ADS (3 IoCs)
  Process: msedge.exe
  File opened for modification C:\Users\Admin\Downloads\Unconfirmed 285152.crdownload:SmartScreen
  File opened for modification C:\Users\Admin\Downloads\Unconfirmed 700696.crdownload:SmartScreen
  File opened for modification C:\Users\Admin\Downloads\Unconfirmed 505989.crdownload:SmartScreen
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes (pid, name; repeats collapsed): 2540 msedge.exe (2 hits); 2932 msedge.exe (2 hits); 4824 msedge.exe (2 hits); 2036 identity_helper.exe (2 hits); 4320 msedge.exe (2 hits); 1716 msedge.exe (4 hits); 116 msedge.exe (2 hits); 2016 ExLoader_Installer.exe (2 hits); 408 powershell.exe (3 hits)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (28 IoCs)
  Processes: 4824 msedge.exe (28 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, 408 powershell.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: 4824 msedge.exe (64 hits)
- Suspicious use of SendNotifyMessage (48 IoCs)
  Processes: 4824 msedge.exe (48 hits)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, name): 1616 setup.exe; 2016 ExLoader_Installer.exe (2 hits); 3008 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Unique parent-to-child writes (repeats collapsed; procid_target in parentheses):
  PID 3840 (msedge.exe) wrote to memory of PID 988 (target 87)
  PID 3840 (msedge.exe) wrote to memory of PID 4372 (target 90)
  PID 4824 (msedge.exe) wrote to memory of PID 4940 (target 89)
  PID 4824 (msedge.exe) wrote to memory of PID 2368 (target 91)
Processes
- C:\Windows\system32\cmd.exe (PID 3124)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\antA_bump.jpg
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe64d846f8,0x7ffe64d84708,0x7ffe64d84718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,10383249821745054191,4565428037082247930,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2932)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,10383249821745054191,4565428037082247930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4824)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4940)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe64d846f8,0x7ffe64d84708,0x7ffe64d84718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2368)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2540)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3640)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2320)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2960)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1044)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 788)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2072)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1292)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:2036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:12⤵PID:5448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵PID:5564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵PID:5688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:5280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵PID:5584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:12⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵PID:5188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:12⤵PID:1608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵PID:5616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵PID:6140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵PID:5924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:12⤵PID:5852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6880 /prefetch:82⤵PID:6028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7252 /prefetch:82⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:12⤵PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:12⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 /prefetch:82⤵PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7472 /prefetch:82⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:12⤵PID:5864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8104 /prefetch:82⤵PID:5792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1056 /prefetch:82⤵PID:3116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7824 /prefetch:82⤵PID:2284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1820 /prefetch:82⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:12⤵PID:2616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7804 /prefetch:82⤵PID:552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6556 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,5116189779680923017,8756628067402995587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:116
-
-
C:\Users\Admin\Downloads\ExLoader_Installer (1).exe"C:\Users\Admin\Downloads\ExLoader_Installer (1).exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5128 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"c:\users\admin\desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:660
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3400
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5660
-
C:\Users\Admin\Downloads\OperaGXSetup.exe"C:\Users\Admin\Downloads\OperaGXSetup.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exe --server-tracking-blob=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2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1616 -
C:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x330,0x334,0x338,0x308,0x33c,0x74e08c5c,0x74e08c68,0x74e08c743⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5500
-
-
C:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1616 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241113213852" --session-guid=80cc1822-dcd4-4b3d-be5f-dd2b73b22ff8 --server-tracking-blob=MmUyYWY1YzU5MmE3NWY5NmJlODVmNDIwZmY4ZTNiNDNkM2QwMzljYmNmNjM2NTVlYjkzOWU0ZDYxMmJhZGE3Mjp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9TVlJfT09NJmVkaXRpb249c3RkLTImdXRtX2lkPTAyZDg5NDhhY2I3NTRlZTk4MzM5N2IxMmEyYjE3ZDQ3Jmh0dHBfcmVmZXJyZXI9bWlzc2luZyZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPW9wZXJhLmNvbSUyRiZ1dG1faWQ9MDJkODk0OGFjYjc1NGVlOTgzMzk3YjEyYTJiMTdkNDcmZGxfdG9rZW49Njc0MjM2OTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MzE1MzM5MTEuNTM3MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85Mi4wLjQ1MTUuMTMxIFNhZmFyaS81MzcuMzYgRWRnLzkyLjAuOTAyLjY3IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1NWUl9PT00iLCJpZCI6IjAyZDg5NDhhY2I3NTRlZTk4MzM5N2IxMmEyYjE3ZDQ3IiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib
3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6Ijk4N2Y5MjNiLWQzY2ItNDUyZC1iYWVkLWE3YzdhZDhmODdjNCJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=20090000000000003⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS835E1EE8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x72658c5c,0x72658c68,0x72658c744⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4540
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\assistant_installer.exe" --version3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x1064f48,0x1064f58,0x1064f644⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3284
-
-
-
-
C:\Users\Admin\Downloads\OperaGXSetup.exe"C:\Users\Admin\Downloads\OperaGXSetup.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\7zSCD99C088\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSCD99C088\setup.exe --server-tracking-blob=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2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\7zSCD99C088\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSCD99C088\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x72658c5c,0x72658c68,0x72658c743⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5772
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3108
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38a1055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3008
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
-
Filesize
45.2MB
MD5f8f5d8a48f0c2cab57db0ce48c44b320
SHA1cc82c726e916a5f2a6dcdbeecef3fa4a0319ee42
SHA256d8cc2d4e4e84e42f0724e0c5e63ec38381a2c40b87b699e2c55648a56e61588f
SHA512b412014a279ae9e61a70bf07c63789f2c90129fe7f75cb967cf7400a9d81c91ee75a4e91c1fd18972d6d1dcea7a9fe7544c7f5a105fcaac0d132b1c7a29eb316
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
89KB
MD5445d7ca13d334a0838cff9d6905c1790
SHA15747ad731326797179dac0f4770e09c36a8aa248
SHA256ac47705cb831ecb13f1c94a76fe667e40af99a5ff58ab9e50a1846ec84ec3b37
SHA512096f26d1d0cfaca0faeb975c62fd0b820215905a01194f96853d3f050b0c33b1b30c96a006e3eeb2924acf939d8713df98e1a3c0e1d1d9a9a9096a0be421bb6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5d9bf4df95663e90f73b095fac0c9b331
SHA1d9ee9f0038a3e6c84ae462f70f0e765ab766fdf3
SHA25633eee7f6e0ef2807fd2ec3155230d116e768e0b2aff5ef56553eb56bf52772ee
SHA512ba0469672b442106a086da7541e31b0ada7401c391c596ff494737a131ea6ff590222842e5c9a9d3d71f11b20e337e10a9e556a691fdb3757c4390d1d25dd5f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
5KB
MD59cea608f939898677e79e208e452d9fa
SHA11d4114a77f0fbb4862184d2633458bb9d32bd85f
SHA2563019991a1f8850c597d5f8c532ecb5c6a9133742055829eb71486ae7db503467
SHA512ca4a34db9a950ab9e8b6c3af8ad655c5713a0943c6e30da06ac029a2cfbf81510418b2511451822ca9ced324193735d0567e3d56fc9d6863f081b50057d4bca5
-
Filesize
6KB
MD5441bccf5fbdeaf9dc9105362c0dd327e
SHA112a147df3a6277187aa3e85f3af054f147babd28
SHA256ccc903f1c7809a2f39f8c37ef4889e218494497823114fa97f051e84178d19fb
SHA5127dcf67503f63d52cc53eb26d0ea77e0f24d68c3d43740d7e063939d862392b5744193ba9ef1deabc14a2017f731fad57be7a09ab3c1c486975c525f7f1080913
-
Filesize
11KB
MD584b74254dda53df94d0a3719f9e1190f
SHA16fc63ef48956f375f641b463266f528261c7dc50
SHA256995022c91f9348e725f68a390aebaa8667654fba7124cdf77fa8bb75a783d838
SHA512da49070cc166c37127f95cc58943117988c2dfc4dcb98b5b7bd5225fa41b7f47e42d6951e4b2ca93d6a37c153aee475b5c3361c29858afd599332ed8e43b1278
-
Filesize
6KB
MD5de4d45f97adf7b3e8d6710d01f91948e
SHA1ddc36a3ca77f772a448e974b29f8da92aa88c47b
SHA256ad34a783243366bc1b65d0b36e5824e20068f4b03b8cd7c9dfad7c4c8888ca1c
SHA512d93bdcd728aaaaa73a0a79b3750b781d34abc04daa87c0f33fcae7c6dc8b9669947140d5a6b092e6331f7ff51308a83648b3b97e0eb1b46791885052a51dc046
-
Filesize
10KB
MD5eee5b5828c1df29994994b58836fb00d
SHA18f3fc39f669b2a22c90b40e449dc3024f61651f2
SHA256b9459f2804548bf844743029f6661636b826a4427bc896e2f72be47d8a59b25b
SHA51239bf15537d9866f32869263ef05622f91de8964e79fd26d0dd3b65bb275fc38a3b8b7d5881d4b42ce841f508e813ff5ba2835c932d151722c7aab512d259d91a
-
Filesize
11KB
MD5f8ea5812f4828bc587915216eb884a8b
SHA1e98a7d2c089db3546e3cb057e8cd17b7733778db
SHA2568d3e1026f856df8ab1cdfa4d8e692f0fdc7553f01f2a0b9f6e7971b350e1313e
SHA51215caa089977ab2a267fcc1e00bcf5bf2b8fb7c300cdfd172d41fa2fae0cf61e0aaf2f247f84d1d35d14ba91e85d0f31bde9fe218a2010ca1a932f22e2b8d11db
-
Filesize
11KB
MD5ba7a587c06d0505f15ceb87ed32b1b8e
SHA1d58c0cd24c0e06b798882c8934dab7407d1b4905
SHA256e79036a8b7fa41ab992748c5d72c35176615ea9efa6593c83d56b004e6bdb12e
SHA51244bff63f1d90edf3953783f91c50d5c420a8298bd624379871ee16585daabf06bf5637d893e7d5ccaf96b84d3ed51d62866e35979da8b235c29937000fea9c82
-
Filesize
5KB
MD56973ecc72fc575efe7cedaab60e0a5de
SHA149b15b644fdbdb86990627fd972e6635fb42e8a7
SHA256b6a0012874c83a02f5cfbd504bda1a192735599c232c3ab74a9f844c6bb69f7b
SHA5127a1ccc973a843123230dd468957ab25c0ffb67e485760ef3048f9ce1d997b6488f0cf1d072138ac99c683f98b5c1099c132be2d7e399a355494b62083f0d5eda
-
Filesize
11KB
MD5
5c9905d0f39002e88e71a769c80f9c73
SHA1
260b0428d37fc8a34d23f36cbe107ec87bf80c34
SHA256
736256ef5ffae22451173efe8929d9d60226794e7497df1ba536dfaa21fcd0a6
SHA512
0aa7a41d224eda2af1dee53a5f4f9cee5822cec834711edf7ed3750e6ca5c8b5c5e48acbff28308dfe4fefe6476fe86528d40bb50c29cc80925e81a8d5ba524d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B
MD5
76585502c8b64174885c5bbb2d680b2b
SHA1
cba10c35a6b62c0b69b84b1e7ce629a95243caa4
SHA256
5c3dca738bed6df6c8a76859be825a73e691f90ecbf715c3b18d5e7eac869dd7
SHA512
ecc421fdd3ea9ec4505dbc0b9f851be9cb0362ac71e340c4664c9b1bfc4d7182b44fc90b0c69cfef68e86a097ae38bc77e53f5adb11f3c3ce05624ee551edad4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b205.TMP
Filesize
48B
MD5
cf27122d7ff879150468d79b43acb4c6
SHA1
56c0135a1b83fe7bcda73bc5ab5fad262af850c9
SHA256
8aceaee83179addd2b36564b90c9587dae4c3000cdd8c9ace427378d3d1a8244
SHA512
b6be06869cf00bea8b4464ece7a952e52bb4085c3101e6851e70722d1ed6eb887652d95498a40f6c6682809253dcbd7ef387a196201cd8e38914ddb6eabebd68
-
Filesize
2KB
MD5
a4ca5b1259fd4358eddc789fcf367ec5
SHA1
4eded91db977a30649a1ca4bcae400c030bbfd53
SHA256
437ff7add143fd78792fcabadf938cc96b01c38b68d64fadd4c8c52973c04982
SHA512
7b43d857ff157b061ec6880d3d18ea4cec075e39eaf81a2450883662b2aa6cd499bf0400520108985d5f9950d12b48020caf67a8ac745a2558b7bd9626eafcbf
-
Filesize
2KB
MD5
afbca65c5a3edec0352c7eb59a42b193
SHA1
83147bd37303f55cbea3657afbaa4bfd8702c0a0
SHA256
45e839881cd5753524ce1ddcc359099d90cf1953b8aeb6b3a03598077dad66e3
SHA512
b939c4709389f56ba5e80e59669c43db95e3c6b263e75c0082a437280cae4d426456a71c27302b11acd8a4de2333dec13e2bbd9444233203666833bf20ce4077
-
Filesize
2KB
MD5
20563f2da4cb145028f39d604ab08632
SHA1
581a66a09c0c6c5dec06637f98940edcf657746b
SHA256
4e529e9e06ced7a5dbe4cc03db6dfd73cc349a5371afda6c4aff72ed6f10f836
SHA512
bd4c8f18e5b03643c7bd4d9331039144f914343ad41adda4f1776444e2e07d41367d19e909192a8386d1eaa12c740a429ed4af1522a9e2d973a38c13f3549200
-
Filesize
2KB
MD5
fbd706c6f1f66829c4cac9fe65aa3c77
SHA1
23d2f6b7364d994de223fcfb0882c4f5f4bd109a
SHA256
e79b0977793ac8750063857fa9b8bda18c87c921a551beb53b6d38f396390971
SHA512
e93de58bdf71a8bb0a5c163f28252c6d2c4c30553e0f8cefd558131961e6ea133920fd3afccd9a72835a23ef0c3afe681033a71f07a68316cfd91fb08f512c32
-
Filesize
1KB
MD5
c6702b6a82aee5b6c02112220e8db13d
SHA1
a4a6d02c66c4264d84d1fa1e04b23472769e5fed
SHA256
08a24b5871c6dccf9ec6e590e730a8289cd753faf1c62b9bb5814e79ad3f37fe
SHA512
fd1981a00e0cedd869b68b007ff3f7929657a12c258188e6b10c6f3ef79262bf13129b8fca6176790c8d117d8d550fe88514e214ca1c3fe7f89223e63a734a87
-
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5
c07bb1b20d4bc7736c5bf68470245903
SHA1
97365f21264b9ef9f9814a177b4fc85d88a9d71d
SHA256
68e6954a6b5da867230048d129eccb76b675e9a6ee9f908e4a3b9e64614365ff
SHA512
5b5c11d117ac7e3dfbc23a3694adbe01835ed3c3e40656f57eaf8efa283f7349913ca4e6bdf24305bd3b38504dad5b4fed7c67ce9da5e9939087776ebab54f17
-
Filesize
10KB
MD5
1020f410dae98ab94b1d69fa525bbb32
SHA1
b3dd90a9fd18aa6953425129692ac3e28153b03e
SHA256
9b23d85592a666f139318891c2cde5a7b34944a10407f74a22b6f019384641eb
SHA512
3a50dbe6b31ea08dc70102ffe539557c581025dd3ebc3e22a92a63ffd1db757ae6d360f6f36f812a6c2a0d9a25e6ba5245f3e839ecfa3520a17ad5548df49e7f
-
Filesize
10KB
MD5
64064ea9af17ca1cb23017c5fe544521
SHA1
29740b3e5ce86b2559fd9d12a5c36c19ecfdd9f9
SHA256
23afa095c086e28662b28b50600d26d51f6d76de4dd993e39eb93aa898fa8ba5
SHA512
080b5c350af6a998227aa66d0d97900d2d6bf202ecf27ab279ab4f118c2a62c7b8bd54d22547e5d469ea784bc452e4045424f5e8c98746b04fae603ed1645fb3
-
Filesize
11KB
MD5
4609f7187af657f4e13b333b88b19afd
SHA1
45f821d8a0802f990c07857b40000057ed25ce9d
SHA256
1767a1a0b4230bf6f71c6ed2e037e3f4b93ddd096c3d0984f6d39a24196c414b
SHA512
fe07ba87744533458f126736276350bb1ce4c8c9b3f513b9ce0ddfc85e539ab572cdea4f6ba2d79134f887744f2d65432ba430e0d95faa560607b446fd307051
-
Filesize
8KB
MD5
c689304ec17ad623c66ea8f80052ac99
SHA1
852d713f1cf819bf98e975e853e9193b805448bb
SHA256
6aa9b0c780682a6af58182d9abd149cf437a96e3f8fec209093eeed6f5d9b8c3
SHA512
5526c9073e5f9926293b17fd178ea2d1e3d61a4a8a6ffcf3a417daaf9a87a66abdcdc3f5afc6dc83fa53eb63f386d9eb8e89f5f4b25d3582c9370600b236fdec
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411132138521\additional_file0.tmp
Filesize
1.4MB
MD5
e9a2209b61f4be34f25069a6e54affea
SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
6.5MB
MD5
dcc0d15e77a7872758e65deb0bfc6745
SHA1
1efb89e143bf5edd34d46ae8370ecc13d4c3339f
SHA256
87a168a04a254b1cf1adfe732e8b7b08d5c3e76ddca4e8b7fb4e58ebef85fe64
SHA512
9cb972bcd99fd03a924bbff79e8989a040d1202a77c9d8f62ea862cc6b1d258778410ad9a4de5f2aab43062f5e9fe17d7ab9baa000de98d22a47f1471d1de778
-
Filesize
6.0MB
MD5
1b07ce60bc1c77f0cadf13c2e62b1383
SHA1
ca70d0ef99ae5d1ebf85880ee669ad1145e4d79d
SHA256
e48eb19ca0210f9063f4e77c2f14293ee940eeaef2ecb9efceac7f6336cc203f
SHA512
94c358b6dfef0fcb0012a3a43235292b18ebf897043baef0c110570e91cc73721b12f1f771df6d000b4097f3c0cc22dcc65330a9153c7a9643787d24da6108f0
-
Filesize
183KB
MD5
b51f61c70894e92875d5530d0f553067
SHA1
6cfe241ad503445443463faa5f869e0ec9cf0cb5
SHA256
0cb547550924bc73727d60885a82df098ead1eddb37f39b32dd46eac8e83db27
SHA512
e8ed6fa9f10dbad7cd7e420aecf655079cb04d59229b8c014eec2cdae545de16566f8c784786dbb98e2c12f3f3bcdbba2d78445fed14807ec154bea0ce653ccc
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4B
MD5
c6894ed154a0b8e852ad30ee4ee840bf
SHA1
19e2b2269bb99cd29495a07274c427eb93dcbc86
SHA256
62a270b29e926adc39f0daaa2f168b6efc02fe42ffc145f60aaf71fa2507aa86
SHA512
3c3548874ce26856b2808557fb0517a36b837446fca1991322f569ecafc2f0a914ee6b45c6060494731217fb672dbffc74882aa751874ecba9c57b74c128a0d9
-
Filesize
40B
MD5
3de5e6e447dff35a8f249e5c1ba8f4a3
SHA1
284d10e268fb6ceb20967e27fccc337905c21479
SHA256
fd1cea1d6152ecd0d543bbb7310a22adae70dfa5b5a1e487afe9862e6e71cc97
SHA512
2a5750f1ae0cfc2f75d8d18b69cfbeeea05abceb0932283ef6abbf267d6170bc02af1aae7b090b06a10cc4bbecae47c9e97716288f938d98adcf5051ae334c96
-
Filesize
269B
MD5
90de94dac203930a5b78859624c846fd
SHA1
ecd72888fa9a686994a06b44640900247966a0c1
SHA256
965a9cffa869bf0531cc12b7e3c453d0211d18996347676114271d0c2e9a1833
SHA512
abfa3adf18c573136d1fb51d70acdd0cdf09becb018f8f42fe2f3e260720a7c61774129191293a0d98a8ee3580cb64f947f0130b9d0b6b664662fa6b3735757e
-
Filesize
3.2MB
MD5
ddbf01732ce62e17891142dedbfded8d
SHA1
7f2a890bd24ec02b163901c6d58f971e435aa646
SHA256
e9d345b551117260b59e9a654ae5dcef6d9807316ee61d7eb517178b1664d17d
SHA512
84ffe6a26024b53f41a56c74de950f77a81dbe2e0246b9e02d25cc2eb5c267dbda7b015a5a9945af16f26c8a5761dd023edce39cd46decdeee5b359f13ef33b2
-
Filesize
25.4MB
MD5
51d5e87ae7bc99d3acc39daa20b03431
SHA1
7320a8cd779bd18f572422aa53b241fadeae6a34
SHA256
07f61f7c87bdeacfe34388001489136c563f55891d1a7e4481048b0e26e888a4
SHA512
273eb5f5c93df9885ce2bcdc35df234a1f99e13af7b904d7e9a257b5e75a9a38b95f2ee4bc27a4cb069718cde57804aea45cc79223b34aa211a3a5604189c7b4
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e