6bba081474e42a3ce8713a0619664e069ba15e271d28cc134009af3f53c7bdd1

Resubmissions

21-11-2024 23:47

241121-3tapdaznbs 8

21-11-2024 23:21

241121-3cam2swrek 3

21-11-2024 21:39

241121-1hkn4axrfy 10

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXM_Premium_Tweaking_Utility_1.0_Cracked.html
Size

469B
MD5

8c1a6acb0cf4efaea77c25de80dad5d6
SHA1

28a858f732ce50193e5c24b3c26f8ac59957f078
SHA256

6bba081474e42a3ce8713a0619664e069ba15e271d28cc134009af3f53c7bdd1
SHA512

84ef0ba97c9a4f7a48016905a816b5cd83ad4e862eb20cac2b8e82ef42ecdc54f40aa485ae8fccf6b96bbb0ec890ffac0fbb0bf8289389d6b77ca2469d29c7bd

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
5524	OperaSetup.exe
5600	OperaSetup.exe
5772	setup.exe
5784	setup.exe
5856	setup.exe
5896	setup.exe
6068	OperaSetup.exe
6076	setup.exe
6088	setup.exe
5232	setup.exe
5208	setup.exe
5144	setup.exe
5780	setup.exe
5864	setup.exe
6136	Assistant_114.0.5282.21_Setup.exe_sfx.exe
3732	assistant_installer.exe
4580	assistant_installer.exe

Loads dropped DLL 15 IoCs

pid	Process
5772	setup.exe
5784	setup.exe
5896	setup.exe
5856	setup.exe
6076	setup.exe
6088	setup.exe
5232	setup.exe
5208	setup.exe
5144	setup.exe
5780	setup.exe
5864	setup.exe
3732	assistant_installer.exe
3732	assistant_installer.exe
4580	assistant_installer.exe
4580	assistant_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	mspaint.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 191492.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
4100	msedge.exe
4100	msedge.exe
2596	identity_helper.exe
2596	identity_helper.exe
5204	msedge.exe
5204	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
4748	mspaint.exe
4748	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5784	setup.exe
4748	mspaint.exe
2948	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1912	4100	msedge.exe	83
PID 4100 wrote to memory of 1912	4100	msedge.exe	83
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2404	4100	msedge.exe	84
PID 4100 wrote to memory of 2656	4100	msedge.exe	85
PID 4100 wrote to memory of 2656	4100	msedge.exe	85
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86
PID 4100 wrote to memory of 4868	4100	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd914c46f8,0x7ffd914c4708,0x7ffd914c4718
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5288
- C:\Users\Admin\Downloads\OperaSetup.exe
  "C:\Users\Admin\Downloads\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\7zS49522B97\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS49522B97\setup.exe --server-tracking-blob=MDFiOTIxMGIxMTg5OWRiYWJiOTg2YTBhZTIyMDIwMjA3NjFmZGEzOTM3ZGVkMDQ2MmY2ZTk5MzE1MWVlNzNjNjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy51cGxvYWQuZWUvIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD0xZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYmdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInRpbWVzdGFtcCI6IjE3MzIyMzI4OTEuODA0MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85Mi4wLjQ1MTUuMTMxIFNhZmFyaS81MzcuMzYgRWRnLzkyLjAuOTAyLjY3IiwidXRtIjp7ImNhbXBhaWduIjoicHJlbXB1YiIsImNvbnRlbnQiOiJNREZfUEJfMTY0MDlfIiwiaWQiOiIxZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJ5ZXBhZHMifSwidXVpZCI6ImI5MjAxMTEyLTBjODItNGMxNy04MmRmLWRhNmY4NmYzM2QyZCJ9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\7zS49522B97\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS49522B97\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x330,0x334,0x338,0x308,0x33c,0x746dfb14,0x746dfb20,0x746dfb2c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\7zS49522B97\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS49522B97\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6088
- C:\Users\Admin\Downloads\OperaSetup.exe
  "C:\Users\Admin\Downloads\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe --server-tracking-blob=MDFiOTIxMGIxMTg5OWRiYWJiOTg2YTBhZTIyMDIwMjA3NjFmZGEzOTM3ZGVkMDQ2MmY2ZTk5MzE1MWVlNzNjNjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy51cGxvYWQuZWUvIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD0xZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYmdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInRpbWVzdGFtcCI6IjE3MzIyMzI4OTEuODA0MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85Mi4wLjQ1MTUuMTMxIFNhZmFyaS81MzcuMzYgRWRnLzkyLjAuOTAyLjY3IiwidXRtIjp7ImNhbXBhaWduIjoicHJlbXB1YiIsImNvbnRlbnQiOiJNREZfUEJfMTY0MDlfIiwiaWQiOiIxZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJ5ZXBhZHMifSwidXVpZCI6ImI5MjAxMTEyLTBjODItNGMxNy04MmRmLWRhNmY4NmYzM2QyZCJ9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x7386fb14,0x7386fb20,0x7386fb2c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5784 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241121234823" --session-guid=e2016c29-f223-45e7-8ebf-4c843c928297 --server-tracking-blob="MGNmMzcyNTU4ZmM3YWMyYTkwZjVkYzI2ZDk3NDE3ZjkwZGVjZWVkMzRlZWIxZTdjNGU3NTA2YmZkY2ZkMjkxNDp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy51cGxvYWQuZWUvIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD0xZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYmdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMjIzMjg5MS44MDQwIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzkyLjAuNDUxNS4xMzEgU2FmYXJpLzUzNy4zNiBFZGcvOTIuMC45MDIuNjciLCJ1dG0iOnsiY2FtcGFpZ24iOiJwcmVtcHViIiwiY29udGVudCI6Ik1ERl9QQl8xNjQwOV8iLCJpZCI6IjFlNDU1YzYwLTVjMWEtNDVlNy05NjViLWRmODM5ZjE0ZDdjNiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6InllcGFkcyJ9LCJ1dWlkIjoiYjkyMDExMTItMGM4Mi00YzE3LTgyZGYtZGE2Zjg2ZjMzZDJkIn0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=D008000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E52DA97\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x334,0x338,0x33c,0x280,0x340,0x71dcfb14,0x71dcfb20,0x71dcfb2c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3732
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0xe517a0,0xe517ac,0xe517b8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4580
- C:\Users\Admin\Downloads\OperaSetup.exe
  "C:\Users\Admin\Downloads\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6068
- - C:\Users\Admin\AppData\Local\Temp\7zS4B777A87\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4B777A87\setup.exe --server-tracking-blob=MDFiOTIxMGIxMTg5OWRiYWJiOTg2YTBhZTIyMDIwMjA3NjFmZGEzOTM3ZGVkMDQ2MmY2ZTk5MzE1MWVlNzNjNjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy51cGxvYWQuZWUvIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD0xZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYmdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInRpbWVzdGFtcCI6IjE3MzIyMzI4OTEuODA0MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85Mi4wLjQ1MTUuMTMxIFNhZmFyaS81MzcuMzYgRWRnLzkyLjAuOTAyLjY3IiwidXRtIjp7ImNhbXBhaWduIjoicHJlbXB1YiIsImNvbnRlbnQiOiJNREZfUEJfMTY0MDlfIiwiaWQiOiIxZTQ1NWM2MC01YzFhLTQ1ZTctOTY1Yi1kZjgzOWYxNGQ3YzYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJ5ZXBhZHMifSwidXVpZCI6ImI5MjAxMTEyLTBjODItNGMxNy04MmRmLWRhNmY4NmYzM2QyZCJ9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\7zS4B777A87\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4B777A87\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x71dcfb14,0x71dcfb20,0x71dcfb2c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5077662328291454622,5808053664206348969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OptimizeHide.bat" "
1⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OptimizeHide.bat" "
1⤵
PID:5840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x500
1⤵
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\OptimizeHide.bat" "
1⤵
PID:1684

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WatchUnblock.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
719182e07998ae9226d45680aa1fe178

SHA1
8f8b03c110c129cb3a35841ed959de7a7266ffec

SHA256
8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

SHA512
2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
727B

MD5
fa7f2f1296c981ddb4c2901a533033bc

SHA1
c97d36333cfe007810e41862ad3466b87c123cc3

SHA256
c996d8c8e94665d43c1cb881f3d381daaf4e1e6bbcb1f4a9b6ed9075bd34758a

SHA512
b56f8cac8349ebc56020ddc0418d87da32d49931cdecaa4b55f8d956edcee7d39d19af54564ab95075a11a962a2074aba6bd005ec054344dc36c16033d0dde22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
c59fe2122c01472472b32153f9357db9

SHA1
ffd45432839790442f659390e16b2b4f96c066c5

SHA256
fbe269cbc7e81263ef32c8a3b320697dc8d0b9f90d72c13b7e74b482a640b71b

SHA512
51ae31fd5603d1b6038a3ed1134143bfb757372b8daf06f471d7ca5e54c4fb2bb27c4b257149861e5e3e841070f7d1bc7488bf3f799ea39c7daa7ec62fe5eb31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
d880ed53a7a4d6f0641528d795124316

SHA1
a25d0269d0784b4c2600567bfdb595f654f697fd

SHA256
e53b0e3d52a300324996efc2ff9239e7fd44d95f07fcdf8a6d3c70dc60a8f07a

SHA512
0514e6a046fccceeefd2d372a1fd60cd170627006fa9fff483e1977e4950f64b0ab72837c8c52e7e2d83047f3229e52b43e82a142c3d4d486b278ed527f4f94e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
412B

MD5
20b9c1d5e2b04a3007f1fbaa3cca9493

SHA1
dc51d648a1d66dd4f0ba3773b8081011552383f2

SHA256
46e94f971268a7e59407d09cf5f1d76dd4fe5a9357237e8b6496cf050151d9af

SHA512
67ee805624bfcefc9b58250ae533bfe0e393403711838341949b4734fec009d589b1635d6bebf2912ddc1dfd8a27b2596fdb62a3f32aec6a6f2d2443153d7512

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
c211417c34753d3f2f496fad20ba67d3

SHA1
863a4987e57055220f3670c1fd06f86f4f86ffb5

SHA256
66f8376f9c2b74e6f98463e40966fc2f059b8a68b5c592b3d19a580f0a5564ab

SHA512
89565e7122d9737357c04357432eda06ffb66e97e057053256a6644551e379da84aed258761caa21a6db963d4134068ccfeb56687245c726dc482cc0d2074213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
8e363edbfb542c8862381ae51efa2fc3

SHA1
380ffb459608afd82bfdc208b6e68c8198dd268c

SHA256
5580f66e6996f799e0fff7ec17bb81c3e09a3c5e323916587f8b591d07d5c0c8

SHA512
f438d7a722b3f9af820daec1661ac4c85397f78f4455057f98f7fcaeb3812df6397e5306cda8018e4477eb618f2ec8c554ca286dae1e748bd572940a474195de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a3036f607e73de1b33053c447d4a6103

SHA1
560fe820008a8fdab18d433f6972aafb5bbaa5af

SHA256
346a1bb87733acf55f9817c3b1624da4ea162a26b680f9dece17654c6c548887

SHA512
cecc5362521ea727ae9b019d09e11e233cfde7b47e644361169100f225ea091e78f020eb3f7a885ba1f01a345e1cef71e95aeac50caf763f5259997d0aedf88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cac3c6045b064b60caad633868eec553

SHA1
eccbe428aa57a2d4cd1495c10efc67de3f2b2328

SHA256
869cb4ee53d80c1330a68ccdc0937e94183bd2119a85511b5108c50401d8d1da

SHA512
51253c02336c6eede2b72463a96ab76483849dfb309463770749ec9e8f286380b09531eb32b7b93ce25dbb60f78c7493b7b51f69b8818cbe830364ebe21ca285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9a7b99dd6c647abd48d273c80447d2f

SHA1
1f5e3e696046dba6f5cfa28f2bfd432d2649d793

SHA256
8bee6a1bac0fa9b360c457e9f2a1ec320a093bccf751c46a1cf997b24eb0828e

SHA512
04ef47a727f31ef252e1b224482f2a76497726c54b66d565178b169f0c219ae61fe1f6cd9441604498cc9602736c2bc403afb9f0e0f5434098ce2f62bde3e70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8130dc719fb83e1bbf199950585a5a5d

SHA1
f8157ef8f527b70e7ac9fde7a2d096cc9a3350aa

SHA256
057d097526eb2b5ada1e5d7634c999d34238caef6eeac315cdd2732858aa4300

SHA512
4ca516772316703a2e8c546f8bb562e1dc57f1281c1ae7e8849cd0a131e1e15ae2187f3bd0327357a367eae1998c48d0f19358e1a876705183bdf75e98b5e3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af6770be1d5ab28a448c9745a6e62417

SHA1
fd9dbaaedd9bf49ea94d5920e3daa59419895ae3

SHA256
18d4ee48c2cd1b38bafb98fdd2c99dd2e9a70a6b9edd35eac4829ad4acb900e0

SHA512
76c633520abfff931a7e6c50f5d8739e20514cc1d6b0ebebc2eef18019e2076e02842bb5be41c94fb4e82a52d5a4bb4388d7a4ce706e2b4cab09d10718cc027f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de609fc0b15795a46a6435daec534b5c

SHA1
c6e35c6674d99979d80c5a3d88c0de2b1f558d9a

SHA256
3f8ca011f756b194c85386eca2569a60d93c239054dead42fa99d025967d69fc

SHA512
4e4e3971eb16c5de4a833c0dc8f25fe24d842195da428fb0fc60567e52eff6718c13d18a99b4938827c906ac72e589c8e941e257a44938e73547c23059be1e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
304059a5e55f0f76feb2952d0ac33459

SHA1
9b38b4e9ff487694a484807de318d1c759c18047

SHA256
1330faf9e6da3f81eccd28dbcaaa523e529a55e2534836038a02b739e1903061

SHA512
db3126359f42734629d5f87f7092ea3842f161bb9466adfa6f0c72912eeb71aecffc3f99f2038c32ee8be1933a7da5b37925e3406dbfe6faa0eb0094a5346f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab9a9aa075a0d55664619f4beecdfbd8

SHA1
01b656ddbc5bf7a76a7fbb29d03c135acdedbb08

SHA256
ff9e7d1991f95829ff253d3be8eedd5b7d05fc61d1fe0be44c716a261d102f1b

SHA512
7853472fab1e853ae6a3c75117d1bd0629ac736a6a35b39680eaca03d12a6c7f8a046a1aaefe8ef14d13f6c322bc03291b289f13351f33b8db1e1fc03cd69eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aeed4e2ef7313e05b30b0aa23624fd94

SHA1
623b0403b457f9dae9bc6d8e22a958d62764a6d6

SHA256
bd05134dc72f22558d3a6bfeee2f8a58e43cc702e858dbb9070a2feb69054c07

SHA512
7dd671327021fc769b50e7a23ff62d4f4a9b37595564e994cff27cbc69cdf24ef28ed7579099bd47e9ecb0e4db2e80b9fcf8d9be5c74647d74869dce714bc3f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74a4b99adfc8708ae57b50d532157094

SHA1
067d035ad93940ad774c563aa4e95bd9ac83ef8d

SHA256
4f567294dd5bec9f208f48c0bf431cd10ad7afc5680b03fbbff14746b877e562

SHA512
9423f4ffbe1c174c8464870d414f2f4ec9fda12a5eab0420ba538b0436b0b1754128651ec9f1697de6f7ca8a7ab580a806605d9077faea72d2f9ef682977d02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9f509e6e409e88fbff549de18f41a7a5

SHA1
1fa6522701112b0757239b4d7bfadbbac752229d

SHA256
2e8ecfacdae77b60ed042d9c62d3f867521d04d0e154df9ed7b5b3290f404aa2

SHA512
51e51fa18c8f6e548c79a6a9c7fcdb7a738af3e42a45589ee63b70088abd4c08d5edacf5e6ffa3cb328f9782018c201af38df4ad13e87c880ae79be30cc28a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411212348231\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
3b103a9ba068fb4f932d272d19f5619f

SHA1
8270adf6a18d0101ce54afb77179d55a78a35fc7

SHA256
7e9f5f137372bf9e13383dc06c71139d92a4a7efcb5c64c570311999ecafab15

SHA512
83011d2315dfdd8838d62b66f576259882033e28e58ffb1931f97bb0a105cce5f03a4ca6c1de88611876d038f7e2ca7be626d4e0fb689d1ed8c99c6ce9adda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49522B97\setup.exe

Filesize
5.3MB

MD5
7e293ea90477b4293d42b35b9a7eefbc

SHA1
32d9c1e87d9f8cbecc4794a106b6baddbeb0fa82

SHA256
61325bf8db458c0f321b7d3e0a0b968313556e84cd74ef062b1ab8f4d37f1af3

SHA512
6966e8a5658455a561c891b0b0d0fa2158a98a06695c3f76794def1629317ed7f29ae1762c2564154c20c0fb3285196a791583761ee65c5f274838f5cd833e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2411212348222025772.dll

Filesize
4.8MB

MD5
90f1c76397815e9755e2c266f79c5a4b

SHA1
85f9e93c084ab61f6e4d7eacc9a00575bd48f191

SHA256
6bae4a4046069b92479a475da99b408a2fd767e921e43eebe2ceea0fa8b330c5

SHA512
6992facb8d0b658be74f243dba4af807dc45ae51dc310360e3de1ebdf1e6dc5c91cf1e39e19b8074ea74285f03969e32bd89411af9c41d794437a765d7ac2704

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera_installer_ui.lck

Filesize
4B

MD5
50407f1d5931c1e7294519c8dd33de98

SHA1
222bf7898acfb0b13b7cf3854224e3789e410033

SHA256
a9bb8a000d4c40a0bf36db953af569425965683377b5ef44b9a18d34a74c4291

SHA512
c9eaaec6190b550f7bab2824952d83d83dc576616935f2fe2a4adea0553b8ce775a0572eb3ca88c00ae99fa75d2bab2d1a44eca084d5a55fbca66d4ee2f88954

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
2fa22ab10f7d6262c65be11e5769c2a1

SHA1
8f9ae2836442a76fd6c3e76a4f083adcbfcd0e2c

SHA256
6cc61267d7fbf1234620e2e42adaf5b40ec2d7dc21c4f3f26d6a3b192f2eabc6

SHA512
e28014406fec8364f0db17e156e46b0e4712ab31e45326ec4338979d8b0cd2a81c103e6775baca1627b74c3a9c7fce4cb58eb6755ea24951366501ac7524616b

Download Submit
C:\Users\Admin\Downloads\OperaSetup.exe

Filesize
2.1MB

MD5
49cb72afffa46597fc0e78dced3d3d2b

SHA1
12e9fb912016eddf94b10ff05f5d30b9031b9278

SHA256
4c1b9fa2ff780ac48c5f03484cfc1f8557241619e95278afa83db18d67c78e63

SHA512
bda5637ff3735727ef83cc212b03e24d7f8dbcb3238abc2366cc968dccf14977ae5f6aaa87556d51a1a21ad2caa670aa5f668933d9d9379b185a518b3a5dd0a4

Download Submit
memory/3120-520-0x000001E6C1660000-0x000001E6C1670000-memory.dmp

Filesize
64KB

Download
memory/3120-516-0x000001E6C0D90000-0x000001E6C0DA0000-memory.dmp

Filesize
64KB

Download
memory/3120-527-0x000001E6C9920000-0x000001E6C9921000-memory.dmp

Filesize
4KB

Download
memory/3120-529-0x000001E6C99A0000-0x000001E6C99A1000-memory.dmp

Filesize
4KB

Download
memory/3120-531-0x000001E6C99A0000-0x000001E6C99A1000-memory.dmp

Filesize
4KB

Download
memory/3120-532-0x000001E6C9A30000-0x000001E6C9A31000-memory.dmp

Filesize
4KB

Download
memory/3120-533-0x000001E6C9A30000-0x000001E6C9A31000-memory.dmp

Filesize
4KB

Download
memory/3120-534-0x000001E6C9A40000-0x000001E6C9A41000-memory.dmp

Filesize
4KB

Download
memory/3120-535-0x000001E6C9A40000-0x000001E6C9A41000-memory.dmp

Filesize
4KB

Download