e416d82e1c5bea2d8518c0a14644027c9dad8d23a930d663d3e6e11a99036472

Resubmissions

26-11-2024 15:52

241126-ta4cxatqfm 8

26-11-2024 15:48

241126-s8ypmstphk 8

26-11-2024 15:40

241126-s38bwstmhp 8

Analysis

max time kernel
148s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ModInjector.exe
Size

5.8MB
MD5

456e8d1820b74a7f6cc963d02c1a6513
SHA1

ebb63550be46eaaf9d0184f34cc6de235c61aa5e
SHA256

e416d82e1c5bea2d8518c0a14644027c9dad8d23a930d663d3e6e11a99036472
SHA512

9f333a7547492c5cf9d516be80eebff0f43f051154e611296a30fe694aaaf64b136a037b0406d27aa07abc1d7790095830b62e7a466b7c9c14ce7f7536a60aa5
SSDEEP

49152:+QNXVNXvNaYg8R59ckm3LpVAmYpi+b4BBjHQtDgznmDwOBOBJapTL2iKeRpJ6iai:zXfXVaE9OcundmtL2itpHaZFK

Score

8^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
4144	OperaSetup.exe
1452	setup.exe
2828	setup.exe
732	setup.exe
3472	setup.exe
4376	setup.exe
5092	Assistant_114.0.5282.21_Setup.exe_sfx.exe
1208	assistant_installer.exe
3520	assistant_installer.exe

Loads dropped DLL 14 IoCs

pid	Process
2220	ModInjector.exe
2220	ModInjector.exe
2220	ModInjector.exe
2220	ModInjector.exe
2220	ModInjector.exe
1452	setup.exe
2828	setup.exe
732	setup.exe
3472	setup.exe
4376	setup.exe
1208	assistant_installer.exe
1208	assistant_installer.exe
3520	assistant_installer.exe
3520	assistant_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier	msedgewebview2.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
768	msedgewebview2.exe
2740	msedgewebview2.exe
4332	msedgewebview2.exe
1100	msedgewebview2.exe
1776	msedgewebview2.exe
3892	msedgewebview2.exe
3760	msedgewebview2.exe
3156	msedgewebview2.exe
3248	msedgewebview2.exe
3416	msedgewebview2.exe
552	msedgewebview2.exe
3760	msedgewebview2.exe
3152	msedgewebview2.exe
640	msedgewebview2.exe
8	msedgewebview2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 345984.crdownload:SmartScreen	msedgewebview2.exe
File opened for modification	C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2096	msedgewebview2.exe
2096	msedgewebview2.exe
3156	msedgewebview2.exe
3156	msedgewebview2.exe
768	msedgewebview2.exe
768	msedgewebview2.exe
8	msedgewebview2.exe
8	msedgewebview2.exe
8	msedgewebview2.exe
8	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe
2056	msedgewebview2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1452	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2056	2220	ModInjector.exe	80
PID 2220 wrote to memory of 2056	2220	ModInjector.exe	80
PID 2056 wrote to memory of 4920	2056	msedgewebview2.exe	81
PID 2056 wrote to memory of 4920	2056	msedgewebview2.exe	81
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 1100	2056	msedgewebview2.exe	82
PID 2056 wrote to memory of 2096	2056	msedgewebview2.exe	83
PID 2056 wrote to memory of 2096	2056	msedgewebview2.exe	83
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85
PID 2056 wrote to memory of 1776	2056	msedgewebview2.exe	85

C:\Users\Admin\AppData\Local\Temp\ModInjector.exe
"C:\Users\Admin\AppData\Local\Temp\ModInjector.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=2220.996.6730481873785563312
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x114,0x7ff9f2bf3cb8,0x7ff9f2bf3cc8,0x7ff9f2bf3cd8
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1808 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1100
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2096
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2460 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1776
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3892
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3760
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3248
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=icon_reader --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3416
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=icon_reader --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5404 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:552
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5532 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Network Configuration Discovery: Internet Connection Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:768
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=icon_reader --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2740
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=icon_reader --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5688 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3760
- - C:\Users\Admin\Downloads\OperaSetup.exe
    "C:\Users\Admin\Downloads\OperaSetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe --server-tracking-blob=OWM3NmFlMTI0NDk4NDI3MTY1ZWViMzU1MWE0M2M2NzcwNjY5NGQ3ZjQ5MTU2OTYwMDcxNmFjYjQ3OGYyOWIxZDp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3hlYWxhaC5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD1lOGNmMWRhYS0xNTZlLTRkZDUtODg2OC1kODAwNzQzNjY5MjImdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInRpbWVzdGFtcCI6IjE3MzI2MzYxNTAuMjg2MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85MC4wLjQ0MzAuMjEyIFNhZmFyaS81MzcuMzYgRWRnLzkwLjAuODE4LjY2IiwidXRtIjp7ImNhbXBhaWduIjoicHJlbXB1YiIsImNvbnRlbnQiOiJNREZfUEJfMTY0MDlfIiwiaWQiOiJlOGNmMWRhYS0xNTZlLTRkZDUtODg2OC1kODAwNzQzNjY5MjIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJ5ZXBhZHMifSwidXVpZCI6ImUwZmNkOTZiLTY0ZjMtNDA0NC05NWI5LTk3M2M2MzNjMjRkNCJ9
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x33c,0x340,0x344,0x30c,0x348,0x7481fb14,0x7481fb20,0x7481fb2c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:732
    - - C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1452 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241126154921" --session-guid=8c464bf9-cfe1-4250-8db5-2e867d04b52f --server-tracking-blob=MDQ4MWRkMmYzMzRmNmYwZjI2YzliNDdlZmY4ODZlZmQ4YzlmMjhiMWM2Mzg1YmI2YTZjNzA0YjBlOGJiNjEyYzp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3hlYWxhaC5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9eWVwYWRzJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1wcmVtcHViJnV0bV9pZD1lOGNmMWRhYS0xNTZlLTRkZDUtODg2OC1kODAwNzQzNjY5MjImdXRtX2NvbnRlbnQ9TURGX1BCXzE2NDA5XyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMjYzNjE1MC4yODYyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzkwLjAuNDQzMC4yMTIgU2FmYXJpLzUzNy4zNiBFZGcvOTAuMC44MTguNjYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJwcmVtcHViIiwiY29udGVudCI6Ik1ERl9QQl8xNjQwOV8iLCJpZCI6ImU4Y2YxZGFhLTE1NmUtNGRkNS04ODY4LWQ4MDA3NDM2NjkyMiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6InllcGFkcyJ9LCJ1dWlkIjoiZTBmY2Q5NmItNjRmMy00MDQ0LTk1YjktOTczYzYzM2MyNGQ0In0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=6409000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.222 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x7248fb14,0x7248fb20,0x7248fb2c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xd617a0,0xd617ac,0xd617b8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3520
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1712 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:640
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4196 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3152
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:8
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1796,13544476407954787456,13929020293419185072,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView" --webview-exe-name=ModInjector.exe --webview-exe-version=1.0.0+c3ce39f653ffc2c072637f61a3bd07afd7d2b8c7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=880 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
f5e4c751668a377a295effbcc236323e

SHA1
a4377a42f0d65b1a05d6e9ea6ee96e9f4aa53712

SHA256
125c37f2e969506980f0aaea906f07a672255ad8b6be39c863992c36963cdaca

SHA512
f6a7c92040082f5ce73baa144c6f227bd55fdca48ff26a71580a70d11e09576bfe81e3704630299e78fb0d41488cdfcef2bbaebb95956b783fa7b8961917705c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
727B

MD5
e5760a86cb8b1c7c398b782efb832ede

SHA1
65d802019fdbaca3b7694a0015f4a447a26e0e79

SHA256
29fec95ac9873ab5a81e5d331cf19fa896ba39b600cdf043a06cc2007702a40d

SHA512
97bafcae7a2012a5e658773edceaec78d39961d3e83b9996b7cbcfb3417321dd8ba128e7a9bc84aed72c04f39931023f33a2481e754cee33673f8b43b5cb1300

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
164608912055c0b2941a1f57047b69e3

SHA1
118d785241381ff775e8c94264411d178269ea0d

SHA256
415fc85e7419fc80bc049c92bade799931d8631a6595ed65a9fb281197ad811e

SHA512
229339cc6f07d0839d4daa713b6a9e204e06743b728513d60698e43fed29aa0174f43b038ece2f1c077f64809c41bd8b3d33c4302fd6a5a655ebca7af8ad355a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
1bf24fd45f228c46ec8464d0a50aaece

SHA1
e3ba284263355bb182aaeb5269eb3dfcd0345abf

SHA256
9824d54b36b0ab0d1a004db02c894cf027dd649f30deecd05ad405eebd8e76f2

SHA512
013aba24540ede112a6a59489e072a7ecaba65691631dd9ba13a3141a7c0d1a3e804c6e521da14c548973e73b0770f6dd2159dbfec317786de72b9bd2bda9c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0F90096E7DCB862ED66CE39084FC7811

Filesize
412B

MD5
a28470f0e364a83703864d96dd9d1e39

SHA1
acfcf645a4a77f8ef4ba671b493550da430a15b4

SHA256
1cdbd0b2f5bf1896f76d3a179f433cf8f0a55a2fbe6edeaa701d0f0c8f80c297

SHA512
77508946e022a8868076a44a4180dec6daec9779dbdb3450a2db25383a06f5016fa00a94cb99b57b26d7c14b1340124d23e430a27cd6208e47b1040515b0a0dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
d508d00335126068d6b20f03c746259b

SHA1
fc41d1cfe5eb10d92caa1905c767e5f15a3e1405

SHA256
1f399f4bee2f33056bc948fe18fd8c95663b685294bfbcd5b0b39e4c1a020f09

SHA512
d0e78c9413db070b21873962717c8f1773c01734f5a8e44a4cbd6e81883b83c293d6296b1fa5c1ec935d54dd17432a335d1731424efe7c001896b112b9d2b9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\ModInjector\pslUXVJuEoT6r4WDqyw8QCKQ5+7TeLU=\FluentWPF.dll

Filesize
328KB

MD5
8cadfd021139b7eea4ea78cfd67b5f77

SHA1
b983ae5eb7c2867206d8a727d914d96b27e8e642

SHA256
68f0ae5371d81e6c320487aeb0f1214bc6b0f50ea8cca840db99ede88014e298

SHA512
76f52734fc20da094733dd175105c38902b780d818ce99438e1e0445470351c86fc9dc483a9832568d8159bc6f0e1ba4b433c1505d6d04462b7095cf700d38aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\ModInjector\pslUXVJuEoT6r4WDqyw8QCKQ5+7TeLU=\Microsoft.Web.WebView2.Core.dll

Filesize
1.0MB

MD5
003f6e9c93608c77f07cb3677b7e71c6

SHA1
dffa911b59034a56b4dc7fef20116b72f1d3c74a

SHA256
4e848ba0ea2c2fd11cca74d9d206daee07f1bc119b70beb1bb516584081bd690

SHA512
8ec0a96cb674b87dd848386e9aa5f7477a3d78ad200a9e7670ae9e3fecd27da4cbbb276afaf1e5b40bea29a046ef76011e741924541fbf9b4c3185c64e056f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\ModInjector\pslUXVJuEoT6r4WDqyw8QCKQ5+7TeLU=\Mod Index Injector.dll

Filesize
1.1MB

MD5
5a648fcf86304a29c91f61bf303dcd06

SHA1
cd03b15e73e3499ab533b20a15d857cdf26553f3

SHA256
2473b49afca1ea5cdddc5f2403d9e13366426027f11f66cdcdb4b30a8fe52c30

SHA512
8268e7742bba079d50d54677afedde4ac8fe4d1fb3375cd33b740f8c67712aa22cd7d857ec2f03050747d7a8abd15b7b291d542d60b63e245bc052ee375ea617

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\ModInjector\pslUXVJuEoT6r4WDqyw8QCKQ5+7TeLU=\Newtonsoft.Json.dll

Filesize
1.8MB

MD5
ab65620c75d4187565957069cdf343b1

SHA1
433221e3abdbf4b3edf9085fcd465de95578f7a9

SHA256
081d2744e37dac60cb04cb5da12b55d8bc7dafc4a20c0cace598d63be877340a

SHA512
4abd1bf4e7effc9afde1293d691a86293f096714b4cdec25100963f0ebbb95a5ee759b7a566570604a744f75336b61912541ecf4ffc245f3a30efc7be6a09f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\ModInjector\pslUXVJuEoT6r4WDqyw8QCKQ5+7TeLU=\WebView2Loader.dll

Filesize
161KB

MD5
3fac859547077abafe806ff1e4709f47

SHA1
0366df220c5d224ee64a42c929574407d2e6d2c9

SHA256
f4d811cda483adb33220c5a856c5ec8dca3a095fde54b44f08e1279a6a5efd33

SHA512
9b7b7aabf6bdc11dfd74430336e02d7d2b96b6bbf352f1e2d158a4900bead364900820af56cf9af25366ff5704e2ffcc2458d45dc3efe00ebd0843d127ab7435

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
3b103a9ba068fb4f932d272d19f5619f

SHA1
8270adf6a18d0101ce54afb77179d55a78a35fc7

SHA256
7e9f5f137372bf9e13383dc06c71139d92a4a7efcb5c64c570311999ecafab15

SHA512
83011d2315dfdd8838d62b66f576259882033e28e58ffb1931f97bb0a105cce5f03a4ca6c1de88611876d038f7e2ca7be626d4e0fb689d1ed8c99c6ce9adda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\dbgcore.dll

Filesize
166KB

MD5
612a3bebcf72256296103e034ace0236

SHA1
4e722e00e3294194224ae348477e3898c01b47b3

SHA256
3e20d38b7f1ab5dcbb1057f06f4dabf64e57b71d12a7335b4c5601b5b4a6047c

SHA512
dde0aabbe0905408c8df74fb51232b322e233dc43fc34f4ddac9a5e626359d7e4948d41f3fcbb95f0a635cbd229953757ba456a095b2b3523bb7a851663e6302

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411261549211\assistant\dbghelp.dll

Filesize
1.7MB

MD5
3f68b6ab3dcfd45911952ed4f5d75197

SHA1
c24c63d36a26f2320ae1c70b282769fae1e18b48

SHA256
e2f7ff92d8b959239e535b1824eac0bcf21b3134418a7b0411fa0c92ab6259e4

SHA512
5e6e031c5b802f667dc846f5dddd3c3ff5ad810b6274633bf519aa07d6a4eb7cd1c810b04f9fd552e0f6c7bb7285db0d3dc64b7a5690899583ae30bdc4e3c09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0301A868\setup.exe

Filesize
5.3MB

MD5
7e293ea90477b4293d42b35b9a7eefbc

SHA1
32d9c1e87d9f8cbecc4794a106b6baddbeb0fa82

SHA256
61325bf8db458c0f321b7d3e0a0b968313556e84cd74ef062b1ab8f4d37f1af3

SHA512
6966e8a5658455a561c891b0b0d0fa2158a98a06695c3f76794def1629317ed7f29ae1762c2564154c20c0fb3285196a791583761ee65c5f274838f5cd833e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
c9dce59b0fe04b2bf6d3f77483d95dc8

SHA1
73dacd888a7f5cc44e476d980d39b101aee59f17

SHA256
8a48fe95d50ca826bd37cfce85478a349073e1d433af0c6e544052d7d1ba7a1c

SHA512
ab4a9bf66f6cc8057cc68192d32d5ba863d33ae3bacb4a839d81f53724f8507c3e81621e6dcb92694170592771229f85d6b6631edb0b102f6d8ebad0eb08e422

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
108885324170e303048aa517f66e9fb6

SHA1
7590a453a346628e5dbf28d437b81a7487499edb

SHA256
89f2c0aa8b802efc275030dfb1d6d08d72bf2202e469c9add5a0d607d3497911

SHA512
805a78ad4f5aee325add16dcd54fd72d964f2aab9b26e1b33d724ebab3d025319cb754354e9197c7890288880eed4a3289463c86332633dfce501d0633cb4c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
41fff24287cf52810a9d2045b34ba970

SHA1
45f381460e11ee4366b17b9887ca7f607d711a1e

SHA256
f517de7faf5cfef6556f5dda9beeb5119e335cd2d5bed3f4f60a3b8ce9a80f19

SHA512
916d0ed2428367943127c2cb86f802fe0a45350a6b9eca49ef28171cf8e6c29dbcea9a63d038bb1f53e433f331b55b468d74d93d75be8cb63e6cb9a7d83236cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe57f443.TMP

Filesize
48B

MD5
b4ae6657505762d41355d3847f8955ad

SHA1
74e266f6b5b1b40147689498540b9b8993ae6bc8

SHA256
c726e9bfde8bb8d3c66371ee4daf91157d177a8f4802d3ee0bc50faf02573650

SHA512
72fcfdb6763a646cded8c4bac82157776cf99152b38bf5c6d7d3fcb4c9622de1db2701223bb2074d9d5bb56b1d0fc25a293cdf858ffb693f89b34a6981c1ecef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Network Persistent State

Filesize
1KB

MD5
d867f107a755384b94b4ec2fd62c651f

SHA1
f715ea628cfb61d497db2947ae3dd8ee906d950b

SHA256
2b810a6cd3158008084870de63c63db65d953140d074e4c487209928160555a0

SHA512
7feb84da580d7012d65be59c9e426d068482e203007ef7e5cc71ccd52e8afb1cc96d4637fcadc09578b972e451de0f0dd1330f61d8528604e7c95dcce8fc5683

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Network Persistent State~RFe58b030.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Preferences

Filesize
4KB

MD5
64a2d20cb1a194420ace7afbf914f0a2

SHA1
067208fc68d38e69fb6eef64ee65509a30d10e8e

SHA256
8dd0a4f28fc64dd94ee338a068a68504f5966e20231f49de5fc5352dee25742f

SHA512
bd3acd8531f882a3d83a877976c894675a9e07a39eacd071b7d6c6c7918f053093c6d3cd2e09c975f210348573120a47e52f872ecc4c421aa7adb92a3ddc1a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Preferences

Filesize
4KB

MD5
733255015d6f45b239717434f06a83df

SHA1
e8bfa643524b1c259c49121b22df50798e3fcfbb

SHA256
ab95705a9b4b28d471ade1345d353d8fe189fb31d7d3567de19cdcd95bd20f8e

SHA512
77aeb503f3078b9ae3ae352f6cfc3ccd05e690bd39542dc8ac304c2fdf006e83f38b80cc45fbe2fcf9aef7795c88768ba51e56b00f7a37161b91c6016902addd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Preferences

Filesize
4KB

MD5
d914461db1de24678446e97ad0a43484

SHA1
ebd2661ab02d7c9833d07b1c289ea2d1c60b4771

SHA256
e9c9b3bcef0ed586848923f8850045cd5d567e862c21f3b42666f6792c459d9d

SHA512
b178725bdeb3cd098136bc6e3a2e47357378b90c60a74707b3b5f8bffe59db17aa8195c8c461da66886a67d744e8dd8e963c61e2dc1ec280680d5fd0f883592b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Preferences~RFe582bfd.TMP

Filesize
3KB

MD5
d7c2bad5de4012c23f05093d6f20f365

SHA1
3c39d0b784c700f68601bd2e8ecb440e90367d27

SHA256
6d1e3e901c97e2c2b7c66070baed748d24a8bd124894cf67b526d95c687f46a7

SHA512
a4f6381e0b5a058e82e6426418b9c684daf3c7f57aae556b425a6f5e51253dc6dd17a9d7ea0f127a4f12f7457eff9eb72eb30a64c2e7d92cab1de5348b1d89fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\TransportSecurity

Filesize
872B

MD5
baebee65fb3213cb0e586fe0376d1305

SHA1
0d9422c2a40a03d26fbd9a2c6a265376022f78dc

SHA256
8dbe3a48895f0054d022d78cffba373be8461a8f48f09bb95d29bef5a35e748a

SHA512
c8cebe00973dd3a43c61198764dcfc44c0cb35c86d83e3201ce9c20c372be404de2ac27db9924d3f0f90c378c0a61b0b36b53dc7e0ccea08e95bed3fafbdb164

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\TransportSecurity~RFe582621.TMP

Filesize
705B

MD5
7c6835a0a2a02cc794a39f55124ba181

SHA1
ec4c401780d7019338dc9345de458b2d901f9b9b

SHA256
bd4dbe23257f98a03a0aedc68295831003c7fdc8fd104bb7da2b83d5ee65705d

SHA512
bcc1e0a200426d76eab778de7c66f9b173bdc539abe268d06669bd87c8ded77dd83dc231c56e19d6fe16758d6313ed8b96411157bad9540e986b99d59c6c30f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Local State

Filesize
8KB

MD5
7654e32ef560656921f077cf88db670e

SHA1
b802318bf1dc82e7db2da322473c719611652240

SHA256
5ee88cf4f06aa3d8c782a05169e821c78b1f09dea91770fb9c77d196cfef45e5

SHA512
33c8aeee927a222b2a794d0580723e331049f6bdeb78ea35b056ff82ba944abb0892ff983bf9375de7128878712ac24503211442bbc59512560c94e7db97a835

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Local State

Filesize
8KB

MD5
7c086c5ed51cbef3d94ba931b96282f0

SHA1
e81d934f51520d25ce874ac64b7695db5603660c

SHA256
956ba202fa9ccb94c2b59adfcb3e7b00661b505180bff350137491a90c2fc17e

SHA512
e68a456d38c4936967712ddcb96a9fc24ed8af11d2ffad95ca4e1147d4d141bedae450119e6afb098eee29de799825105a66017f18183fe788ba09a3f2e28950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Local State~RFe57dbba.TMP

Filesize
8KB

MD5
5ee5c0d217108aa109f910526e0bce07

SHA1
a26a204c0c8979b561f30f5ab60529f96d4fb422

SHA256
2bb356846f4b6af960c34f73d8d380e232e2c13ee1320e5116a445917333083a

SHA512
33bfcbb1963a2230bd2c0184b5c09f395056ac9b0f1b704d686e2ff6f61928ec55a813eb8fe6b16f7b9175cdb39bb7a9d2427ca3b43b828322407f63f6b8d4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Advertising

Filesize
24KB

MD5
131857baba78228374284295fcab3d66

SHA1
180e53e0f9f08745f28207d1f7b394455cf41543

SHA256
b1666e1b3d0b31e147dc047e0e1c528939a53b419c6be4c8278ee30a0a2dbd49

SHA512
c84c3794af8a3a80bb8415f18d003db502e8cb1d04b555f1a7eef8977c9f24e188ae28fc4d3223b52eab4046342b2f8fd0d7461130f3636609214a7b57f49cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Analytics

Filesize
4KB

MD5
da298eacf42b8fd3bf54b5030976159b

SHA1
a976f4f5e2d81f80dc0e8a10595190f35e9d324b

SHA256
3abd2e1010e8824f200878942e0850d6e2620a2f0f15b87d32e2451fdda962ec

SHA512
5bf24c2df7cc12c91d1fb47802dbac283244c1010baa68bfae9eb5eb8ee25758156bb1e21f6cc3f55e7d71e5c330888ffd41469b2630eb86237c9970d7ede75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Content

Filesize
6KB

MD5
97ea4c3bfaadcb4b176e18f536d8b925

SHA1
61f2eae05bf91d437da7a46a85cbaa13d5a7c7af

SHA256
72ec1479e9cc7f90cf969178451717966c844889b715dff05d745915904b9554

SHA512
5a82729fd2dce487d5f6ac0c34c077228bee5db55bf871d300fcbbd2333b1ee988d5f20ef4d8915d601bd9774e6fa782c8580edca24a100363c0cdce06e5503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Cryptomining

Filesize
1KB

MD5
16779f9f388a6dbefdcaa33c25db08f6

SHA1
d0bfd4788f04251f4f2ac42be198fb717e0046ae

SHA256
75ad2a4d85c1314632e3ac0679169ba92ef0a0f612f73a80fdd0bc186095b639

SHA512
abd55eff87b4445694b3119176007f71cf71c277f20ea6c4dcadfb027fdce78f7afbcf7a397bd61bd2fa4bc452e03087a9e0e8b9cc5092ec2a631c1ebb00ee25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Fingerprinting

Filesize
1KB

MD5
b46196ad79c9ef6ddacc36b790350ca9

SHA1
3df9069231c232fe8571a4772eb832fbbe376c23

SHA256
a918dd0015bcd511782ea6f00eed35f77456944981de7fd268471f1d62c7eaa3

SHA512
61d6da8ee2ca07edc5d230bdcbc5302a2c6e3a9823e95ccfd3896d2e09a0027fece76f2c1ea54e8a8c4fa0e3cf885b35f3ff2e6208bf1d2a2757f2cbcdf01039

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Other

Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Social

Filesize
355B

MD5
4c817c4cb035841975c6738aa05742d9

SHA1
1d89da38b339cd9a1aadfc824ed8667018817d4e

SHA256
4358939a5a0b4d51335bf8f4adb43de2114b54f3596f9e9aacbdb3e52bef67e6

SHA512
fa8e1e8aa00bf83f16643bf6a22c63649402efe70f13cd289f51a6c1172f504fedd7b63fc595fb867ecb9d235b8a0ea032b03d861ebb145f0f6a7d5629df8486

Download Submit
C:\Users\Admin\AppData\Local\Temp\ModInjector.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Advertising

Filesize
2KB

MD5
326ddffc1f869b14073a979c0a34d34d

SHA1
df08e9d94ad0fad7cc7d2d815ee7d8b82ec26e63

SHA256
d4201efd37aec4552e7aa560a943b4a8d10d08af19895e6a70991577609146fb

SHA512
3822e64ca9cf23e50484afcc2222594b4b2c7cd8c4e411f557abea851ae7cbd57f10424c0c9d8b0b6a5435d6f28f3b124c5bc457a239f0a2f0caf433b01da83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2411261549205811452.dll

Filesize
4.8MB

MD5
90f1c76397815e9755e2c266f79c5a4b

SHA1
85f9e93c084ab61f6e4d7eacc9a00575bd48f191

SHA256
6bae4a4046069b92479a475da99b408a2fd767e921e43eebe2ceea0fa8b330c5

SHA512
6992facb8d0b658be74f243dba4af807dc45ae51dc310360e3de1ebdf1e6dc5c91cf1e39e19b8074ea74285f03969e32bd89411af9c41d794437a765d7ac2704

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
69b0934cc1e555c408a9fe1930128bdd

SHA1
7ee528a792282e1d7cec741bf6be010e3bd543f5

SHA256
d4e872d87787a9ebc2f8cd2fa6b70ec278065dcc5d4a6113a879481409b190d3

SHA512
3d7ebd288d5c2c113cfb8d1280ea7cc0a404065a2a148e36ba05bac3af6b8fdf2337823aefdfa43af3a67be9355fa174ff122280dac0842a2eabf96ee6731ee2

Download Submit
C:\Users\Admin\Downloads\OperaSetup.exe

Filesize
2.1MB

MD5
26736bf196f38af4a3c53606783e27ac

SHA1
92f9c402385c7ce3b51ce99c300af7f40c43efbb

SHA256
59e5178a91719d07948739abccfcd2d03832eca0e92e7d2aae1ec8602fbda6c1

SHA512
6ae3315b825ea0c322ae28885597b759279fed54b1cd50e5fc22edc8e38f4381fa769960624eda65d2ef8e019bd5f218438d7ab0a7d754f1e336c301b1ba0890

Download Submit
C:\Users\Admin\Downloads\OperaSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/552-245-0x0000020011810000-0x00000200118E6000-memory.dmp

Filesize
856KB

Download
memory/640-495-0x000002B4195A0000-0x000002B419676000-memory.dmp

Filesize
856KB

Download
memory/1100-192-0x00000186DF4E0000-0x00000186DF5B6000-memory.dmp

Filesize
856KB

Download
memory/1100-45-0x00007FFA17780000-0x00007FFA17781000-memory.dmp

Filesize
4KB

Download
memory/1776-199-0x000001E6366D0000-0x000001E6367A6000-memory.dmp

Filesize
856KB

Download
memory/2740-276-0x0000018E17410000-0x0000018E174E6000-memory.dmp

Filesize
856KB

Download
memory/3152-518-0x0000016E71ED0000-0x0000016E71FA6000-memory.dmp

Filesize
856KB

Download
memory/3248-233-0x0000018F74910000-0x0000018F749E6000-memory.dmp

Filesize
856KB

Download
memory/3416-244-0x000001EE4E810000-0x000001EE4E8E6000-memory.dmp

Filesize
856KB

Download
memory/3760-155-0x000001A2E9AD0000-0x000001A2E9BA6000-memory.dmp

Filesize
856KB

Download
memory/3760-275-0x00000211B23A0000-0x00000211B2476000-memory.dmp

Filesize
856KB

Download
memory/3892-200-0x0000017A5E350000-0x0000017A5E426000-memory.dmp

Filesize
856KB

Download
memory/4332-581-0x000001A3C23A0000-0x000001A3C2476000-memory.dmp

Filesize
856KB

Download