hxxp://fdsfdsfdsdfssfd

Resubmissions

22/01/2025, 10:46

250122-mverqatkcl 10

22/01/2025, 10:44

250122-ms7dyssmb1 8

Analysis

max time kernel
60s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/01/2025, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://fdsfdsfdsdfssfd

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 904577.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5136	msedge.exe
5136	msedge.exe
2932	msedge.exe
2932	msedge.exe
2184	identity_helper.exe
2184	identity_helper.exe
5568	msedge.exe
5568	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4768	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3904	2932	msedge.exe	77
PID 2932 wrote to memory of 3904	2932	msedge.exe	77
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5696	2932	msedge.exe	78
PID 2932 wrote to memory of 5136	2932	msedge.exe	79
PID 2932 wrote to memory of 5136	2932	msedge.exe	79
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80
PID 2932 wrote to memory of 5352	2932	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://fdsfdsfdsdfssfd
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffbbd233cb8,0x7ffbbd233cc8,0x7ffbbd233cd8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,13279252084168441416,7127477507663012900,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:3804
- C:\Users\Admin\Downloads\OperaGXSetup.exe
  "C:\Users\Admin\Downloads\OperaGXSetup.exe"
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe --server-tracking-blob=MmY2YjUzNGU2ZDIyZGEwZWRhOTg0OGQ0MmI2ZDZiNjdmYjZkNzA4M2JhYWU2NDk3ZDA0MGYxNjhjYzU2NTk1ZDp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1iaW5nJnV0bV9tZWRpdW09b3NlJnV0bV9jYW1wYWlnbj0lMjhub25lJTI5Jmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuYmluZy5jb20lMkYmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmZGxfdG9rZW49ODc1NTA0MzUiLCJ0aW1lc3RhbXAiOiIxNzM3NTQyNzE0LjQ2MzUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOTAuMC40NDMwLjIxMiBTYWZhcmkvNTM3LjM2IEVkZy85MC4wLjgxOC42NiIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6Im9zZSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJiaW5nIn0sInV1aWQiOiIwZGNkNGQzMi1iNjkyLTRkMDYtODU3Zi0yY2RmNzMwOTY3ZWMifQ==
    3⤵
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.152 --initial-client-data=0x33c,0x340,0x344,0x314,0x348,0x74cafd9c,0x74cafda8,0x74cafdb4
      4⤵
      PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      PID:960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
eaf6bb309bed9f1590dcc55cfb42fa6b

SHA1
484ed42c63f5e0b7e8b5f97edaa739fdf298b35f

SHA256
be1da06a6d84d5f694efc5da9a4694eb6be3fa41dbb350b13e5c11574bf511b5

SHA512
90b49b2b948d0d28c19b03150c2251b59121fbc37a916456ed2a266d90d69a0ad0349c9b16124e7f7d39ac2b7b3a17c40a2c5b4e2680e9a5dc7e7046676472c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
98d70d8fde879863e335effc096ebf17

SHA1
568ed7835ed50a6c3813520b03cb4166e675460e

SHA256
d66d7c507ffc8a088d197e15a1902bdf2402a305c141ab472e65e0893521f893

SHA512
747904ce2512b789d7156b400fb7044a63e144442fc43c2f52beb2206c023185ae04bf276e2ca7701d82f95a5d8f0581b695f623c5f25082c87788d7227f1078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c25287767ed7930afe5f4f9242d2f24

SHA1
d2018d4b3f4c921f7f9fe9e786bc05d631f56817

SHA256
d9ec56d8dadb5ef925379a9a47b16404d6fe044ae3316588d5bac89fa6ff7d7e

SHA512
ccaa47dd6ecca578a51a22569057d8f5481fd40c306c5ed24c5b16c2769e2c457de793478a3ce80a63499628c277c7e4a3b90e612b991b454335ea797b0d3acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9bc5a0ceae3ebde9b90d8e470d83b6df

SHA1
a3202f952bd4afebab6f9f36cd23d677d97556f6

SHA256
4105a2dc284f76b32c70d9a4bf08c7d139bedcd80508c6b03694b494f00b2b63

SHA512
049aeb0245d67d87add754321007fe7ed94d229563babf2335941e41e634882f4f53b2ce497a62d57d3a237082ec167c2cb1a8ae53477281a1f2d2df838a7dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f123198effe4226cf44cd1ff6e8bb75

SHA1
cd93001b2e1bc6702a451484bc8847bd98ec47c6

SHA256
5efbfa915a34b69ca5267cd58ddfb7a53318d36a6db05bca851e4dd3738655a8

SHA512
ba2925c76eeb714c01f1f397720e8a6567ee1e97785416cd98b759e12e6f374ba3c279b390a566365cdb9ecd03ead8ba31f5aed84e80076e9ca98c318cb81aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ea832768c30377df88143fe3a5d35eb7

SHA1
ad34a71d418cdc376daeb5cbd1dbe4942b5c9f16

SHA256
0e8db1776a335ba97e72ce97c328d6bc90e78150131b1ec43f0bebaa960aa502

SHA512
0335fceeec5e68628503f1232a7bd403ef52b65a593c4607e228e54af54129e41724074e67ff9535558c0a98e9c58ad3e25a2cd106b4d35b30efa72244f84c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5819cc.TMP

Filesize
48B

MD5
8a8467136f96b1a43c46e3f1e47eaa32

SHA1
408a63103a27500620b8b80470be0be1e315055a

SHA256
5f79610fd938b0aa6c7f15283f968facd65c1289f071b6995fbe12d03ebced7e

SHA512
a4c151269813126a3cbe5b8eb6d05c76cc11efd7c908421ba035557026f7cff784fd40ec377b4cf8add557d18c7ba8267ec16cbf7ec062a920b9505b43c57eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
04c2302824fbc52b1c28d28f307f3edb

SHA1
3632ef650523e08c8337cfe0d4e687f097fa5e9c

SHA256
5594a0cb61afaa87d4651daff624275402c27d7f708e622202306a5b1fb37a12

SHA512
9558971e3885b14ec9ca9194e2744925c78c1d2b83840dd22849188fd173a2995321b945e1d57de860cec3f817e9f0ffd3d2ef4ca92c8714b9caef63ac248c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b94.TMP

Filesize
1KB

MD5
274820d432e7930dff07e99f50edba5b

SHA1
7b93cbb6ef7b6c7e33b9b3e6048cbe8c8fe26672

SHA256
06f5bee6c2d055bf7f736de272993520c03a6106f12bac265b4df0cd5563ceb5

SHA512
6e17fa4ea6a258e222b6b9e61ab6bc6e8e25ff0a3f62e5d986d738a992752b1073559cac9e7abf3c93ac5632335244e4e450143ff51d9129ed3c8d140bfac112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45d235c9ca354829401e50059ef40022

SHA1
97bd2e3c24187b44d78f7a149a61920519d8b995

SHA256
9dcd39332756308b56daca3be0eaf44b380bc032f666fbbef41b242d7bc1587a

SHA512
c542739a455eeb1511a4dd50168108d2d46fe9914fa5e9cd2743516d23b23d20054027f81e1440ff3ef22c10c7b702b709af67d139a5c006c05465b717e91e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
60c9d5191bc485a73f544e21f691c74d

SHA1
c272c61eb4f696a8660de05c70b4403e8074a1ac

SHA256
bb3c92df477393a9048957b83ea97a197a0e3ccc7624548b277ca55b32e109b6

SHA512
4196a42c1bd5e94cd98e03fc0cec72653261954132ff6d268327024432b26a905bd9ff4f9ee2a5f0b2b9b10ded360ec0d16d7b83fa343060232791dda0235b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

Filesize
1.4MB

MD5
71e4e54d24ae28dcd8026eff3b6a5054

SHA1
02617dd4470a68ba3f4ec9c5b35575d9c52a88d8

SHA256
217b2d0784fe580c2ce359f5a43a46b448f2583ba91b9852ed2c17f5fb729808

SHA512
fbe07d1899b61ebf03c833e333ac11c70d5b63dd0b917151e41238c4567d2ee40efb5a6d801683dd8a290fadee45ad9025b4d75610487b65d9d8d284f3d1a632

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

Filesize
1.0MB

MD5
f1351b93bcc633c72d759f4a7019fda9

SHA1
a9dfac70492d5ceea0711a31ce7baf5693a44a51

SHA256
000e0c4e33fe0529e9c9b36580d3133c3044a2cc8827b9eee70eaeb0af60173e

SHA512
2946881fd4ae27d45e011291b65e3bb4de63f50b292926928bc14675068fb6d4a3aea6a515bf3a9efc4cd61f30a69194608d6cf85347ac03b432fd1486ab3ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

Filesize
1.4MB

MD5
83d38a93d4bf59254a3d6ddeb5f1c3f9

SHA1
6e3b568ccbb2880582441d06596b457cca24361a

SHA256
fdb4ed61650b59bdf76b6f9b538db5fe01c271a2b055bff959e3f4c9942ed80a

SHA512
db1b780fe2c326d9619837fbeaced6a2bb2f9704f2f1b9b384bb2e6dca1eb994c29f2b5c3bbf6d62b6d4687b66fc3c482a7c6eba348dc65963e22ab6d9c97b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe

Filesize
1.9MB

MD5
c381e38d713b90917e0fd08c15c67c9e

SHA1
703701b106a246a5183e4048038f5cd0695bfb3e

SHA256
6b9afa9c8324ac05008af1ff2bb71f91593b146470ab0041d3dde9c7d49ab81e

SHA512
b1850f73531b9e4ec2827fbdbcaba4912e169e79519b02cc06ddba87b6ab49721b7482d6fb691655b6aa249af89784ca2179ea35e4d98077da39b4256978efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe

Filesize
1.9MB

MD5
be8c1b733853fe2a071ac766540ebc92

SHA1
be939133ff885cf67c8da09c7834b486c8290bf3

SHA256
78b4da3c9a5752b284775b865269621e440477785cdd95d721b85fc1aea62adf

SHA512
a5fdce9ec9733fdf5cb3a3615910d8dd9943e11e768a1ca61e8a63b3600ef63a530425688823fe8a19c07c38f6d8863a4d3efa0564972abf85f45db7ede0227a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A2355D8\setup.exe

Filesize
1.8MB

MD5
fa8606f3c4e18fdacd35bdede45eb44c

SHA1
4c809a626dec8fcc6dd42955b0c3daaaf47326fa

SHA256
5efdd95cb3bf3ecc6d2c72530c33b484048ad7f60c81eef2751e964c3294c073

SHA512
d11d199cea3ab36b2adaedd2b25da0139c0587742ca8c7323041bdf19e8dc9976da8d4c70134ef9d9264d4340404087ff55406e8b049db4b2bfe60f671cf5465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2501221046102232176.dll

Filesize
1.8MB

MD5
4592fa26b5e7bf72bbfb6e30da4bea80

SHA1
d94ff648aac0bc10b5b608417b4c39ee0572a542

SHA256
2bd1455201ea97324d97854c62d9b3b25b7877823c2adf8254b7f332880a229c

SHA512
86b0a34db9fc695163ced6480609da7c82b160960a68074f7944d112ec6ac9fcbd95e18136a3d8a2bc87fc0d984cef6fed401c6dff0ea957cac99a94ed3c2faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2501221046125255468.dll

Filesize
1.6MB

MD5
2e82d589a8691d9db4002d9ff15ef7c9

SHA1
3b27fa69512505d3681b73287b7ec7e81b1a7c76

SHA256
cbb800c7d6f818af58fccd8faeacbab26e75182aee065d28ebf7c98fcfa6d68d

SHA512
41a8b95e29e82bd1d50d1f9cd95245b2d4c2cad0bd5dc16176fedc8c4018f0dee8e35dd790042b8abc13d957161edbd083634b0ffe476bf6f617183ffeab838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2501221046125255468.dll

Filesize
1.6MB

MD5
87d1c3f85f43d0041ea008abe076c14c

SHA1
3a59e294e7897f28206c26643fa9250eeb2bf3a7

SHA256
a7b9adaef1df5f500ec16c9082d5fd3cf909cfad4660144931bfd4ab2e8a1206

SHA512
c5180677e0ef6c0cf028258eaa64f0a584cb2282409592de34cd96a28e2b44b9224370c63c041bdd6dfc4ff0a014ca2a406c44f6bca7e804f1099d5b8589a661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_250122104616748960.dll

Filesize
1.6MB

MD5
25da245562892e1966bbb82f7c7bd70e

SHA1
1b0a6e195bb4a3739d6b86d93da92763c8730c5f

SHA256
333a5b0598c4c9a66e80734bab6f7836348e1d03504739dc15546003294cbe8d

SHA512
3a87ab280c9c8df383b99406cad24ecab0454c7c5abed74efbb66a5ca8e07e06d55f0853fe94eaf0cc6155a0e18136be08da721570db34dea4ce5f9508c56906

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
3.8MB

MD5
c8ce00861e3ad1d09766ce3a6c42171d

SHA1
e9422dc2aaacf59a07fefc54618d0b5288974e49

SHA256
d835ed6fff51b5f4503da40693c0a812d0177c26605772991e02e102662d2deb

SHA512
90c74d1c06cb68f989b8bc09f5b6f63e33ac95434dbbeed87f310d36994f15faa233008e8ace1a7ad872ec5be2fe2017582be919f4cde7ce503c34646aacc559

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
2.4MB

MD5
2bf0f4bd0998fdd2c3a8084a3ebaa9fc

SHA1
59cac81e71821e621a5d7909bf0378f51825d14b

SHA256
076b1b6e4930dbc69dfe75bfb2883f89475c4642efadb8e0caa31de47eca8601

SHA512
6af724e58aea82acbf43c76c6a65494f598b8f9b2986cff92f0f2011504d722e2ff912a80f068298fb5f9d7274faa659eebe7eee07e40f963593499121930516

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe

Filesize
2.0MB

MD5
6b715c1c69063cc895ea0226c61b6f05

SHA1
c37efc40a67d9e4d35661486588f35d94986d738

SHA256
0c6e7a1cedcee928da82b220d41f75cce83b6db4be109bced446e08a8a4fdbf9

SHA512
855b70d29c287b1a28a9c5a6372967e8da742eecea5985cb9bfa3fe8f22c92ee54d4cbcbbe614078a11cdfb8c482db915763ebae41933f86df1af97b9d74d2c2

Download Submit
C:\Users\Admin\Downloads\OperaGXSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit