1bac804e989cca3a8776d0241a45d2175df95a255a144121e60626cb0dd0dce8

Analysis

max time kernel
187s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

5.1MB
MD5

7cb2c11c1433f6560439cfb41bc28a3b
SHA1

7380a1eeec6717167710db3384c6fcbabe3ded8a
SHA256

1bac804e989cca3a8776d0241a45d2175df95a255a144121e60626cb0dd0dce8
SHA512

effdd3f8ea4acaae9bd3faaa004e468411037f28f63a21668c6b7de6e3f62629aa5ebd040b1d15b9cb44f5a88ddb0cb5d649e4b7b4f44bf031a5279c3b664ba5
SSDEEP

98304:90NFI6666666666666666666666666666666x666666666666666fwwwwwwwwwwG:PPMki6zio75L3pf3dedO4keCIwkoYbgm

Score

9^/10

discovery evasion ransomware spyware stealer

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

5008 bcdedit.exe
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

259 508 powershell.exe
261 508 powershell.exe
264 508 powershell.exe
266 508 powershell.exe
269 508 powershell.exe
Downloads MZ/PE file

pid	process
5008	bcdedit.exe

flow	pid	process
259	508	powershell.exe
261	508	powershell.exe
264	508	powershell.exe
266	508	powershell.exe
269	508	powershell.exe

Executes dropped EXE 14 IoCs

Processes:

OperaSetup.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeassistant_package_sfx.exeassistant_installer.exeassistant_installer.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exe

pid	process
8	OperaSetup.exe
4732	Assistant_109.0.5097.45_Setup.exe_sfx.exe
2644	assistant_installer.exe
216	assistant_installer.exe
232	Opera_109.0.5097.68_Setup_x64.exe
4088	Opera_109.0.5097.68_Setup_x64.exe
5788	Opera_109.0.5097.68_Setup_x64.exe
2704	assistant_package_sfx.exe
5288	assistant_installer.exe
5804	assistant_installer.exe
2456	Opera_109.0.5097.68_Setup_x64.exe
4700	Opera_109.0.5097.68_Setup_x64.exe
2636	Opera_109.0.5097.68_Setup_x64.exe
5980	Opera_109.0.5097.68_Setup_x64.exe

Loads dropped DLL 22 IoCs

Processes:

OperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeassistant_installer.exeassistant_installer.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exe

pid	process
2772	OperaSetup.exe
1840	OperaSetup.exe
8	OperaSetup.exe
2644	assistant_installer.exe
2644	assistant_installer.exe
216	assistant_installer.exe
216	assistant_installer.exe
916	OperaSetup.exe
1856	OperaSetup.exe
4216	OperaSetup.exe
1904	OperaSetup.exe
232	Opera_109.0.5097.68_Setup_x64.exe
4088	Opera_109.0.5097.68_Setup_x64.exe
5788	Opera_109.0.5097.68_Setup_x64.exe
5288	assistant_installer.exe
5288	assistant_installer.exe
5804	assistant_installer.exe
5804	assistant_installer.exe
2456	Opera_109.0.5097.68_Setup_x64.exe
4700	Opera_109.0.5097.68_Setup_x64.exe
2636	Opera_109.0.5097.68_Setup_x64.exe
5980	Opera_109.0.5097.68_Setup_x64.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5112 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5112	icacls.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Opera_109.0.5097.68_Setup_x64.exeOpera_109.0.5097.68_Setup_x64.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOpera_109.0.5097.68_Setup_x64.exe

description	ioc	process
File opened (read-only)	\??\D:	Opera_109.0.5097.68_Setup_x64.exe
File opened (read-only)	\??\D:	Opera_109.0.5097.68_Setup_x64.exe
File opened (read-only)	\??\F:	Opera_109.0.5097.68_Setup_x64.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\F:	Opera_109.0.5097.68_Setup_x64.exe
File opened (read-only)	\??\F:	Opera_109.0.5097.68_Setup_x64.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\D:	Opera_109.0.5097.68_Setup_x64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

260 raw.githubusercontent.com
261 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
260	raw.githubusercontent.com
261	raw.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 5 IoCs

Processes:

Opera_109.0.5097.68_Setup_x64.exeOperaSetup.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Opera_109.0.5097.68_Setup_x64.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Opera_109.0.5097.68_Setup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OperaSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OperaSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{4EEC5CB0-2416-46BA-81F8-30182B78F970}	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

NTFS ADS 2 IoCs

Processes:

msedge.exeOpera_109.0.5097.68_Setup_x64.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 266145.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Opera_109.0.5097.68_Setup_x64.exe\:SmartScreen:$DATA	Opera_109.0.5097.68_Setup_x64.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exemsedge.exeTaskmgr.exe

pid	process
2732	msedge.exe
2732	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
3644	identity_helper.exe
3644	identity_helper.exe
5716	msedge.exe
5716	msedge.exe
6084	msedge.exe
6084	msedge.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OperaSetup.exeOpera_109.0.5097.68_Setup_x64.exe

pid process

2772 OperaSetup.exe
232 Opera_109.0.5097.68_Setup_x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exechoco.exepowercfg.exeTaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	4684	choco.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeCreatePagefilePrivilege	2996	powercfg.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeCreatePagefilePrivilege	2996	powercfg.exe
Token: SeDebugPrivilege	1952	Taskmgr.exe
Token: SeSystemProfilePrivilege	1952	Taskmgr.exe
Token: SeCreateGlobalPrivilege	1952	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exeTaskmgr.exe

pid	process
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
2300	msedge.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe
1952	Taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OperaSetup.exeOpera_109.0.5097.68_Setup_x64.exe

pid process

2772 OperaSetup.exe
232 Opera_109.0.5097.68_Setup_x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OperaSetup.exeassistant_installer.exeOperaSetup.exeOperaSetup.exemsedge.exe

description	pid	process	target process
PID 2772 wrote to memory of 1840	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 1840	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 1840	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 8	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 8	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 8	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 4732	2772	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2772 wrote to memory of 4732	2772	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2772 wrote to memory of 4732	2772	OperaSetup.exe	Assistant_109.0.5097.45_Setup.exe_sfx.exe
PID 2772 wrote to memory of 2644	2772	OperaSetup.exe	assistant_installer.exe
PID 2772 wrote to memory of 2644	2772	OperaSetup.exe	assistant_installer.exe
PID 2772 wrote to memory of 2644	2772	OperaSetup.exe	assistant_installer.exe
PID 2644 wrote to memory of 216	2644	assistant_installer.exe	assistant_installer.exe
PID 2644 wrote to memory of 216	2644	assistant_installer.exe	assistant_installer.exe
PID 2644 wrote to memory of 216	2644	assistant_installer.exe	assistant_installer.exe
PID 2772 wrote to memory of 916	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 916	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 916	2772	OperaSetup.exe	OperaSetup.exe
PID 916 wrote to memory of 1856	916	OperaSetup.exe	OperaSetup.exe
PID 916 wrote to memory of 1856	916	OperaSetup.exe	OperaSetup.exe
PID 916 wrote to memory of 1856	916	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 4216	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 4216	2772	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 4216	2772	OperaSetup.exe	OperaSetup.exe
PID 4216 wrote to memory of 1904	4216	OperaSetup.exe	OperaSetup.exe
PID 4216 wrote to memory of 1904	4216	OperaSetup.exe	OperaSetup.exe
PID 4216 wrote to memory of 1904	4216	OperaSetup.exe	OperaSetup.exe
PID 2772 wrote to memory of 2300	2772	OperaSetup.exe	msedge.exe
PID 2772 wrote to memory of 2300	2772	OperaSetup.exe	msedge.exe
PID 2300 wrote to memory of 2848	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2848	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe
PID 2300 wrote to memory of 2176	2300	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a8,0x2ac,0x2b0,0x280,0x2b4,0x755be1d0,0x755be1dc,0x755be1e8
2⤵
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
2⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\assistant_installer.exe" --version
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x726038,0x726044,0x726050
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:216

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=0 --enable-installer-stats=0 --consent-given=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Program Files (x86)" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=0 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2772 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426231342" --session-guid=5d2432b7-38ff-476f-bdd6-b4d6ca2fae85 --server-tracking-blob="YTkxYmRjOGUwYjczMWRhMDlmM2UxMGYwZTVkNzAyMTMyNjk4NjU5YzRjNDY5NDQ4ZmMwYWU5YTA0ZTFjZWQ3Yjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP2h0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuZ29vZ2xlLmNvbSUyRiZkbF90b2tlbj01ODA0MDI5MyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxNDE3MzE5OC4wMjkxIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7fSwidXVpZCI6IjU2NTUyMjg1LWQ2NjUtNGY3Mi1iYmMyLTVjMTg2OGIwZjBiMiJ9 " --desktopshortcut=1 --wait-for-package --initial-proc-handle=400D000000000000
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a4,0x2b4,0x2b8,0x274,0x2bc,0x7196e1d0,0x7196e1dc,0x7196e1e8
3⤵
- Loads dropped DLL
PID:1856

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=0 --enable-installer-stats=0 --consent-given=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Program Files (x86)" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=0 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2772 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426231342" --session-guid=5d2432b7-38ff-476f-bdd6-b4d6ca2fae85 --server-tracking-blob="YTkxYmRjOGUwYjczMWRhMDlmM2UxMGYwZTVkNzAyMTMyNjk4NjU5YzRjNDY5NDQ4ZmMwYWU5YTA0ZTFjZWQ3Yjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP2h0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuZ29vZ2xlLmNvbSUyRiZkbF90b2tlbj01ODA0MDI5MyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxNDE3MzE5OC4wMjkxIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7fSwidXVpZCI6IjU2NTUyMjg1LWQ2NjUtNGY3Mi1iYmMyLTVjMTg2OGIwZjBiMiJ9 " --desktopshortcut=1 --wait-for-package --initial-proc-handle=7C02000000000000
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x274,0x2b4,0x7196e1d0,0x7196e1dc,0x7196e1e8
3⤵
- Loads dropped DLL
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller&arch=x64
2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8c7b46f8,0x7ffd8c7b4708,0x7ffd8c7b4718
3⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
3⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
3⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
3⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
3⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
3⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
3⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
3⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5684 /prefetch:8
3⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
3⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
3⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
3⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
3⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
3⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
3⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
3⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6516 /prefetch:8
3⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5796 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
3⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
3⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
3⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
3⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
3⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
3⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
3⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
3⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
3⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
3⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,11008402625391137208,108352319410131702,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5312

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
2⤵
- Blocklisted process makes network request
PID:508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vq3wisb\1vq3wisb.cmdline"
3⤵
PID:5136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6150.tmp" "c:\Users\Admin\AppData\Local\Temp\1vq3wisb\CSCF7DFCCD8C4A6400889731F13E2479889.TMP"
4⤵
PID:1716

C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133586469520618991"
3⤵
PID:4292

C:\Windows\System32\setx.exe
"C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "133586469526599066"
3⤵
PID:1116

C:\ProgramData\chocolatey\choco.exe
"C:\ProgramData\chocolatey\choco.exe" -v
3⤵
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" choco feature enable -n allowGlobalConfirmation
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\ProgramData\chocolatey\bin\choco.exe
"C:\ProgramData\chocolatey\bin\choco.exe" feature enable -n allowGlobalConfirmation
4⤵
PID:3932

C:\ProgramData\chocolatey\choco.exe
"C:\ProgramData\chocolatey\choco.exe" feature enable -n allowGlobalConfirmation
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\myisp3vv\myisp3vv.cmdline"
3⤵
PID:640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7371.tmp" "c:\Users\Admin\AppData\Local\Temp\myisp3vv\CSC5BE4F6D518434A40894AACB046C51C17.TMP"
4⤵
PID:1180

C:\Windows\system32\powercfg.exe
"C:\Windows\system32\powercfg.exe" /hibernate off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set {current} bootmenupolicy Legacy
3⤵
- Modifies boot configuration data using bcdedit
PID:5008

C:\Windows\system32\Taskmgr.exe
"C:\Windows\system32\Taskmgr.exe"
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1952

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:(OI)(CI)F
3⤵
- Modifies file permissions
PID:5112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
"C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:232

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x7ffd5eba7c80,0x7ffd5eba7c8c,0x7ffd5eba7c98
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4088

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Opera_109.0.5097.68_Setup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Opera_109.0.5097.68_Setup_x64.exe" --version
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5788

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_package_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_package_sfx.exe"
2⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_installer.exe" --version
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5288

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262315371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff730691638,0x7ff730691644,0x7ff730691650
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5804

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
"C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe" --backend --install --import-browser-data=0 --enable-stats=0 --enable-installer-stats=0 --consent-given=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Program Files (x86)" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=0 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=232 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426231537" --session-guid=32dd9907-3c64-40b2-a410-cc98c3d7325b --server-tracking-blob="NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=D40C000000000000
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2456

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x284,0x288,0x298,0x260,0x29c,0x7ffd7b357c80,0x7ffd7b357c8c,0x7ffd7b357c98
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4700

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
"C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe" --backend --install --import-browser-data=0 --enable-stats=0 --enable-installer-stats=0 --consent-given=1 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Program Files (x86)" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=0 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=232 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426231537" --session-guid=32dd9907-3c64-40b2-a410-cc98c3d7325b --server-tracking-blob="NjFkODk4ZWJjMmNmNGQ1YjllMzkyYmJlMjJiYmQ5MDY3ZjdhY2U0Y2Y1NWMzYTQwM2Q2Zjk0N2YzZTU1NDA1Yzp7InByb2R1Y3QiOnsibmFtZSI6Ik9wZXJhIn0sInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fX0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=900A000000000000
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:2636

C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x284,0x288,0x298,0x260,0x29c,0x7ffd7b357c80,0x7ffd7b357c8c,0x7ffd7b357c98
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\config\chocolatey.config.1180.update
Filesize
8KB

MD5
098b8cd4f64a71c394780021b468a26d

SHA1
b8b9bd04891b5a9dae0a89d31f615f6b28ad8fec

SHA256
4d1d5405b2460ece564c67d045cd05d9e2f6d23d2ab45cb0535a67273d99984a

SHA512
eb6c962867525ea71df51fec50801ae557f7f54fe335a8b8b40eef3468864fafe268e3fda5940443ef09eff12cc8426dbd9d52f3db13f720be3f64ca921426a8

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.4684.update
Filesize
8KB

MD5
cbccded419ec9f3f25eba050724e209f

SHA1
b0c5b8f3b8e0d6ebd0b5ce2b9d48207d85c251e5

SHA256
84921656d654b9517a44c8763b3724b2397863098473f6acceebc8d5b685a76b

SHA512
8d2dec0fd1f57e393812047852cc61c0de96639bea420ad5cd16953a0113c42c731f88f197376285ad26f16be62e5c1b48d8a841dc77bbc8db6e98d99b7458ff

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup
Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log
Filesize
4KB

MD5
2fba6ea4396dd4e21cd0e2ec1963872c

SHA1
f7b4874daadace49f9ef0db2d8f6afc2e57d8809

SHA256
b3f97d9d47c63765516b09050f992bd836d8f979ca9c21bc8ef7ffaf62013e7d

SHA512
020466341425fbb2b4de20db103a76869937438a6ef7afde940696354a1a800bab5c19a75d5edb2464c7ce9d8c256c87d12ac017fdd68f01970c24985613400f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_B7ED31D77D311A56FDCB56A0083B3E0B
Filesize
314B

MD5
d3a8db8b4b383456b08a89bbc13438b5

SHA1
a8353a5fe7965e8d724671f76e1e8cbaf672a8f3

SHA256
6aa73bc29edd407a347b9466a99c6864e85535d729739cbd15fd9b0c6520f18c

SHA512
be775c76e15f5945d06208a3d8729340af7beac71ae9fe2126a1b18f67c720738cec8a7f633b68f994c28c68111993fd3345516be88294075f0f8361323d9cef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_17DD39A60A87A85D0DDEF9FD164BB3E9
Filesize
471B

MD5
f8c999952d6f606be7de8ed9d5fa77aa

SHA1
60ab2646250e4694e2f501b2f60a0ca6c0221e4b

SHA256
ee59cc2ad10156b8fe6c87a60c753944b08008a35f30a2871d3b3b22e351e9bd

SHA512
5e3215b055c29a3040fe763440c741fd6e389a5f4874fa42b15cb55998f9a3f144483d0af408e293af9870b83a1963a131c7ad71556f36ac6648f6a880eb3cb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0343D08A98AFAA7CAA7068BD558BE887
Filesize
727B

MD5
6e84f216efdb5b67053e333c4ab179da

SHA1
46890d03ca62e8e463eb432a5ae68b10f8880d87

SHA256
ac65ff6cd4b913eedd1b29087d2df76bed5d2b9625fe22e1d9578c70e38fdb5f

SHA512
7915a3edf60b38fbdce9f49aacd6322b58b5742f64403f8d036d804b2b99a418b0244822d36871efe8df049cd00e39ededbced948cc6a3431c9f08fddd1058e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
471B

MD5
59bc4dc1361710110d8c36aa12c5a4ee

SHA1
b34b210e94585af028f58f9d2060e814dd4c3d9a

SHA256
acbccd0a17e12ec657db5308596508f3472986f10367bf6ead0069ffd43fe37d

SHA512
4249ac9d7e76d8647f66c54c30225cd6ba2c4796be9b35e89f374d3c507911361a9585d5be232cfee5722b31e70601c356dc084055b29bbeb7b581d3c1e8ce9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_B7ED31D77D311A56FDCB56A0083B3E0B
Filesize
400B

MD5
c8738accf84bb15ccf1607127ef05442

SHA1
a2ee4fc846a92977fc15078b32a89f8253274a53

SHA256
76398768e24650c30533c590b2c64612c2ddf9642d8f3662d0cf6a904ab52f3c

SHA512
3a098eadb3e4279716f9b97e5eac0de652f9dfed416fe760e1da5c207eb3a20c8c70cc43a7b5fcc554a65a1488a47f5bb0b7bc7fa76dc6b8e683657d9bdcbced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_17DD39A60A87A85D0DDEF9FD164BB3E9
Filesize
404B

MD5
853e462e6370a6de6f3357a2b04f3516

SHA1
5ff2b049c6ee830a7c2923f3428f80e1e850e645

SHA256
7d0fa5f719991ba73feeb5acba56b22f90222647d51b1972ee26995846382105

SHA512
0b363d61960b4a505c398a9ec5e4c6645e35dc5507ed006e35ef5b23978aca79ca454559230ebcd52dab272d411286aadc285569e5263e112b3707d36fcd96ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0343D08A98AFAA7CAA7068BD558BE887
Filesize
404B

MD5
a0df886dfc5e1452c24d203bc6ff0afc

SHA1
dcbbfa0c5c986aeabab2b6565c504efe81feb500

SHA256
2b7d2c7f535a000251a6a454f8905142e4a1f6026e5b40a9d7c5e78de39a70ce

SHA512
b260b9044f365b4a9e11e2be612c7ac05c9057c4b9a4a1bb006c27821c361e8a3b402dcd3474fdb037b51f1f9a06efbb48d20ac392fffe473642d732905e193a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
412B

MD5
da85606102cf39229f13af43d166deb4

SHA1
bf980699cc587b6e0302dd86f9e3f627e96f5acf

SHA256
8e943f7a1802e4849ff7e8757626c5d22141d883a2b679f7609d92d00a55a64a

SHA512
9a8e517284e45457bdc9b357fe9c0410c90f51bf2ff3df7a5056883c2e3437c1754a75fb7bb8cc7f14be3855b34c50f324945d2dfa0243bd167e01531ecbaf70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
38KB

MD5
c351596c5609b6855d5103176e043d81

SHA1
e640235c5f0559611fde74b24978403aec7793eb

SHA256
44ad694b7a3cd786fb83f5bc1dbc75b80494d3d5e342a56a9f2b332d04b05d81

SHA512
ef3663ff0133d28a6bd9eae9ad153790e98542a161b9b8adefef3915319df47dcaaab9b1821f76545126c5225985cb38a50d5daf31a50782ebe7f550d621be16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
1.1MB

MD5
34a02dd7f8b393eff0b3f133576adb8e

SHA1
b512edfa50e3ad8f44064e7805443032f8cc9b28

SHA256
f38d66808f86e685fd596c778cf5e8dca79d1d0b223c008d9b31b636bce2299f

SHA512
53d2669725bece4eb3f9c9d2e9714ff9e73dade82a63c0056cfe9e6bf2cd905866e38fafd0d89ca4a2eb9406ecaa7aa89221cda4641a355494b21922d42ec48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
437447fdf553d5cfb3c24e82de72340b

SHA1
8e725579b833b2d2ae7f2af74f3e6e360707619f

SHA256
07ddb6b41191ed66c989633235632614474696cf725b7e2921140460b0656ff3

SHA512
b0bdfcc50b3542228c2350084281668405da471e850db3ac4d5585a207aa91d7327cfe5ef196b9c350525182576579cdfea2a33f2df61ea3ed98fa13971db0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
6KB

MD5
27a0f4e19b1433f778639869d50daf8f

SHA1
8c0cc84053747c3f62bd1d2ef70ac52b33d1ffb5

SHA256
86ff9cdeb233a0401dcc7d7dbac307636f2613d3a3804856b0ea6d75d5816246

SHA512
48528f45fa2b651723b80affa92001803a16469c2564dfa6d0b8d3791fb2b1d5895aaa400e7a2b07953056a7655e26d4ccccd63bd56eec23883fcab27356c851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
7KB

MD5
9a9890a891232e9e4d3f6107c0d4ba6f

SHA1
c623b2cc2866c067799adcf24aec0d03cfe3313c

SHA256
af51680bf11c406780a69f1f07da29daed78a57f0cd777dd9b19e6b03e2983fb

SHA512
3e9a22f853ea665ac008d90014b83ba96543765e597414e9dc4adab32f0185dc426617c2de276c31645416dc78bf5f56ef7ac3417364d44ce712efec1e208cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2dc4ea224c25a100ab9e9d5f1d830f36

SHA1
789fed55b2965410812cb04c6f153e75558285fc

SHA256
d00cbcf1f4f9ed5e0bb2dbf8755d8a852b00902d718587d8d74f4f206fab0390

SHA512
f0ebdb0b45c6b9a0e4f8a2e821fd952a659ea72d4f946ad936208fb4324a925b4b2f7683c7a6e556f920edc063fdb5c8ce2d64b309eb4bec3e538d44e9eef180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
b2552197bf13598ad34f0413df349ff7

SHA1
a03ea4ca13ee03e5851a21a702196218fd6ff056

SHA256
2187121b326ad94bce9c46d74c9f5edfda4b986bbd6840505fe18e91e67b17b2

SHA512
cceb9f94eaa20504c937fd5ed6807ae31877aaa7bd89f4b792d7427d7b1c328519b38359f4fb2ed70cb6f1ab38a17cde5690f2f3ff570e62ec668155ba2d0a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
334d1becc179f6c9d601b74be0fa32a9

SHA1
f32fadb65e3bccbc458d537ba1b3f74f2b0c5712

SHA256
65291b67622f16b4805875ba8fb553bfb1cfd2b5d03680db22915ad32d7ecb55

SHA512
69785631175b9d3f2c25fa28773e62d78f1739d25be9278848f59906dfe2b4f6ce54c0f9b353cf53229636af7e5f0753713cda60b5831ec56ad3343f82324b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
1f59f5830f1da56017152a09de98650c

SHA1
97ffb0afdd646878172b4fd8b146577becdf4a06

SHA256
9f9c7a32ec5704d58ee1ed60e18e98178db321e4aa4c168cbec9c8bbada2f8f7

SHA512
85a31f4c3608ea63ac5d0a72a75cab10bdd322eebed492828745bb5cfd4aa8f151cb9e5c46500e899c0bbec0be797adadf098dcc3c1529d80d155d4521d99678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
292b9a5b8f9595e17d8d1ce4d3ec9dbd

SHA1
c0d1769b07da2a5f71cceebb482bb86f302b201c

SHA256
6a894c7170b5f8aadcfc5306791f39507c28a83a87e0947630c1c803d87337bf

SHA512
6f15e3d7eb9a3c86c4da596d87c89e7c3e828953bff4850462e02cf54ed7c90b7eb92ebfeb28424af3e86e69e16b24763dd3db03624a5021e31e74fe8d51f756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
a2e74e8e7af38d750f48b17e2e392a34

SHA1
ce806048d757940d45c45b8b14177aafbb899664

SHA256
292bb6859476707961c063cbf6ab4724bc9ec6d7feaba3cd0ff6285f37247c8e

SHA512
15cc4675b1bf7dbb723b0de3c696472290b88afef4c5650a8d8cc4ccd9b10991739bfadf55456e19a292dfb9e36ec1a37bcb715d8f04d0c6cb2bdf9ef5fadffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
8d6fbb40ffbf2141d708f6ab0b2fe9dc

SHA1
023c5c390e59a8457ef39382593cd273cb98f138

SHA256
041fb8a813e16ce3ee310b7da289214e51ba96f7336d249343ace1f6b10f9daa

SHA512
b1d9e83b217eb2f1f09550e65f0469edcf57833450d7111c14975df67e1bbb22d97129fef0609eaf88273ca72b32491e1312ed5da8392e0e45a39c1c3b24eaa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
5c4441e877044cac278e3b2f25af734b

SHA1
aea4cdae3ac9d74597f08a8a235bdc4ed2b81af9

SHA256
5888b3fe5e79e1a06af7d1626fdea96af39e72d87ce01b8cf2050800195ea5e5

SHA512
ff84fa8c471440fa42b146a577cc42cec7fcf0c5ff9db8a3436ba4b3e0394b7a6895f7b713b4d4ea7ab7a634b7d98b396f355893e8cf36ae7b7320092f1a8976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
20fccd7a72429048427b1786a2d401d4

SHA1
4685a71da7dbdbdbebdf78059a08cff17a631bfc

SHA256
eb3243b7d79d70e90d933a6b41699039b53fb45a43d83a281d5c4ea5772e5d84

SHA512
2341f1c1ac2ca31efb2c8e3cc29f3f9d0d1256e1e23c19bf0641e692aff604d35ff70ce95f75a26e0db8898d57a20dbfacd7922aef9a85e9493c68ac3dd5a513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5875c7.TMP
Filesize
1KB

MD5
c986fa4223084e3eedf72f6746d80620

SHA1
4e6ad70cc341fc00b954520c749df3d080468380

SHA256
7e14815e480fd13fb7b5f5245669472f2b22ee907ad6baef5a625a970ab9125b

SHA512
22a101b1c43925d65a90a21b4c3f55118d4a9dd28539d3a540ea4fb24bc55acc5ffd7d0769e9344e212f43d24b43cce1e480b8d64493fb1242f66f29d3764200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4fbf3a70c1f4740657307ead656cf62a

SHA1
2e6ffb63c51647f81c4c791c88a258838e5b8550

SHA256
d32d3303bec16a15990e9e3a680f354560e353cb7f854ff6145d1f874fb23324

SHA512
ef590f01a57e45ba9b5366d5a92380d3236d58f2677dea399f3e6147a40d014dfcaffcc762ced53fe8fe108e153430caeec152f1286af85b89479be21b7ceb3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f95797e45496500b3b0f793b92cedae0

SHA1
d39fe28480d99115876d94b3acb01628fb37b8d6

SHA256
fcc578618578912d6eb372df8861c99ca358edc099e4687d4b101064ec28617a

SHA512
c6d9860c3e29039f0f0b04c7f7dd868ffe23531e2c519d88d7a9c9d75d5d4ffb3e7a7863a8dae2118652e6ca2278e8c1e691c8bc6b1330c410346eab22d6ad44

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
Filesize
5.1MB

MD5
7cb2c11c1433f6560439cfb41bc28a3b

SHA1
7380a1eeec6717167710db3384c6fcbabe3ded8a

SHA256
1bac804e989cca3a8776d0241a45d2175df95a255a144121e60626cb0dd0dce8

SHA512
effdd3f8ea4acaae9bd3faaa004e468411037f28f63a21668c6b7de6e3f62629aa5ebd040b1d15b9cb44f5a88ddb0cb5d649e4b7b4f44bf031a5279c3b664ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\additional_file0.tmp
Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
976bc8e5fe65f9bb56831e20f1747150

SHA1
f9e7f5628aaaabed9939ef055540e24590a9ccfb

SHA256
f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0

SHA512
2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\dbgcore.dll
Filesize
166KB

MD5
9ebb919b96f6f94e1be4cdc6913ef629

SHA1
31e99ac4fba516f82b36bd81784e8d518b32f9df

SHA256
fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119

SHA512
a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\assistant\dbghelp.dll
Filesize
1.7MB

MD5
544255258f9d45b4608ccfd27a4ed1dd

SHA1
571e30ceb9c977817b5bbac306366ae59f773497

SHA256
3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68

SHA512
2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404262313421\opera_package
Filesize
103.9MB

MD5
b7e7c07657383452919ee39c5b975ae8

SHA1
2a6463ac1eb8be1825b123b12f75c86b7fff6591

SHA256
1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9

SHA512
daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404262313422622772.dll
Filesize
4.6MB

MD5
45fe60d943ad11601067bc2840cc01be

SHA1
911d70a6aad7c10b52789c0312c5528556a2d609

SHA256
0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add

SHA512
30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240426231535046232.dll
Filesize
5.6MB

MD5
a7def17ddc007dab46dfa2bdff9f325b

SHA1
f548972f7d35fbb1d37f6afff1ed4dc622bd6eab

SHA256
1187f65eeb0877b0d36d0f3b0850734a6bef04c642563061b501d5b68f4d0da7

SHA512
ec94c53e585922a8d5bbbbaa307dd6b3492ee119e76cf515c6d8df5e5cf4c2137b5cedf7c50fcfaa192913b6c6f0fde07c6b4a0230a76cb336ec122c82fce7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjcq5m2p.ou1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
34a5ca00967682ec4dea805a3933d821

SHA1
b0f08db43bc368a0446b49af0651a9b3b0d6218c

SHA256
55347cbb1076a7d039c463e3ef946cac37b4d2f7378dc1219e3a336b09d64c51

SHA512
37b4a7c18ab60872bba260cdd78f65fd8ccd5ed93885b26fe7d3948b425c69fd3ff72e4d719159b236bf07348712bf590377cdd5f2fe5060495393bdbf927cee

Download Submit
C:\Users\Admin\Downloads\Opera_109.0.5097.68_Setup_x64.exe
Filesize
110.0MB

MD5
e2f5233209305e48300546cd957aa76f

SHA1
f4fe3c474536afb3f60d8111228d9915e6c9c5a5

SHA256
12f1fc8bea2f061f044874f880adda18144530e210af234a2d2ba63d547aa30f

SHA512
db565ffcc7fc22be35c08227528e1da3223d394c2b8ecd050f48d66c99563895836b7b27eab7b83e1cca6a7fd47535f0cf02a1fbb0972a53b37a88b5a317d8b5

Download Submit
\??\pipe\LOCAL\crashpad_2300_MBRFEKSYXKKIOIJU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1180-903-0x0000026964660000-0x00000269646D6000-memory.dmp

Filesize
472KB

Download
memory/1180-904-0x00000269645E0000-0x00000269645FE000-memory.dmp

Filesize
120KB

Download
memory/1180-867-0x000002694A600000-0x000002694A622000-memory.dmp

Filesize
136KB

Download
memory/1180-853-0x0000026947E80000-0x00000269488F8000-memory.dmp

Filesize
10.5MB

Download
memory/1180-866-0x0000026964520000-0x0000026964570000-memory.dmp

Filesize
320KB

Download
memory/1952-1066-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1067-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1068-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1073-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1072-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1074-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1076-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1075-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1077-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/1952-1078-0x0000026BC26A0000-0x0000026BC26A1000-memory.dmp

Filesize
4KB

Download
memory/3932-931-0x0000000000EF0000-0x0000000000F18000-memory.dmp

Filesize
160KB

Download