hxxp://fun[.]x1os[.]com

General

Target

http://fun.x1os.com

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2644	setup.exe
2164	setup.exe
1056	setup.exe
1660	setup.exe
4508	setup.exe
1196	Assistant_111.0.5168.25_Setup.exe_sfx.exe
616	assistant_installer.exe
2212	assistant_installer.exe

Loads dropped DLL 9 IoCs

pid	Process
2644	setup.exe
2164	setup.exe
1056	setup.exe
1660	setup.exe
4508	setup.exe
616	assistant_installer.exe
616	assistant_installer.exe
2212	assistant_installer.exe
2212	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{C58F6D45-990A-454B-9716-45D5EA0C437D}	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2644	setup.exe
5304	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2644	4088	OperaSetup.exe	132
PID 4088 wrote to memory of 2644	4088	OperaSetup.exe	132
PID 4088 wrote to memory of 2644	4088	OperaSetup.exe	132
PID 2644 wrote to memory of 2164	2644	setup.exe	133
PID 2644 wrote to memory of 2164	2644	setup.exe	133
PID 2644 wrote to memory of 2164	2644	setup.exe	133
PID 2644 wrote to memory of 1056	2644	setup.exe	134
PID 2644 wrote to memory of 1056	2644	setup.exe	134
PID 2644 wrote to memory of 1056	2644	setup.exe	134
PID 2644 wrote to memory of 1660	2644	setup.exe	135
PID 2644 wrote to memory of 1660	2644	setup.exe	135
PID 2644 wrote to memory of 1660	2644	setup.exe	135
PID 1660 wrote to memory of 4508	1660	setup.exe	136
PID 1660 wrote to memory of 4508	1660	setup.exe	136
PID 1660 wrote to memory of 4508	1660	setup.exe	136
PID 2644 wrote to memory of 1196	2644	setup.exe	137
PID 2644 wrote to memory of 1196	2644	setup.exe	137
PID 2644 wrote to memory of 1196	2644	setup.exe	137
PID 2644 wrote to memory of 616	2644	setup.exe	138
PID 2644 wrote to memory of 616	2644	setup.exe	138
PID 2644 wrote to memory of 616	2644	setup.exe	138
PID 616 wrote to memory of 2212	616	assistant_installer.exe	139
PID 616 wrote to memory of 2212	616	assistant_installer.exe	139
PID 616 wrote to memory of 2212	616	assistant_installer.exe	139

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fun.x1os.com
1⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4068,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5032 /prefetch:1
1⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5076,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:1
1⤵
PID:560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5288,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1
1⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
1⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
1⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5876,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:1
1⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5912,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6256,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
1⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4772,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:1
1⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=2012,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6540 /prefetch:1
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6280,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:8
1⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6448,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=1016 /prefetch:1
1⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6616,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
1⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5508,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:1
1⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4820,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
1⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6288,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8
1⤵
- Modifies registry class
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=5500,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:1
1⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6628,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:1
1⤵
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=7092,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:1
1⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6736,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:8
1⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=7252,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8
1⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=7232,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:1
1⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7712,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=7724 /prefetch:8
1⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8164,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:8
1⤵
PID:1536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:700

C:\Users\Admin\Downloads\OperaSetup.exe
"C:\Users\Admin\Downloads\OperaSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe --server-tracking-blob=NGMxNWE0NDkxZTRjMDhhOGJkNzAxZDczODM2Y2VjZjZiZWM3NDAxMzFiMzhjY2E3YjQzYTg0ODljMDcwZmFlZjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1VSyUyQi0lMkJQZXJmb3JtYW5jZSUyQk1heCUyQi0lMkJFTiUyQi0lMkJKT0JTJnV0bV9jb250ZW50PUpvYiUyQmdlbmVyaWMlMkJOZXcmaHR0cF9yZWZlcnJlcj1odHRwcyUzQSUyRiUyRnd3dy5vcGVyYS5jb20lMkZ0ciUyRmZlYXR1cmVzJTJGZnJlZS12cG4lM0Z1dG1fc291cmNlJTNEYmluZyUyNnV0bV9tZWRpdW0lM0RwYSUyNnV0bV9jYW1wYWlnbiUzRFVLJTI1MjAtJTI1MjBQZXJmb3JtYW5jZSUyNTIwTWF4JTI1MjAtJTI1MjBFTiUyNTIwLSUyNTIwSk9CUyUyNm1zY2xraWQlM0RhYWNkZTk1MWYwMjYxMTE1MzJlNjhmMjUwNjA4ZDc2MSUyNnV0bV90ZXJtJTNEd3d3Lm9wZXJhLmNvbSUyNnV0bV9jb250ZW50JTNESm9iJTI1MjBnZW5lcmljJTI1MjBOZXcmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZmZWF0dXJlcyUyRmZyZWUtdnBuJmRsX3Rva2VuPTEzMTEwMTQ3IiwidGltZXN0YW1wIjoiMTcxODk0MTI0My43OTQ2IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNC4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMjQuMC4wLjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJVSystK1BlcmZvcm1hbmNlK01heCstK0VOKy0rSk9CUyIsImNvbnRlbnQiOiJKb2IrZ2VuZXJpYytOZXciLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9mZWF0dXJlcy9mcmVlLXZwbiIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6ImJpbmcifSwidXVpZCI6IjExNDFlNTIwLWYyZjYtNGU2My04ODI3LTk2MTVjYzRjMDVlZSJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x314,0x334,0x338,0x304,0x33c,0x74eba128,0x74eba134,0x74eba140
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2164
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2644 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240621034108" --session-guid=de737f67-3842-4d3e-8d3f-2a4fdc2a3b4e --server-tracking-blob=MWJmNTNhZGU3MDEwNTE4YjVmNDE3NDNjNjM3NmJiZDgzNzIwMjgyNTZiMGVmODM5MjZhZTk3NGI0NTkwYTUxYzp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1VSyUyQi0lMkJQZXJmb3JtYW5jZSUyQk1heCUyQi0lMkJFTiUyQi0lMkJKT0JTJnV0bV9jb250ZW50PUpvYiUyQmdlbmVyaWMlMkJOZXcmaHR0cF9yZWZlcnJlcj1odHRwcyUzQSUyRiUyRnd3dy5vcGVyYS5jb20lMkZ0ciUyRmZlYXR1cmVzJTJGZnJlZS12cG4lM0Z1dG1fc291cmNlJTNEYmluZyUyNnV0bV9tZWRpdW0lM0RwYSUyNnV0bV9jYW1wYWlnbiUzRFVLJTI1MjAtJTI1MjBQZXJmb3JtYW5jZSUyNTIwTWF4JTI1MjAtJTI1MjBFTiUyNTIwLSUyNTIwSk9CUyUyNm1zY2xraWQlM0RhYWNkZTk1MWYwMjYxMTE1MzJlNjhmMjUwNjA4ZDc2MSUyNnV0bV90ZXJtJTNEd3d3Lm9wZXJhLmNvbSUyNnV0bV9jb250ZW50JTNESm9iJTI1MjBnZW5lcmljJTI1MjBOZXcmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZmZWF0dXJlcyUyRmZyZWUtdnBuJmRsX3Rva2VuPTEzMTEwMTQ3Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE4OTQxMjQzLjc5NDYiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI0LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyNC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlVLKy0rUGVyZm9ybWFuY2UrTWF4Ky0rRU4rLStKT0JTIiwiY29udGVudCI6IkpvYitnZW5lcmljK05ldyIsImxhc3RwYWdlIjoib3BlcmEuY29tL2ZlYXR1cmVzL2ZyZWUtdnBuIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiYmluZyJ9LCJ1dWlkIjoiMTE0MWU1MjAtZjJmNi00ZTYzLTg4MjctOTYxNWNjNGMwNWVlIn0= --desktopshortcut=1 --wait-for-package --initial-proc-handle=9409000000000000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x324,0x328,0x32c,0x2fc,0x330,0x7298a128,0x7298a134,0x7298a140
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4508
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x379f88,0x379f94,0x379fa0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2212

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" CamSystemGlobalSwitch 344 262 90 31 webcam
1⤵
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:8
1⤵
PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\additional_file0.tmp

Filesize
2.6MB

MD5
dfe86cd1ab9fe5055dba3ead830574f6

SHA1
800ba6757bf301a918a800ce15a3853e3941e019

SHA256
f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f

SHA512
d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
a8c564c798ae8160230297d361952dd6

SHA1
34a45ee9eb7733ae9afbebb9f2951288a27f9df5

SHA256
3f48e5331890159921f7b65103c4b06bbf08552065718313761647d1648f8a64

SHA512
141ac3356a2fee32121231308cdd8afa5f76695185d66bba9fa977b66e5c6bad8bd4ea4656acdc743cd6b6f85c28a16626ab07f8b2c72652de82b4fb21c0bb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\dbgcore.DLL

Filesize
166KB

MD5
ff0364394f7bc74d0c68040a5fbcda6f

SHA1
d19ce25e7d0e3043c377c5770b0f20cb42bd0295

SHA256
3bd944ca30b77f9ce8a1f503a7ee0dbcb77b92ae9fcd68907abe0ef2e9275053

SHA512
0676de1a65cc9c209f544e921f45c5eb8c5d42fb391ae1f370b0a2bedd26740f75f32ea5f17497d86e03edd6cf281ca51a7a54380a82de152d0e25a28297ccfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202406210341081\assistant\dbghelp.dll

Filesize
1.7MB

MD5
eeb07dc97790e8b075d6938759fe6ee1

SHA1
afb099be8ee28fef6488b5d253ba910b081a3b1b

SHA256
2808772ce1653cdf659f4781c718a9dd6f3ac547d52a1080462487baccaeaf78

SHA512
e541d839562c5045b5af0cc7ad2129393383df3fc528193cdef1a31ded4e894ffb8a02d34a009b3d6543d4987616534caaefa130a2b55ea73baf37ee0a294980

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8FFC5FD8\setup.exe

Filesize
5.2MB

MD5
6a39877aba485cd09c090e4e24f53de6

SHA1
ada29b30d665203b7e6cda8f1b6114699ba472a7

SHA256
2daba944e443aea09f4d50a0ac5ea2a6bb85b6f861c83c1bbd284e6d81e8a7e3

SHA512
ecab25931ed2d985b396e62d5930dd5c7edc3c0835e3e3df3058197bb8800491a8ea13fc824935bcf187a848a29da176c7dd7dc8f43aaca108e17fed76dfb32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406210341077082644.dll

Filesize
4.7MB

MD5
b05a49fe0b700420401974a62cea7be6

SHA1
1dec7981c1d5eab1952c69c512dcc3877241c82e

SHA256
12f8a3f3569cecd209e1a6e229e7e6c3d130ab1694fdf71c10d5e3b5154ba703

SHA512
34fc1e8a9e046400107ea0e1be1aeb7d1d8a5e71380733bbce0ac5d15ee9b58762b63f7de4591762b6a7c32f5be83122bbf757d3a88a6f78e6d2c06ffd596833

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
be89800a1a9ec8bfa53d008ba5defd71

SHA1
46992b105c1d8eede153990de9e0b856180adea4

SHA256
e8868ec215ccb72cd7d482eb5b3bc303251946c3c15fee1a983c519c8deeb646

SHA512
0f1859046eee9e1be39aad41f759742de045b0bd9b278b48df2517a33b8168b262530563418e84c35bb6c03b49d0805d39d5ebc849e154f08ac4dc7995863011

Download Submit

Analysis

Sharing