hxxps://www[.]bing[.]com/ck/a?!&&p=dc2750039c3e05eaJmltdHM9MTcyMDQ4MzIwMCZpZ3VpZD0xZmMyN2IzOC1jNTQyLTY0NmUtMTQ2MC02ZjU0YzQ2YTY1YWEmaW5zaWQ9NTIxNg&ptn=3&ver=2&hsh=3&fclid=1fc27b38-c542-646e-1460-6f54c46a65aa&psq=download+opera+gx&u=a1aHR0cHM6Ly93d3cub3BlcmEuY29tL2d4P21zb2NraWQ9MWZjMjdiMzhjNTQyNjQ2ZTE0NjA2ZjU0YzQ2YTY1YWE&ntb=1

Analysis

max time kernel
102s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bing.com/ck/a?!&&p=dc2750039c3e05eaJmltdHM9MTcyMDQ4MzIwMCZpZ3VpZD0xZmMyN2IzOC1jNTQyLTY0NmUtMTQ2MC02ZjU0YzQ2YTY1YWEmaW5zaWQ9NTIxNg&ptn=3&ver=2&hsh=3&fclid=1fc27b38-c542-646e-1460-6f54c46a65aa&psq=download+opera+gx&u=a1aHR0cHM6Ly93d3cub3BlcmEuY29tL2d4P21zb2NraWQ9MWZjMjdiMzhjNTQyNjQ2ZTE0NjA2ZjU0YzQ2YTY1YWE&ntb=1

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
2664	setup.exe
4420	setup.exe
436	setup.exe
2268	setup.exe
1348	setup.exe
4576	setup.exe
4416	setup.exe
1304	setup.exe
2744	setup.exe
4412	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
1240	assistant_installer.exe
928	assistant_installer.exe

Loads dropped DLL 9 IoCs

pid	Process
2664	setup.exe
4420	setup.exe
2268	setup.exe
436	setup.exe
4576	setup.exe
1348	setup.exe
4416	setup.exe
1304	setup.exe
2744	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2744	7zG.exe
Token: 35	2744	7zG.exe
Token: SeSecurityPrivilege	2744	7zG.exe
Token: SeSecurityPrivilege	2744	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	setup.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 2664	4404	OperaGXSetup.exe	111
PID 4404 wrote to memory of 2664	4404	OperaGXSetup.exe	111
PID 4404 wrote to memory of 2664	4404	OperaGXSetup.exe	111
PID 5092 wrote to memory of 4420	5092	OperaGXSetup.exe	112
PID 5092 wrote to memory of 4420	5092	OperaGXSetup.exe	112
PID 5092 wrote to memory of 4420	5092	OperaGXSetup.exe	112
PID 2664 wrote to memory of 436	2664	setup.exe	113
PID 2664 wrote to memory of 436	2664	setup.exe	113
PID 2664 wrote to memory of 436	2664	setup.exe	113
PID 4420 wrote to memory of 2268	4420	setup.exe	114
PID 4420 wrote to memory of 2268	4420	setup.exe	114
PID 4420 wrote to memory of 2268	4420	setup.exe	114
PID 4420 wrote to memory of 1348	4420	setup.exe	115
PID 4420 wrote to memory of 1348	4420	setup.exe	115
PID 4420 wrote to memory of 1348	4420	setup.exe	115
PID 2664 wrote to memory of 4576	2664	setup.exe	116
PID 2664 wrote to memory of 4576	2664	setup.exe	116
PID 2664 wrote to memory of 4576	2664	setup.exe	116
PID 4416 wrote to memory of 1304	4416	setup.exe	125
PID 4416 wrote to memory of 1304	4416	setup.exe	125
PID 4416 wrote to memory of 1304	4416	setup.exe	125
PID 4416 wrote to memory of 2744	4416	setup.exe	126
PID 4416 wrote to memory of 2744	4416	setup.exe	126
PID 4416 wrote to memory of 2744	4416	setup.exe	126
PID 2664 wrote to memory of 4412	2664	setup.exe	127
PID 2664 wrote to memory of 4412	2664	setup.exe	127
PID 2664 wrote to memory of 4412	2664	setup.exe	127
PID 2664 wrote to memory of 1240	2664	setup.exe	128
PID 2664 wrote to memory of 1240	2664	setup.exe	128
PID 2664 wrote to memory of 1240	2664	setup.exe	128
PID 1240 wrote to memory of 928	1240	assistant_installer.exe	129
PID 1240 wrote to memory of 928	1240	assistant_installer.exe	129
PID 1240 wrote to memory of 928	1240	assistant_installer.exe	129

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/ck/a?!&&p=dc2750039c3e05eaJmltdHM9MTcyMDQ4MzIwMCZpZ3VpZD0xZmMyN2IzOC1jNTQyLTY0NmUtMTQ2MC02ZjU0YzQ2YTY1YWEmaW5zaWQ9NTIxNg&ptn=3&ver=2&hsh=3&fclid=1fc27b38-c542-646e-1460-6f54c46a65aa&psq=download+opera+gx&u=a1aHR0cHM6Ly93d3cub3BlcmEuY29tL2d4P21zb2NraWQ9MWZjMjdiMzhjNTQyNjQ2ZTE0NjA2ZjU0YzQ2YTY1YWE&ntb=1
1⤵
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3812,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:1
1⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4376,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:1
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5372,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:1
1⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5516,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5540,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
1⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6048,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6032 /prefetch:1
1⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5960,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:8
1⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6044,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:1
1⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6024,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:1
1⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6860,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:8
1⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6868,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:1
1⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=7296,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=7204 /prefetch:8
1⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7788,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=7980 /prefetch:8
1⤵
PID:1348

C:\Users\Admin\Downloads\OperaGXSetup.exe
"C:\Users\Admin\Downloads\OperaGXSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\7zS431627A8\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS431627A8\setup.exe --server-tracking-blob=ZjQyNTAwOGY1NDg5MzIxNDI5Njk2YzQ0NjhlNTAzZGM4NGQ0OWUyMTA4ZWUyNThmOGNkZDhkOGE5Y2YzMTI0Yzp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1iaW5nJnV0bV9tZWRpdW09b3NlJnV0bV9jYW1wYWlnbj0lMjhub25lJTI5Jmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuYmluZy5jb20lMkYmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmZGxfdG9rZW49ODM4MzU5MzMiLCJ0aW1lc3RhbXAiOiIxNzIwNTI0OTA1LjQ0NDIiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI2LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyNi4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6Im9zZSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJiaW5nIn0sInV1aWQiOiI5MzJjZDUzYy1kY2M1LTQ4ZmEtYjY1ZS1iZWMyNWE1ZTA3YzAifQ==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\7zS431627A8\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS431627A8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.54 --initial-client-data=0x330,0x334,0x338,0x304,0x33c,0x74c91138,0x74c91144,0x74c91150
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4576
- - C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0xfb4f48,0xfb4f58,0xfb4f64
      4⤵
      Executes dropped EXE
      PID:928

C:\Users\Admin\Downloads\OperaGXSetup.exe
"C:\Users\Admin\Downloads\OperaGXSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\7zS4E342488\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4E342488\setup.exe --server-tracking-blob=ZjQyNTAwOGY1NDg5MzIxNDI5Njk2YzQ0NjhlNTAzZGM4NGQ0OWUyMTA4ZWUyNThmOGNkZDhkOGE5Y2YzMTI0Yzp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1iaW5nJnV0bV9tZWRpdW09b3NlJnV0bV9jYW1wYWlnbj0lMjhub25lJTI5Jmh0dHBfcmVmZXJyZXI9aHR0cHMlM0ElMkYlMkZ3d3cuYmluZy5jb20lMkYmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmZGxfdG9rZW49ODM4MzU5MzMiLCJ0aW1lc3RhbXAiOiIxNzIwNTI0OTA1LjQ0NDIiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI2LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyNi4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6Im9zZSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJiaW5nIn0sInV1aWQiOiI5MzJjZDUzYy1kY2M1LTQ4ZmEtYjY1ZS1iZWMyNWE1ZTA3YzAifQ==
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\7zS4E342488\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4E342488\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.54 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x73d01138,0x73d01144,0x73d01150
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=8184,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=8148 /prefetch:8
1⤵
PID:2224

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OperaGXSetup\" -spe -an -ai#7zMap29176:86:7zEvent16455
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6764,i,13449985004032019519,10418033681721867105,262144 --variations-seed-version --mojo-platform-channel-handle=6536 /prefetch:8
1⤵
PID:3844

C:\Users\Admin\Downloads\OperaGXSetup\setup.exe
"C:\Users\Admin\Downloads\OperaGXSetup\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\Downloads\OperaGXSetup\setup.exe
  C:\Users\Admin\Downloads\OperaGXSetup\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.54 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x71ea1138,0x71ea1144,0x71ea1150
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS431627A8\.opera\Opera GX Installer Temp\opera_package_202407091135151\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS431627A8\setup.exe

Filesize
6.4MB

MD5
97d3cae40268951e9e8da731c0820f0a

SHA1
34358b04b5fb6c97a94a4bad28bdeed5888b2241

SHA256
e19f63f813df6f8b2d0e6ecc09e91b81caf6d330acde1996296120ae58e67baf

SHA512
ba0c7ab04c8a1ff77c900d9f84e57eb1846e3bd697982884ad8790a65ff6fb8aa19d622368bbd9f8efaf79872d207f3e568e57fe3d7288c912591f7c02adf3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407091135149272664.dll

Filesize
5.9MB

MD5
c6cbf40287bc8a4ec0f0801b8a6905ab

SHA1
5a62c2d2acbcc3bb8bbad3a5913f65b134008966

SHA256
344093a219d1b4ae17ef4a188d87057e0c83c897381a9883eb76b9f06fb08160

SHA512
7704f3d09d2d6b08d624427a950d3a31ba750a3327862b6d96b5e60e3b6450f36860e5f55b5b39ff46b0105d6f6eaec32f344e2beae112757e8c52e359014b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera_installer_ui.lck

Filesize
4B

MD5
496d6f4c1b171ec6e5b866ec6761411d

SHA1
6301ac87c28de920f561477d210b7cd676456ad7

SHA256
60a7c6685dbe8927fa43ba1e16d026bfccabbeecbeb9957ad4b1fe70fce23d0d

SHA512
ab33c953fe50a57609d8e5247afa4b9482621d95bda403d7133db967adcefa50d613bde050a400823d6975234b4155c8ff10a8d23a984b58bd3053e17c633e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
b380998a865f6075966a3be443cc39e0

SHA1
89900a87a3447617eb7f282466053518fff7bdbe

SHA256
0a450cdd1b4307a6be70ad94824152c6f1bab0aa09a3f1d996169802f0a69bc7

SHA512
77dc577dad692b49f30e3558c62221193fd636af6fe59e1699cfa87ae5d43f8db4e113cef7ed2cbb76fba5d789471026f5c6ce32de70fca76a8edff5b0ec5d1c

Download Submit