neshta | f894d3df8c6df4117d44d958382a5ba47ab288e2cc5e7fd8c793ceef1a21a220

Resubmissions

30-07-2024 22:59

240730-2ynw5ayajh 10

30-07-2024 22:56

240730-2wvlwsxhma 10

30-07-2024 22:49

240730-2rrpfatbrk 10

Analysis

max time kernel
99s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO/OperaSetup.exe
Size

2.1MB
MD5

6c01a631f7c31ce735c757a33537e95b
SHA1

60bee89ee0f2da909c83d2e71413afdb2c4e3648
SHA256

7f1b8f48b9b9e7a43b4689e2d4fcf0ace7a251e4801d5b0d666414e7604359e0
SHA512

6e1d49190afd096ddf469273e8e59531fe7a951ca262d6b90035f69c6510e6c949fcb781fa6031f47b81016654b832544563c9b124165e3a18b23bb3311101f8
SSDEEP

49152:iNEyYMnDfIZ54N+FVbKDR5s5R+M8nAZWVqNmHhO:4EIxO8s5R+MZhQ0

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral4/files/0x0006000000020246-32.dat	family_neshta
behavioral4/memory/1628-134-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1628-190-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral4/memory/1628-192-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	OperaSetup.exe

Executes dropped EXE 9 IoCs

pid	Process
2876	OperaSetup.exe
2160	setup.exe
2492	setup.exe
3124	setup.exe
3424	Assistant_112.0.5197.30_Setup.exe_sfx.exe
3540	assistant_installer.exe
2068	assistant_installer.exe
5056	setup.exe
4948	setup.exe

Loads dropped DLL 9 IoCs

pid	Process
2160	setup.exe
2492	setup.exe
3124	setup.exe
3540	assistant_installer.exe
3540	assistant_installer.exe
2068	assistant_installer.exe
2068	assistant_installer.exe
5056	setup.exe
4948	setup.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	OperaSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI391D~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MIA062~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	OperaSetup.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	OperaSetup.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	OperaSetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	OperaSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_112.0.5197.30_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	OperaSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2160	setup.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2876	1628	OperaSetup.exe	84
PID 1628 wrote to memory of 2876	1628	OperaSetup.exe	84
PID 1628 wrote to memory of 2876	1628	OperaSetup.exe	84
PID 2876 wrote to memory of 2160	2876	OperaSetup.exe	85
PID 2876 wrote to memory of 2160	2876	OperaSetup.exe	85
PID 2876 wrote to memory of 2160	2876	OperaSetup.exe	85
PID 2160 wrote to memory of 2492	2160	setup.exe	86
PID 2160 wrote to memory of 2492	2160	setup.exe	86
PID 2160 wrote to memory of 2492	2160	setup.exe	86
PID 2160 wrote to memory of 3124	2160	setup.exe	87
PID 2160 wrote to memory of 3124	2160	setup.exe	87
PID 2160 wrote to memory of 3124	2160	setup.exe	87
PID 2160 wrote to memory of 3424	2160	setup.exe	88
PID 2160 wrote to memory of 3424	2160	setup.exe	88
PID 2160 wrote to memory of 3424	2160	setup.exe	88
PID 2160 wrote to memory of 3540	2160	setup.exe	89
PID 2160 wrote to memory of 3540	2160	setup.exe	89
PID 2160 wrote to memory of 3540	2160	setup.exe	89
PID 3540 wrote to memory of 2068	3540	assistant_installer.exe	90
PID 3540 wrote to memory of 2068	3540	assistant_installer.exe	90
PID 3540 wrote to memory of 2068	3540	assistant_installer.exe	90
PID 2160 wrote to memory of 5056	2160	setup.exe	93
PID 2160 wrote to memory of 5056	2160	setup.exe	93
PID 2160 wrote to memory of 5056	2160	setup.exe	93
PID 5056 wrote to memory of 4948	5056	setup.exe	94
PID 5056 wrote to memory of 4948	5056	setup.exe	94
PID 5056 wrote to memory of 4948	5056	setup.exe	94

C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\OperaSetup.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\3582-490\OperaSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe --server-tracking-blob=ZTJhMGM1ODhiNDE1ZTFkM2UzYzUwYzQyNWU2Njk0MTdkMzVkYmE5ZjMyMzc1MjZkNDFlOGVkY2M2YWNlOWU4Njp7ImNvdW50cnkiOiJDTyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1Xb3JsZHdpZGUlMkItJTJCU2VhcmNoJTJCLSUyQkVTJTJCLSUyQkNvbXBldGl0aW9uJnV0bV9jb250ZW50PUNocm9tZSUyQi0lMkJFUyUyQi0lMkJCcm9hZCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmVzLTQxOSUzRnV0bV9zb3VyY2UlM0RiaW5nJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEV29ybGR3aWRlJTI1MjAtJTI1MjBTZWFyY2glMjUyMC0lMjUyMEVTJTI1MjAtJTI1MjBDb21wZXRpdGlvbiUyNm1zY2xraWQlM0RlNzBhYzdmM2U4YTQxY2ZjN2U5YmExN2U3YzkzODEyOCUyNnV0bV90ZXJtJTNEaW5zdGFsYXIlMjUyMG5hdmVnYWRvciUyNTIwY2hyb21lJTI1MjBncmF0aXMlMjZ1dG1fY29udGVudCUzRENocm9tZSUyNTIwLSUyNTIwRVMlMjUyMC0lMjUyMEJyb2FkJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJmRsX3Rva2VuPTczMTIxMjk5IiwidGltZXN0YW1wIjoiMTcyMDU1NDU2Mi42ODA4IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMjYuMC4wLjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJXb3JsZHdpZGUrLStTZWFyY2grLStFUystK0NvbXBldGl0aW9uIiwiY29udGVudCI6IkNocm9tZSstK0VTKy0rQnJvYWQiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJwYSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJiaW5nIn0sInV1aWQiOiI0ZDhkNDM2ZS1jOGE0LTRlY2EtOTZkNi00NDYxMWI4M2M5OTQifQ==
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.61 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x7349a128,0x7349a134,0x7349a140
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.30 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x1e8f40,0x1e8f4c,0x1e8f58
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2160 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240730225031" --session-guid=169fbd70-b905-4ace-83b9-5967d37448ec --server-tracking-blob="ZWFiZTYwZDJkYjFkMmI3MWUxMmM4YmNkYTU0NDY4MTE4OTg0MDgwN2M2MTBmNzY4MzMzNDBmNGQyMDE0OTc4ODp7ImNvdW50cnkiOiJDTyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1Xb3JsZHdpZGUlMkItJTJCU2VhcmNoJTJCLSUyQkVTJTJCLSUyQkNvbXBldGl0aW9uJnV0bV9jb250ZW50PUNocm9tZSUyQi0lMkJFUyUyQi0lMkJCcm9hZCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmVzLTQxOSUzRnV0bV9zb3VyY2UlM0RiaW5nJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEV29ybGR3aWRlJTI1MjAtJTI1MjBTZWFyY2glMjUyMC0lMjUyMEVTJTI1MjAtJTI1MjBDb21wZXRpdGlvbiUyNm1zY2xraWQlM0RlNzBhYzdmM2U4YTQxY2ZjN2U5YmExN2U3YzkzODEyOCUyNnV0bV90ZXJtJTNEaW5zdGFsYXIlMjUyMG5hdmVnYWRvciUyNTIwY2hyb21lJTI1MjBncmF0aXMlMjZ1dG1fY29udGVudCUzRENocm9tZSUyNTIwLSUyNTIwRVMlMjUyMC0lMjUyMEJyb2FkJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJmRsX3Rva2VuPTczMTIxMjk5Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzIwNTU0NTYyLjY4MDgiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI2LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyNi4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6Ildvcmxkd2lkZSstK1NlYXJjaCstK0VTKy0rQ29tcGV0aXRpb24iLCJjb250ZW50IjoiQ2hyb21lKy0rRVMrLStCcm9hZCIsImxhc3RwYWdlIjoib3BlcmEuY29tLyIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6ImJpbmcifSwidXVpZCI6IjRkOGQ0MzZlLWM4YTQtNGVjYS05NmQ2LTQ0NjExYjgzYzk5NCJ9 " --desktopshortcut=1 --wait-for-package --initial-proc-handle=FC0A000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.61 --initial-client-data=0x330,0x334,0x338,0x300,0x33c,0x7155a128,0x7155a134,0x7155a140
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\additional_file0.tmp

Filesize
2.6MB

MD5
1bf64fd766bd850bcf8e0ffa9093484b

SHA1
01524bb2c88b7066391da291ee474004a4904891

SHA256
58794b1bf4d84bd7566ee89fd8a8a4157dc70c598d229ec5101959f30b6f3491

SHA512
cdf2830edc5d4f30beae41591f3a1bcff820f75444d70338a4c6d36e10df43475f383a9f291b619a008452c53e0dddf65547f217386389000535d6d264854e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\assistant_installer.exe

Filesize
1.9MB

MD5
9afe96db501220cf42b262fdac954dc8

SHA1
d3471998f674b267256e72a30977a79abcd8fca9

SHA256
fc5608bf95bb02e889aa9be15abc5c066acd62ba07f886b323383e75909a2566

SHA512
ecff52ca7467e3948faa244c1fc7c3d4d1f1dbe74077d071b78147729a078cc6a676212e0606111edcf542d554045c4f5a4d502545b2f0a285cda6c5d0b69b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\dbgcore.DLL

Filesize
166KB

MD5
e0274730d20eb9571d59f2da20d165a2

SHA1
b746aeca5f7cbee0de163309c9d207c94f9b8d64

SHA256
c5c4c6430bcfe6118a4f499c94afa460401e369dc548a24688532c95fd202ec5

SHA512
d95998b69e6c3d25037e12e038f2773960de2d18df1af0342fd805c7c349bd630a21d0e0fe7490baaf274e90781ebf6a2667e64593f9d91174d040bfe640bddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407302250311\assistant\dbghelp.dll

Filesize
1.7MB

MD5
6e9976cc7b2def7a37106703e47626a5

SHA1
edcb4758f8ee56e9c6515f912d5024aeca9ead50

SHA256
fd8840fab4b61db4e9e09168e5b1b4f0e9bfea0a64482fd475ab63c712b92b9c

SHA512
27091e6ad001dac22897a295806925e02f693096d79667e587de74ca955ffb9b2773b22c83e306e7164862524e02ad028e68684c2ca7d9e4da1ff03787dd40ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\OperaSetup.exe

Filesize
2.0MB

MD5
080bf22fdb2e1db7c9bd20433b1fde60

SHA1
03c250d60170c9ed13dd475ca44b5439a34e8813

SHA256
17ce89c377997b79f5de5d83d72e700b79b9bc7fbbff2c55c36fed74cb9699be

SHA512
285eedf2742650d18d6f7d489901cb92472fda95dece3a473aded805a55a7419cf11bb2d801299cdd9ac29b57586889d4d4b87589fe0c62398ac3456821b0617

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC3B0C137\setup.exe

Filesize
5.2MB

MD5
5b591929769effed06e395c91c7ca453

SHA1
caab87c0d3011d6deed74308e51ec530f7c5eef6

SHA256
d927f1cdb6c5ac43386c213d7d7aca13c6b5e403cf35bf8d598c3839bbc66fab

SHA512
a30f8fe5f4532457c0bd9070c0fcf2470207edabdb1f11698b6fc788442e9f04dd1e2a738b098e5488dfe736418d0b7f1ccd21bd9348108e54e88be1521a5cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407302250302882160.dll

Filesize
4.7MB

MD5
6c4fbcf80809c394e13e2b72f4fc3136

SHA1
493c0b254279edff867d1a6ca5d88c57ba01dc87

SHA256
6bd58a7d9a6f076c6b52602988ac75f598e73a3b53bc2762a45606a14c0d893f

SHA512
a01e30c786f8187279f88eddb31b7f33f450302eded8f81edd525b4b9cf884f49680ab5352b763d1042834469616e0d04257b2ad4294a3d86788ef03bcb983c5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
4a7218afd09f873b6116a216a97781d5

SHA1
8460b9456c737dbca0898bb207fafaf7f769ee8a

SHA256
4cbc0e56af3d0ddac6974234b61e9d935d8a37243373730b13dfdcfab1ede60d

SHA512
83b9de7d77606ab38be86c07317aeb2b1e04cfa2d245bb5efa4a153bc5675143b242788f4396144b84d8a4deaa79a4666097b4ec74f84042430a84cd4386c61c

Download Submit
memory/1628-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-190-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-192-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads