f7908f4fca5db961066654736243cf95a31ea41fe28eab5a2c2eaafaa356e88d

Analysis

max time kernel
252s
max time network
255s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 10:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.1MB
MD5

3487ada558b8b296d9d36833d8273123
SHA1

58bce514995aa27bc13c303db7ecf30229d7d4b7
SHA256

f7908f4fca5db961066654736243cf95a31ea41fe28eab5a2c2eaafaa356e88d
SHA512

456c2df36a7c6af710a2f41713ab6dee5a9ebd66c8f6accaa85f6bb884e6fa201cb5d68399328f9211edfab2af4092811fdda744a55d1c5d70a1bb1861c3c3aa
SSDEEP

49152:ONEyYYC1hqiJckG38dBFOhg5/6qF3rjb/h4CNcTCP8xphzSNtOSe+aSt:kEP1y3+0hgh6u/ZcTCP8BzONaSt

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3416	setup.exe
4996	setup.exe
4804	setup.exe
3160	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
3532	assistant_installer.exe
2896	assistant_installer.exe

Loads dropped DLL 3 IoCs

pid	Process
3416	setup.exe
4996	setup.exe
4804	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700049440482049"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe
Token: SeShutdownPrivilege	2804	chrome.exe
Token: SeCreatePagefilePrivilege	2804	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3416	setup.exe
3416	setup.exe
908	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3416	3892	OperaGXSetup.exe	81
PID 3892 wrote to memory of 3416	3892	OperaGXSetup.exe	81
PID 3892 wrote to memory of 3416	3892	OperaGXSetup.exe	81
PID 3416 wrote to memory of 4996	3416	setup.exe	82
PID 3416 wrote to memory of 4996	3416	setup.exe	82
PID 3416 wrote to memory of 4996	3416	setup.exe	82
PID 3416 wrote to memory of 4804	3416	setup.exe	83
PID 3416 wrote to memory of 4804	3416	setup.exe	83
PID 3416 wrote to memory of 4804	3416	setup.exe	83
PID 3416 wrote to memory of 3160	3416	setup.exe	85
PID 3416 wrote to memory of 3160	3416	setup.exe	85
PID 3416 wrote to memory of 3160	3416	setup.exe	85
PID 3416 wrote to memory of 3532	3416	setup.exe	86
PID 3416 wrote to memory of 3532	3416	setup.exe	86
PID 3416 wrote to memory of 3532	3416	setup.exe	86
PID 3532 wrote to memory of 2896	3532	assistant_installer.exe	87
PID 3532 wrote to memory of 2896	3532	assistant_installer.exe	87
PID 3532 wrote to memory of 2896	3532	assistant_installer.exe	87
PID 2804 wrote to memory of 3852	2804	chrome.exe	91
PID 2804 wrote to memory of 3852	2804	chrome.exe	91
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 1364	2804	chrome.exe	92
PID 2804 wrote to memory of 3408	2804	chrome.exe	93
PID 2804 wrote to memory of 3408	2804	chrome.exe	93
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94
PID 2804 wrote to memory of 3064	2804	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\7zS43F1E7A7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS43F1E7A7\setup.exe --server-tracking-blob=NTM0Nzk4NTYzYmU0M2E5NmY3MDNkMDU4YzJhZWI4ZDA4MTVkMWY5OWY3ZjliNGMyYTAyNTQ5MjBjODZlMzc2YTp7ImNvdW50cnkiOiJJRCIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1vcGVyYS5jb20mdXRtX21lZGl1bT1yb2MmdXRtX2NhbXBhaWduPSUyOG5vbmUlMjkmdXRtX2NvbnRlbnQ9JTJGaWQlMkZneCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmlkJTJGZ3gmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZkbF90b2tlbj05OTA1Mjc3NiIsInRpbWVzdGFtcCI6IjE3MjI5NDI4MzUuMTM1NCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjcuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Iihub25lKSIsImNvbnRlbnQiOiIvaWQvZ3giLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InJvYyIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJvcGVyYS5jb20ifSwidXVpZCI6ImUyYWJkNDllLWM3ZmYtNDdiMS1hNDUwLTFmNDkwMjQ3ZWM4MCJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\7zS43F1E7A7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS43F1E7A7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=111.0.5168.99 --initial-client-data=0x33c,0x340,0x344,0x338,0x2f0,0x745e1160,0x745e116c,0x745e1178
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3160
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0xe04f48,0xe04f58,0xe04f64
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff8d5e2cc40,0x7ff8d5e2cc4c,0x7ff8d5e2cc58
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3760,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4376,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4372,i,15018385715306242685,7715482568566352264,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3970855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ed612dcf350d4bb71e4dc53050635262

SHA1
3ddb909cf367dac0140fcf30fff8f778139d94f3

SHA256
08ade48aa7c3c3fd32b96688275404a59bfceee4a7ad900d032fbd56d1dea166

SHA512
da48215cdc486fbc451134e93492f424847754a570b7358f02a18a03a7cc086e266a1fba6100e4d921ff43c42a10fd1c90409ac8c52b042223c6ac87d21eb453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1fd433f557432cd5454ebdf9a6fb27b0

SHA1
c381036a7f01f6fcca719f95041561b5bbb848f2

SHA256
de07dc6121c285886a17a0b438f3ae7843d50ff6446dec774315b245559d3d05

SHA512
2a6fc7f5d5f8b127bd1c24d946b3f1d7f0e404a3cad80bd356bb7b7c9848fe46a3656a11fd91dbd488231440e9fde98a8b1b5be656a3e21828f56a3e3a736ce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d694d0e8a079418abf0d905d64d51191

SHA1
a1a91fff54fd2a6027c79d843bc550ed62914d12

SHA256
451551680a2687163e53dc5a2ec11c8c347bb1df4aaa56658aa9fcd123afa14b

SHA512
c00209aa838786970c18b93bcc320422b7c594f11205b41e6bea8cb11cb16bc8b83b6043297964c240921745f068cd0b7911f3d304daa2bcd9dd2c2737f82c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
22a0caab8b199f21465c904c8d29acac

SHA1
3722f07342e1242a37ee58c54339f09b381d79e7

SHA256
deb5158629167d1aa792695687130185b42e5e207d0bee49db805ec8ed2761fd

SHA512
8eede4c0a921bcec4be71c4b7ecd11a2dcae632474242c22e2ac68c7ed2b2e311826edebadb08ad4743007eca8818d4d70ca0dd77b88f87738cce8923810be87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ff053646d7f3725209530d5499a7659

SHA1
1377faf93c23b3a5262b733b0d15b38d601c26b4

SHA256
a890b7b8c237b026841718ecfebc27fe9c06c0844927ed4d990dc6e2810db0ec

SHA512
d2f080570ddd624fc146a1e6fb49434fd0623320fe6f52404f29ed6b0f0f323f71264746fb913b09f6a68c8c3f6dd819b8a59824cda512ddcb9feaa5bcfe7dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b007ac6e062ae387d155872ba592df0a

SHA1
c04302c0bfdf1b5978ce28a9427b67f051869a69

SHA256
31a1ab1f3e43fa96b81121bdb8d14aee9d7981a5527f383da1859c8606827c8f

SHA512
359b3de1ddce732a4a50b073515b5f5f41b10e0d7477e4dc50d5978f31c09e5547376f1ec8ef6f26e39c0a082feffc6b17f815fabb21a7b17ef597bd691da297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f880a2293c2d3c0d918941a962e73c4

SHA1
c45e185ee62ef2d9f87bf1367ee893053b0d2706

SHA256
e6fa371500a8cebb272b63097b17bf5a87cbd0bc5814758d8c22e31a35bf214c

SHA512
5f596e80b99788fa5a0e76ae5e99d55766a234f93b48a1227360bdfbce5b2cb11e0a398b1640fee9b84b357b707b230924f62218f7b4395b7bb2ccc29f44a0a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b46f5e0576ff100c36c6a8e20cada5c1

SHA1
99d292b5c9c3725e0cdc806b61a63597408494eb

SHA256
d9f7fc736da08bdfa09d9a5a4b259405447c9510579e21cf308fe4decf69c68f

SHA512
70c4435a68635057df5d53deb0f0258fdf192521f5ed37bbf987ba9ceee17f5fa912b2cbea9561203843299143a192c92f7c9e1fd552eaaff27b608306cb7d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad9fdcd1309fad81b8d6cd5c144d1bd1

SHA1
fa91e3df07942ec76fa864e8ef885d6503d5eca3

SHA256
963dd4a3c015a3173825e05a0af0af4115fefd2739963bbefd57896264ff5ef9

SHA512
ccfef80aaaca7bc40dcdf1eeb1d0f56a8044a8e1bb8be122c30ae43a1d5dee6c9d292944c2d7225b4d9a8f4b7ece882002f916ca06742c1715f42ca611fe3b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
078dd93ebb665689607483fc725030e9

SHA1
dac4ad33eca52b4ec17edcc23eec2d4793e47455

SHA256
bb046178adcd63bdb2dbb7d4059bb1045cacbdb19d1563393d87fc2546036a87

SHA512
83322dfebe976ca4ac2de108f58d82b2c290e246920efc491cde6d3269cfe515e0bf7c4845bdfafdcc980d546b114e47544a0da12d7ad7d377b0fed75ab1f254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b6dc7d57f331a5740e87f851a5a40c8

SHA1
03c481f8e1b55eead4ac2bbc110576e8b0a429e5

SHA256
44cf5fef503a73d6b92621638211b3051c8b60a85b9cfeb4a7981f3b6284f937

SHA512
91efa2e16bda84932aae4bce65b01fe07317e24212199aebe0498a7ee32e092c0c8ee181b49e97b07125984a2d8c5bf40794238166030c847103f091e971ed51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee9827171c73438367d2597b53afa14c

SHA1
4ef14dedc0f375f76282f061622400ea3c9883b0

SHA256
535d2210188e8eb2b41fcd0c0c5ab0349140dea13ceb3d59507bd272431cb021

SHA512
bba74600f6f45cd234179500c18ab93b4d1c6e05092a2e19ce12b0549e9e0c5c7083fda14661d75c6c6b05e9dce8ef179d820a3a9fa9567834873eb070c4eccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f18e3a1b9cf1a2eca2307637a7224e18

SHA1
3ecc75912cbd77b07c05c263d94782c48cc35e36

SHA256
5792e5c4eeb8bd25b6c59798c030eae619816ae87d69f96c8b8cd7a88039cfe3

SHA512
302d184bc5e00ba3ff09474b739cff5f4d9e36e574bce556bf6d679684cadfdc2f17987790167c482b503f0fd547ffc583c4302b4e4691964ef9a697e7b7ae74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d336626a0adbd9da88cb7dc70b51a96

SHA1
91f072220b04953226c3280cd4aaca754d4110d9

SHA256
d27b088156511ba7823de310be815072614c0f400ae9e0022bce1cc7567cd341

SHA512
57cf5f880387590ba14ad14609251e17b32616c896edf8bbffa2ad6ff1ad08514d5df824aa57d5ba2b98fbf76c6472c496bd36d58149c4adf100cd2311de4824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
605d08bb00d1d28054e5070dfc0dddd9

SHA1
54726867d80b28116c18f7e8837428a8144d2a2f

SHA256
b637fedf4982af30bcf29caafae7c5bc8865e549fa150561c2d4cde14c8fdff4

SHA512
03cd59eefac37d37c3005acb5076aedb553541a3932fbc53664fb24692d845e5be7913898fa2e32c4a349cd49e649bc458b46c272474286f46a9e45be4ad7a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9bb5ce4359c490d50d391502a379df66

SHA1
a995b6f4002ed02c5b9dd13d433f09a8b2ea30ba

SHA256
27f19f756732019d048baaabc2884e3c1e944b806a56844a857d3e8af1a44a13

SHA512
d04d906417aa78e25fea9521f59cde228e852a7a606a1b28deceb3b3ea8d82f708dc9d5dda6d31c51e48fd31839cb36ce529666e32c00856f8801e8ec6a537e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce2e7d7a7a2fdc1c160e58fd7c9c8dec

SHA1
e0cb79a330acb0503d2c66d2b9ae4b0b63c86752

SHA256
093d593426e64ece85e932f6a2bb1f45a2c5040b04f42b3041bc9f43706cda56

SHA512
cd53c47bcbbcb83d819ab48b0f2c75ab06afcdf6140672a3986584933d6d7bdeae72d34a86109120ca5ec34a02d5c1701516033d89e389a983992893af960a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a61eee5b4c119c98e249cb6d1a4d6d67

SHA1
bdacb8c059f939a78d4e045543e1f9ba66f2b93f

SHA256
d0e059792ba1733762a043d7b3995e8f36efe1fee9f76d82b18a5cad5942d06f

SHA512
2851aabc90cfe2476b37a86fcdbb8c442bb149e89ef0d867a2072b9af335e6b418607fd92b3295c81e23d19da716e5bb1680b00d23009aa1a9826a11446caf54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b4c497702926257a215edcdb182bcd5a

SHA1
a5c2d86ced5548204a23b74946288f1ee9f88071

SHA256
00b6b782d3b370b652ad1ec8ef4c2685f90ce609a56e08b6fad2d762b4bd1a0c

SHA512
3f43449bcfeaf8653b18fae7ebf6ca5ef8fd69286d1c8894438ef6d2a2a7f8bb955f6876d015a278e9f4c62311c900c1eb730dd7dfeb2cd4578c92c27a55fc77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e3760764c9f0372a041b5d2602b21836

SHA1
9ced4f2e0aa80b14854e8eb2f3496ce55388189a

SHA256
7e0c4e290f51254b783147050649d122ab37f2cd343269d9b5c969b0f31767fe

SHA512
7324e2117daff7166bcde054d5184fd0ed3d1640d972e79d7a0fa5514f35bcafa4b7ed23f1d5d92edb051dca1d4416209f06d9e8bbd4267679fd599cda22aee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
5c14b0f4ab51e16c094af60b43edbb4e

SHA1
2b8ed68f461b4770712660f5f2fcd318d4f5c53d

SHA256
741ce5583ddc1f0a0cdaf814ffcd621bc89300abf1c38673e1bd6c2b8c473fa8

SHA512
6158a030d36183a8659abcfd33af4c30113e0c1512162048d1a18f2565c9ea956efebb89ab2318a6ec95ab927a37a53f9b274c41887eff4b18c2c84fd09abf94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
9315986e566ba1d54972f9ca057454d4

SHA1
d865a8c33d8ee54743ec66dceca861ac32acd7c0

SHA256
f1fbbc56851c5cda8bcd0be89c4141fcaab0b6454ec79416fb01002490c23fab

SHA512
30eff653b51b804bf234d0b5641b1161dd02339bbf8ae9dce5e9107820a4e85b903dcf1fedb8ec511ce7e1be222221866b9180b902beeb2daeef77ef1edfeda0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
e7580e27a18573905ed4ffebb65fd242

SHA1
3c739f231064f45e14c0f8463f260a9d1dbf8c57

SHA256
f908979a899eead0c77733a816989a63e6c292821edbda1b691b1aac38e97c08

SHA512
2c03cb528ea952da8e07a7872b6a81139be91f21c47ded06855b3b3b895d67b19cc2acd004b9bea3e8982d736811cf236763e6fc2bf585356d5bb1ee1888a734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
85bde52428e7cfccc88c282255ba5c7c

SHA1
a551eaa6f5707fd7398c9df0cd7be0155630598d

SHA256
db218824c7815c8da8b5d546df7de0b48350b75444951d80b846c00a8116455b

SHA512
c6e26680bf29cf2daa6468dac98e07d12f8f267e5b9ec5dbc6726b5734c0a9c7a87382e9cc1d1cb24ad5da8f2d8819db2ecf3209f8101de2db95314057578eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
207KB

MD5
f3afd2d54aaf52cc6151a524d986435d

SHA1
fc68738b1dfe41a249c97fbb599dfe9e8f99560c

SHA256
e9145020b0b40f330a9a9e297cc5d6bca9e3d070ca77689dd54c713ab8f6bc6e

SHA512
29fcab10a6b4588a3034688f55d326a8e29c5d5b01e768332464dce7214bb12e342531614a60558545986dc6fb60d1aacc132c4317de83a56a12ea4f7e855e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202409051015001\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS43F1E7A7\setup.exe

Filesize
6.4MB

MD5
241331bede4cd250aeead156de3225c0

SHA1
4e6ebbfda62706203c7f3016d136560854841358

SHA256
b476f1c8521db36255a862af284f462eef77c4fd5233adb002137af7835f5e86

SHA512
9eb8f3970645315c73e80cea2af9364d8aa68d4e3383cdf21dd0393fc74857538639793e995a66b6bd58f086738981ffc364a06b23b129fab380d0e59532d712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409051014599453416.dll

Filesize
5.9MB

MD5
4510a03cd9a85d34ad47ed84097ed4a4

SHA1
a1a761249bbbe8dffcb3fac37ed570c89e130379

SHA256
cafaa2ac106c340ca91acbbd483379cd3c2273d2cb795349db6b07c7272c0433

SHA512
95b4b9de8818e025608f7a77b3281e879bbaed5bbde6cfcbbd4bcb1b6c6cf09706b68061b7264d90c3374c2a0072f91afffc5b617fec12921407c72b63b2be62

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
7e466e88088e137c410263277d890559

SHA1
e3b89db5dda3d7af4ff6943aa64c22bc52661696

SHA256
f793bfdf8421d2ad89e08b1f4d8f2e823e047c4e98f7b8453fb3642749717d90

SHA512
73851a294ffbf9e6450493259dd6113a22ba6d8d920bd3dc900e21e8b076585c718a6af4f5caeff2b4d6e02874daf8f4b52119f5a14e1734746263bb6c07bcbc

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads