dc074ad6fcb6a29b76b8da45c84ecb811c3ddcd662d93ec69f0929578c267383

Resubmissions

10/10/2024, 16:18

241010-tr5x3avbrc 10

10/10/2024, 16:17

241010-trhsjavbnh 7

Analysis

max time kernel
348s
max time network
385s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10/10/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

2.1MB
MD5

46252fe1a6423fbbd272b168d98c00ba
SHA1

fd4ede984fea0e0a15f1b03ec1ee7aa7393903cd
SHA256

dc074ad6fcb6a29b76b8da45c84ecb811c3ddcd662d93ec69f0929578c267383
SHA512

ac68428d96d606d87d83f22e31585d3944e83f7cf90a101d685867970d2a6a6df54e6f84daffafb04e7f38bfeb61001291178c30cbfe0ae926995b27045d9592
SSDEEP

49152:RVAbwC95j527tIqUxHzKHhDLsRikQUTsoUq8IcgXzNGLRg9x:3AM7tqxTKHnqsoUq8ajzx

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
216	setup.exe
5024	setup.exe
2120	setup.exe
4964	Assistant_114.0.5282.21_Setup.exe_sfx.exe
1228	assistant_installer.exe
1568	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
216	setup.exe
5024	setup.exe
2120	setup.exe
1228	assistant_installer.exe
1228	assistant_installer.exe
1568	assistant_installer.exe
1568	assistant_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	firefox.exe
Token: SeDebugPrivilege	4796	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4796	firefox.exe
4796	firefox.exe
4796	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
216	setup.exe
4796	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 216	2948	OperaSetup.exe	73
PID 2948 wrote to memory of 216	2948	OperaSetup.exe	73
PID 2948 wrote to memory of 216	2948	OperaSetup.exe	73
PID 216 wrote to memory of 5024	216	setup.exe	74
PID 216 wrote to memory of 5024	216	setup.exe	74
PID 216 wrote to memory of 5024	216	setup.exe	74
PID 216 wrote to memory of 2120	216	setup.exe	75
PID 216 wrote to memory of 2120	216	setup.exe	75
PID 216 wrote to memory of 2120	216	setup.exe	75
PID 216 wrote to memory of 4964	216	setup.exe	81
PID 216 wrote to memory of 4964	216	setup.exe	81
PID 216 wrote to memory of 4964	216	setup.exe	81
PID 216 wrote to memory of 1228	216	setup.exe	82
PID 216 wrote to memory of 1228	216	setup.exe	82
PID 216 wrote to memory of 1228	216	setup.exe	82
PID 1228 wrote to memory of 1568	1228	assistant_installer.exe	83
PID 1228 wrote to memory of 1568	1228	assistant_installer.exe	83
PID 1228 wrote to memory of 1568	1228	assistant_installer.exe	83
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 5016 wrote to memory of 4796	5016	firefox.exe	86
PID 4796 wrote to memory of 4644	4796	firefox.exe	87
PID 4796 wrote to memory of 4644	4796	firefox.exe	87
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88
PID 4796 wrote to memory of 2764	4796	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\7zS48B96BA7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS48B96BA7\setup.exe --server-tracking-blob=MWMzYWZmMTM5NzQ3NjBmNGUzZGYwOWM3MGQyMGFmYmNjOTVlOWZjM2NhYmI5NWMyZWZjYjg2NjdhNDM2NjFhZjp7ImNvdW50cnkiOiJHQiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9JTI4ZGlyZWN0JTI5JnV0bV9tZWRpdW09ZG9jJnV0bV9jYW1wYWlnbj0lMjhkaXJlY3QlMjkmaHR0cF9yZWZlcnJlcj1taXNzaW5nJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGY2xpZW50JmRsX3Rva2VuPTQ3ODI2NzE3IiwidGltZXN0YW1wIjoiMTcyODU3NjAwMC43NjU4IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyOC4wLjAuMCBTYWZhcmkvNTM3LjM2IE9QUi8xMTQuMC4wLjAgKEVkaXRpb24gc3RkLTIpIiwidXRtIjp7ImNhbXBhaWduIjoiKGRpcmVjdCkiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9jbGllbnQiLCJtZWRpdW0iOiJkb2MiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiKGRpcmVjdCkifSwidXVpZCI6ImU5MjQ3MWM0LTIwNjctNDk4YS05ZjkwLTBmODBmZTcxZDEyZCJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\7zS48B96BA7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS48B96BA7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.94 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0x72f61a74,0x72f61a80,0x72f61a8c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x10a17a0,0x10a17ac,0x10a17b8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.0.2045180508\1824344081" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22f93ea-3ebf-4bca-88a6-421fa51e62eb} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 1780 1dcd4be5b58 gpu
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.1.1539258484\926474055" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b23d1eb-7129-4d01-bbef-9eeb01450bba} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 2136 1dcc2b72b58 socket
    3⤵
    - Checks processor information in registry
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.2.1319318747\1513063583" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2852 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3afb66fc-a436-4e53-8367-78bda778ce62} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 2820 1dcd8fabb58 tab
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.3.389014618\1093799117" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {404e33de-360a-469d-b1fc-c8c253891adc} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 3452 1dcd95e4d58 tab
    3⤵
    PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.4.352922510\10675836" -childID 3 -isForBrowser -prefsHandle 3904 -prefMapHandle 4464 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62805c8f-ab78-4fb6-989d-155850f7424d} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 4488 1dcda710158 tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.5.1299290790\1120907643" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be054021-7c05-49e5-8642-e0a72491d673} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 4864 1dcd75e3a58 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.6.1135779411\705282423" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca0c0b6-51bd-42c6-b632-5212dbe0d214} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 5032 1dcdb877358 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4796.7.1289465445\1617428335" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1336 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d525a9c-5293-4961-9cb1-eb3dd9320192} 4796 "\\.\pipe\gecko-crash-server-pipe.4796" 5232 1dcdb878858 tab
    3⤵
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
3b103a9ba068fb4f932d272d19f5619f

SHA1
8270adf6a18d0101ce54afb77179d55a78a35fc7

SHA256
7e9f5f137372bf9e13383dc06c71139d92a4a7efcb5c64c570311999ecafab15

SHA512
83011d2315dfdd8838d62b66f576259882033e28e58ffb1931f97bb0a105cce5f03a4ca6c1de88611876d038f7e2ca7be626d4e0fb689d1ed8c99c6ce9adda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48B96BA7\setup.exe

Filesize
5.3MB

MD5
d2b32d2ca95b09c440db5f37788a3829

SHA1
d0f5f06b9050ee2cc9202e6eae18349ab1257d70

SHA256
6cab004538645353524008c307f897f76a1b46282ea6761cc88fdd4b6fe3e9ca

SHA512
cc091d48ff9abf5add640bfdf99148b466cfded3cafc8451f87cf3723fd4b7f096e4b518216fbf7482f34167dc8deea5de251fe369bccd28ce2bf56b09163a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9ad88df5469312788110ec187fd52cf1

SHA1
127573930cc91fff8261ecdd3f8a54b9383f0bd8

SHA256
4728a9f18807c83f5aeff414291e76f5417a0a76675d9c3f9247e76aae99a99c

SHA512
64b4fd67cd7f7f096c10b80ce9347dec740433b16c4896658583a9596fd87033210169822bb848b3fae193f0e19c9d09424046775b406f4e2d2b5d60fa8c586c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\295c5981-dbbd-4c19-9151-980fe410775e

Filesize
10KB

MD5
53fb286bb363adf5580b08021d692c97

SHA1
c24a2efbc67736dbce258fca66f10ad7c074fde3

SHA256
65f5ebfc26edfa6b38a0f320ba6981eeadad276bb7224446b1826e666ce2dc6d

SHA512
0aad09dbe5f7bd8832a7aa4a2434b07138ab5d96d1393c1701d4fa1d6d15b6296b18d6c6db456ca46e3c4579d85722777549ccff19d435d0c8ba5ae10c916a73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\88d9f396-f58e-4db1-a006-b096bbea7eae

Filesize
746B

MD5
1acd9de09c597630683b219306299bcf

SHA1
f8bb3937259a2915648a157c2e6f01f269a3fe7c

SHA256
4459d7029e70f47b1d144367e7baef8650cae31ebefda05162782f49ec3c1287

SHA512
69e564193d2dedfba47f67c4abe99710307285efea74b4869b1e2823c1119351b975f580dea5cac8e3c7c561ec792c8ad5ab8b4f29fc1f657d07f6a92bf43206

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
8ac70388baaf1be663dfa414f2b76696

SHA1
4921ff66117cf69ae923f189a5b4a0cebb3e93f5

SHA256
b4c7e97f5ac1efd60e04ff91cb8b2737d53e70bd204138677fae9f269fce7400

SHA512
362db97e450d62eefa6ce0f379079eaa6265e1646be508048f8273aa649531fb93eb74882d58876c3ee4ee77102f942de365c5028590972764657e9d08478c88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

Filesize
6KB

MD5
3330e346c5dfcd12250dfbb3051f64fa

SHA1
ec002b138a89276638c14d3bc2c831eb58e03baf

SHA256
6eb550c736394087cc0927b570c8ed55fda7ded85fdd4209843b0daac4e100cf

SHA512
7f27779f1226fd33bf746e7616c79beeaf08a61202397eeffb6e22f300d426ca912cef2973cb55e736b6ae2753ef48742aa62676be306adfb3fae2bf3b75032e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4

Filesize
885B

MD5
9038a3c613eb944ca376a96f1dd9fc5d

SHA1
76f40cdb54d71a60b37b43529245cb6b0f4916d9

SHA256
5ceea7d7a1b5e6d645214ee0929bb3ba0294f0974c7c471bfdbe63fce0743b3f

SHA512
38b3d2e3e8655bfe82ae3f9fab32c7e62d97f4f36f375eb87f59d388d218376c48c739af8cf614ce92ad30bd9b99984a7f40abeab16b884f4554196e91c3b435

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0d0013d9708d9fef539adc917f5b87f6

SHA1
5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

SHA256
f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

SHA512
851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
109416ed91f4154f9e0db2bfd6830e6c

SHA1
9a6b7219e33a9ca2c5db5d86c3b86d95abbf4bdc

SHA256
c3e84defce5cbca666d418060f88508a77d507e57d8aeebe9c38e2090ff30e9c

SHA512
a61f8e5e264ae56825b02cab0611a1a5eca1b8c9596ef6e7c32493647ab0f82ec24af146754907f56868e7d272ce6c1eaddb263b71f1ea740c5ec3d8d96c9a25

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\dbgcore.dll

Filesize
166KB

MD5
612a3bebcf72256296103e034ace0236

SHA1
4e722e00e3294194224ae348477e3898c01b47b3

SHA256
3e20d38b7f1ab5dcbb1057f06f4dabf64e57b71d12a7335b4c5601b5b4a6047c

SHA512
dde0aabbe0905408c8df74fb51232b322e233dc43fc34f4ddac9a5e626359d7e4948d41f3fcbb95f0a635cbd229953757ba456a095b2b3523bb7a851663e6302

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410101618371\assistant\dbghelp.dll

Filesize
1.7MB

MD5
3f68b6ab3dcfd45911952ed4f5d75197

SHA1
c24c63d36a26f2320ae1c70b282769fae1e18b48

SHA256
e2f7ff92d8b959239e535b1824eac0bcf21b3134418a7b0411fa0c92ab6259e4

SHA512
5e6e031c5b802f667dc846f5dddd3c3ff5ad810b6274633bf519aa07d6a4eb7cd1c810b04f9fd552e0f6c7bb7285db0d3dc64b7a5690899583ae30bdc4e3c09f

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_241010161836697216.dll

Filesize
4.8MB

MD5
a0a086eadb30b33d556ace427e6fe3b5

SHA1
ccd76ed307469d0e2ec59a57f4b9ef5f6db42123

SHA256
99ad2bef393791036eb600f35cd5ba5c7d9cdb28676ceb5fb6fbb748515e2f16

SHA512
f2208b5ad4180d7bfb1b6eab3f18f52692505d5fc84ef34118e16659421a099f11fad1ea49233951057bbdfcf173c13d9927fb2ea984629b8fe60cd91c8c14a6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads