xworm | 8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05

Analysis

max time kernel
96s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExcellentPc.exe
Size

3.8MB
MD5

c442314955c838b624c2e192bf5047b8
SHA1

aec181fb91ddbaccce6446e6cb13b1cc7bf3dbc1
SHA256

8b55f3a58422ac0e9d0808e5f909c7666ff2e35cf42ef486639b271a263d4a05
SHA512

f99c3c47fb540ad2cfdfb94fcee42344a33ac5504e2dae2f553fb62192fd5b5ffff9d7a44a806e9969d83788b5297a44228c15ab899a272904042b948bc5bd93
SSDEEP

98304:ZF2Vfe+gLUCd7gRkBokvNc8hYLbnkKy6H960sUUuht:ZFdW6jiHfs1Wt

Score

10^/10

xworm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

cameras-happen.gl.at.ply.gg:23386

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001000000001ed07-4.dat	family_xworm
behavioral1/memory/116-17-0x0000000000CD0000-0x0000000000CE8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 2 IoCs

flow	pid	Process
38	2028	setup.exe
59	2028	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	ExcellentPc.exe

Executes dropped EXE 10 IoCs

pid	Process
116	Excellent.exe
1412	OperaGXSetup (1).exe
2028	setup.exe
3360	setup.exe
4212	setup.exe
3416	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
2096	assistant_installer.exe
4048	assistant_installer.exe
1272	setup.exe
3980	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	setup.exe
3360	setup.exe
4212	setup.exe
1272	setup.exe
3980	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExcellentPc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	Excellent.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	setup.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 116	2216	ExcellentPc.exe	87
PID 2216 wrote to memory of 116	2216	ExcellentPc.exe	87
PID 2216 wrote to memory of 1412	2216	ExcellentPc.exe	88
PID 2216 wrote to memory of 1412	2216	ExcellentPc.exe	88
PID 2216 wrote to memory of 1412	2216	ExcellentPc.exe	88
PID 1412 wrote to memory of 2028	1412	OperaGXSetup (1).exe	90
PID 1412 wrote to memory of 2028	1412	OperaGXSetup (1).exe	90
PID 1412 wrote to memory of 2028	1412	OperaGXSetup (1).exe	90
PID 2028 wrote to memory of 3360	2028	setup.exe	93
PID 2028 wrote to memory of 3360	2028	setup.exe	93
PID 2028 wrote to memory of 3360	2028	setup.exe	93
PID 2028 wrote to memory of 4212	2028	setup.exe	95
PID 2028 wrote to memory of 4212	2028	setup.exe	95
PID 2028 wrote to memory of 4212	2028	setup.exe	95
PID 2028 wrote to memory of 3416	2028	setup.exe	103
PID 2028 wrote to memory of 3416	2028	setup.exe	103
PID 2028 wrote to memory of 3416	2028	setup.exe	103
PID 2028 wrote to memory of 2096	2028	setup.exe	104
PID 2028 wrote to memory of 2096	2028	setup.exe	104
PID 2028 wrote to memory of 2096	2028	setup.exe	104
PID 2096 wrote to memory of 4048	2096	assistant_installer.exe	105
PID 2096 wrote to memory of 4048	2096	assistant_installer.exe	105
PID 2096 wrote to memory of 4048	2096	assistant_installer.exe	105
PID 2028 wrote to memory of 1272	2028	setup.exe	118
PID 2028 wrote to memory of 1272	2028	setup.exe	118
PID 2028 wrote to memory of 1272	2028	setup.exe	118
PID 1272 wrote to memory of 3980	1272	setup.exe	119
PID 1272 wrote to memory of 3980	1272	setup.exe	119
PID 1272 wrote to memory of 3980	1272	setup.exe	119

C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe
"C:\Users\Admin\AppData\Local\Temp\ExcellentPc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\Excellent.exe
  "C:\Users\Admin\AppData\Local\Temp\Excellent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe
  "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe --server-tracking-blob=MzdkM2I5YTZlZTlkZDJjYjljNDk2YjEwMDk1NDQ1NjZhZWJjMzNhYTRhNjRjYzA0YjY0OWRiMDc1YjM3YmQ3NTp7ImNvdW50cnkiOiJSVSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9SVV9IVlJfOTM5Nl9XRUJfMzk4NSZlZGl0aW9uPXN0ZC0yJnV0bV9pZD1kMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmdldCUyRm9wZXJhLWd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1JTI2dXRtX2lkJTNEZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAlMjZlZGl0aW9uJTNEc3RkLTImdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZnZXQlMkZvcGVyYS1neCZ1dG1faWQ9ZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAmZGxfdG9rZW49NDA4MjU4NjMiLCJ0aW1lc3RhbXAiOiIxNzQwNjY0ODM5LjY1MDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMyLjAuMC4wIFlhQnJvd3Nlci8yNS4yLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1IiwiaWQiOiJkMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCIsImxhc3RwYWdlIjoib3BlcmEuY29tL2dldC9vcGVyYS1neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiJiZWFiZjE2NC05MzQ3LTRjOGYtYTA4Yy03M2M0Yzc0ZGExZTEifQ==
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=116.0.5366.148 --initial-client-data=0x32c,0x330,0x334,0x300,0x33c,0x748d30ac,0x748d30b8,0x748d30c4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x10a4f48,0x10a4f58,0x10a4f64
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=2028 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20250228153744" --session-guid=b0e5d247-1238-4649-9b40-663e198cd957 --server-tracking-blob=YTYwY2RmNTQ4ODAwNTNhYmY4ZjIxYjRmNzI1MmI2NDg4MjI5ZmVhYWM5ZWZiNjEyOWZmZDE2NGQyMzc1MzhhMTp7ImNvdW50cnkiOiJSVSIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9SVV9IVlJfOTM5Nl9XRUJfMzk4NSZlZGl0aW9uPXN0ZC0yJnV0bV9pZD1kMGQyZjJmNjkzNGM0Y2ZkOTY2N2Q4ZTEwNjMyM2VmMCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmdldCUyRm9wZXJhLWd4JTNGdXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX1JVX0hWUl85Mzk2X1dFQl8zOTg1JTI2dXRtX2lkJTNEZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAlMjZlZGl0aW9uJTNEc3RkLTImdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZnZXQlMkZvcGVyYS1neCZ1dG1faWQ9ZDBkMmYyZjY5MzRjNGNmZDk2NjdkOGUxMDYzMjNlZjAmZGxfdG9rZW49NDA4MjU4NjMiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3NDA2NjQ4MzkuNjUwNCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzIuMC4wLjAgWWFCcm93c2VyLzI1LjIuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fUlVfSFZSXzkzOTZfV0VCXzM5ODUiLCJpZCI6ImQwZDJmMmY2OTM0YzRjZmQ5NjY3ZDhlMTA2MzIzZWYwIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vZ2V0L29wZXJhLWd4IiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImJlYWJmMTY0LTkzNDctNGM4Zi1hMDhjLTczYzRjNzRkYTFlMSJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=940A000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=116.0.5366.148 --initial-client-data=0x338,0x33c,0x340,0x304,0x344,0x71f430ac,0x71f430b8,0x71f430c4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202502281537441\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS485A4087\setup.exe

Filesize
7.3MB

MD5
ccba9deda7c10dd73610e4e941876488

SHA1
f297c723ea2e3a66036277bf947aa0fe2eb88107

SHA256
0541d2511b1983b854b1ea51466c48b9022e68bf244de91317b9df0ccf32e6d3

SHA512
79451a43e2e9ad323c99291e91ddf0fd2ef0392934e4204a1ef1e765c20a02ddb9396c179a9a3bd1cf6a42b00b7b2ba18747a0683603f3bab4ee356dc1d31145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excellent.exe

Filesize
74KB

MD5
adea56183989cfa7f4024f91b50529e3

SHA1
1c8fbb32af7914d6c80b753e452313c07d9f5d94

SHA256
64817bd012bc473d52eb38eb9e32f1169f16d784bddcd7070be0ba2c64bb0137

SHA512
d0be77d5822d664a6cc2a73c2425cbb34c1c901d517d47734016be46403bf360f08c84d679d14f3fe92d96a37e293a714277e9aec440e3006dfba28fc66648e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (1).exe

Filesize
3.8MB

MD5
2935b63c6a377520c4ef0217a3d1a3ed

SHA1
e04efa1d2d6186e9a881895e4c2238c9844eea96

SHA256
7b966799aa2b2aa182016de05942391f1ce5877d151dc3a657424ccab9e7457e

SHA512
a9858a5d684167b8ce37469ba1f4d383b9d3a1cff6d2839e9c6a3fe0a793e48392b6fbb64854e97575ba430800accecd0f25a4528a665ad38fe31a632611b390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2502281537422032028.dll

Filesize
6.8MB

MD5
d9e515822bdbf7ecfe5dacb7b8b125a1

SHA1
fcfe8bb7087c258098d4fce427e17d6457b7523c

SHA256
3d0d66d26aaca32ec51a8785b4bfefd6eabe0c3d1f2f8def56607cb488d74811

SHA512
2b6b08aeef44543ffb277ae27626f4329d38cb581a9af2a084a3b137de098d10cb07090f843b0a1a8201d5a26915aa6db1a30cd71da4cf4cac73aee124f314bc

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
9c93bd5164db99cfb374bf93e80753b8

SHA1
dd34c307529c1f92040562bd11d4c490fe3068cd

SHA256
12e1513a4d7dd16b593b206249a936a8d58fece74b92d96282c26f6355020124

SHA512
cad135dd1b8c897297af0f68b05404f21fa928b9512f0f0b23b98f8b3a2e238fe4e78d580cec823cbdc86343014ff49c8a66e5b856fee89aa63b2df704be1dc4

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
44f5aad9da77eb193a464a990101e9c1

SHA1
579fd4153acc42e923e812c9eea30682e3ecc715

SHA256
a363b90ced22de782143c13a9a7a433da0179dd4eb7a5262173317bbd664e9fd

SHA512
49726b27640de2f79feb4b307c61589bc105b8bd6e8454a07d944c786077b12a3199f44b38348862025fdb6527fab6c05103a15d1f68d62a1e3857f28812791f

Download Submit
memory/116-70-0x00007FFEB2BE0000-0x00007FFEB36A1000-memory.dmp

Filesize
10.8MB

Download
memory/116-93-0x00007FFEB2BE0000-0x00007FFEB36A1000-memory.dmp

Filesize
10.8MB

Download
memory/116-17-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/116-14-0x00007FFEB2BE3000-0x00007FFEB2BE5000-memory.dmp

Filesize
8KB

Download
memory/116-132-0x00007FFEB2BE0000-0x00007FFEB36A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads