Analysis
- max time kernel: 104s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 17:56
Static task
- static1

Behavioral tasks (sample / resource)
- behavioral1: JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe / win10v2004-20250502-en
- behavioral2: JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe / win11-20250610-en
- behavioral3: $PLUGINSDIR/AccessControl.dll / win10v2004-20250619-en
- behavioral4: $PLUGINSDIR/AccessControl.dll / win11-20250619-en
- behavioral5: $PLUGINSDIR/BrowserInfo.dll / win10v2004-20250610-en
- behavioral6: $PLUGINSDIR/BrowserInfo.dll / win11-20250610-en
- behavioral7: $PLUGINSDIR/KillProcDLL.dll / win10v2004-20250619-en
- behavioral8: $PLUGINSDIR/KillProcDLL.dll / win11-20250619-en
- behavioral9: $PLUGINSDIR/LangDLL.dll / win10v2004-20250502-en
- behavioral10: $PLUGINSDIR/LangDLL.dll / win11-20250610-en
- behavioral11: $PLUGINSDIR/NSISpcre.dll / win10v2004-20250619-en
- behavioral12: $PLUGINSDIR/NSISpcre.dll / win11-20250619-en
- behavioral13: $PLUGINSDIR/System.dll / win10v2004-20250619-en
- behavioral14: $PLUGINSDIR/System.dll / win11-20250610-en
- behavioral15: $PLUGINSDIR/inetc.dll / win10v2004-20250502-en
- behavioral16: $PLUGINSDIR/inetc.dll / win11-20250610-en
- behavioral17: $PLUGINSDIR/nsDialogs.dll / win10v2004-20250610-en
- behavioral18: $PLUGINSDIR/nsDialogs.dll / win11-20250619-en
- behavioral19: $PLUGINSDIR/nsUnzip.dll / win10v2004-20250502-en
- behavioral20: $PLUGINSDIR/nsUnzip.dll / win11-20250610-en
- behavioral21: $TEMP/msvcp100.dll / win10v2004-20250610-en
- behavioral22: $TEMP/msvcp100.dll / win11-20250619-en
- behavioral23: $TEMP/msvcr100.dll / win10v2004-20250610-en
- behavioral24: $TEMP/msvcr100.dll / win11-20250619-en
- behavioral25: $TEMP/op.exe / win10v2004-20250610-en
- behavioral26: $TEMP/op.exe / win11-20250619-en
- behavioral27: $PLUGINSDIR/inetc.dll / win10v2004-20250502-en
- behavioral28: $PLUGINSDIR/inetc.dll / win11-20250619-en
- behavioral29: $WINDIR/System32/msvcp100.dll / win10v2004-20250610-en
- behavioral30: $WINDIR/System32/msvcp100.dll / win11-20250610-en
- behavioral31: $WINDIR/System32/msvcr100.dll / win10v2004-20250610-en
- behavioral32: $WINDIR/System32/msvcr100.dll / win11-20250610-en
General
- Target: $TEMP/op.exe
- Size: 140KB
- MD5: 914343b1c1b811097a1e3d7ccfae2de5
- SHA1: b55395baafd8fd2e1e1fdbc9af0ac99d02d1dc5a
- SHA256: 11522bff74b3badb21250c85358252f450080ae87a94eb92760eed31160d5962
- SHA512: 81fc0152f9799dae089f696e63ec322d583a363276a383b4afffd19d385528e0e3221a966487d9a8d6b572e8cd24672a2f589ff23074e3b6d3b60d79d609ba31
- SSDEEP: 3072:jkszWOITsEL50jl7yVCOMaFLB+zzYTih+xs6HH6kr5LGErzn7NtSI:fzZZhOM4B+z0Tih+RH9NLG0rnh
Malware Config
Signatures
Downloads MZ/PE file (2 IoCs)
flow  pid   Process
55    4940  setup.exe
10    5768  op.exe
Executes dropped EXE (9 IoCs)
pid   Process
4964  opera.exe
4940  setup.exe
5936  setup.exe
1256  setup.exe
5288  setup.exe
2252  setup.exe
3128  Assistant_118.0.5461.41_Setup.exe_sfx.exe
2992  assistant_installer.exe
3280  assistant_installer.exe
Loads dropped DLL (11 IoCs)
pid   Process
5768  op.exe
5768  op.exe
4940  setup.exe
5936  setup.exe
1256  setup.exe
5288  setup.exe
2252  setup.exe
2992  assistant_installer.exe
2992  assistant_installer.exe
3280  assistant_installer.exe
3280  assistant_installer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\D:  setup.exe
File opened (read-only)  \??\F:  setup.exe
File opened (read-only)  \??\D:  setup.exe
File opened (read-only)  \??\F:  setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  op.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  opera.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Assistant_118.0.5461.41_Setup.exe_sfx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  assistant_installer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  assistant_installer.exe
Modifies system certificate store (2 TTPs, 5 IoCs)
description       ioc                                                                                                              Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4       setup.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob  setup.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob  setup.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob  setup.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob  setup.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description                       pid   Process                  procid_target
PID 5768 wrote to memory of 4964  5768  op.exe                   94
PID 5768 wrote to memory of 4964  5768  op.exe                   94
PID 5768 wrote to memory of 4964  5768  op.exe                   94
PID 4964 wrote to memory of 4940  4964  opera.exe                96
PID 4964 wrote to memory of 4940  4964  opera.exe                96
PID 4940 wrote to memory of 5936  4940  setup.exe                98
PID 4940 wrote to memory of 5936  4940  setup.exe                98
PID 4940 wrote to memory of 1256  4940  setup.exe                99
PID 4940 wrote to memory of 1256  4940  setup.exe                99
PID 4940 wrote to memory of 5288  4940  setup.exe                100
PID 4940 wrote to memory of 5288  4940  setup.exe                100
PID 5288 wrote to memory of 2252  5288  setup.exe                101
PID 5288 wrote to memory of 2252  5288  setup.exe                101
PID 4940 wrote to memory of 3128  4940  setup.exe                105
PID 4940 wrote to memory of 3128  4940  setup.exe                105
PID 4940 wrote to memory of 3128  4940  setup.exe                105
PID 4940 wrote to memory of 2992  4940  setup.exe                106
PID 4940 wrote to memory of 2992  4940  setup.exe                106
PID 4940 wrote to memory of 2992  4940  setup.exe                106
PID 2992 wrote to memory of 3280  2992  assistant_installer.exe  107
PID 2992 wrote to memory of 3280  2992  assistant_installer.exe  107
PID 2992 wrote to memory of 3280  2992  assistant_installer.exe  107
Processes (process tree; [n] is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5768

    [2] C:\Users\Admin\AppData\Local\Temp\opera.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\opera.exe" -gm2 /silent
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4964

        [3] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe -gm2 /silent --server-tracking-blob=MDBjNzg3MmIxZjY0MmZhNmJiYzFhMTM5YWU3Y2MzYmU4ODNkZjZjMWRhNzE1MjBkMWJkYzZjODJjMTUzZWUxNTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1wYiZ1dG1fc291cmNlPWFsdyZ1dG1fY2FtcGFpZ249TklfY2FtcGFpZ24iLCJ0aW1lc3RhbXAiOiIxNzUxNjUxODI4LjQyNTQiLCJ1c2VyYWdlbnQiOiJOU0lTX0luZXRjIChNb3ppbGxhKSIsInV0bSI6eyJjYW1wYWlnbiI6Ik5JX2NhbXBhaWduIiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJhbHcifSwidXVpZCI6IjNhNWJkMzA2LWZlZTctNGI2NS1iY2I0LTk4YzZlMzMzZTYwNyJ9
            - Downloads MZ/PE file
            - Executes dropped EXE
            - Loads dropped DLL
            - Enumerates connected drives
            - Modifies system certificate store
            - Suspicious use of WriteProcessMemory
            PID: 4940

            [4] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffbed70acc8,0x7ffbed70acd4,0x7ffbed70ace0
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 5936

            [4] C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe" --version
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 1256

            [4] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_20250704175710" --session-guid=d7576328-f098-4910-afc7-df27f531b217 --server-tracking-blob="[...] " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2407000000000000
                - Executes dropped EXE
                - Loads dropped DLL
                - Enumerates connected drives
                - Suspicious use of WriteProcessMemory
                PID: 5288

                [5] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffbec69acc8,0x7ffbec69acd4,0x7ffbec69ace0
                    - Executes dropped EXE
                    - Loads dropped DLL
                    PID: 2252

            [4] C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 3128

            [4] C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --version
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 2992

                [5] C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xcc103c,0xcc1048,0xcc1054
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - System Location Discovery: System Language Discovery
                    PID: 3280
Network
MITRE ATT&CK Enterprise v16
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads (dropped or cached files, with size)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 (471B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 (412B)
- C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe (2.5MB)
- C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe (2.1MB)
- C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbgcore.dll (166KB)
- C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbghelp.dll (1.7MB)