Malware Analysis Report

2025-08-05 14:54

Sample ID 250704-wjh5faw1ds
Target JaffaCakes118_1c752cb2457cc6ae008107a07b440e38
SHA256 62626c0f30cbb661ed1a8293b886783febd64bafc163536ff3f16b9ab62ff3b9
Tags
discovery defense_evasion spyware stealer trojan
score
8/10

Analysis Overview

score
8/10

SHA256

62626c0f30cbb661ed1a8293b886783febd64bafc163536ff3f16b9ab62ff3b9

Threat Level: Likely malicious

The file JaffaCakes118_1c752cb2457cc6ae008107a07b440e38 was found to be: Likely malicious.

Malicious Activity Summary

discovery defense_evasion spyware stealer trojan

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 packs.partner.fms.services.alawar.com udp
US 8.8.8.8:53 ga.wrapper.services.alawar.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\LangDLL.dll

MD5 410a586735f45164c86bda363ad8446f
SHA1 a68d18a8c72ffaa8f8d9ed9f76ea9b0ed397821b
SHA256 b15b1fc88d1b56088b2d3738d76772a91fa186a316a3e0a154358820d0fb9005
SHA512 d12083f67df132b2be57c202601a0cf82dba4c234910e780d2723aac14ae68407b824405b04737b55104bc97750550a3271a944d647661b067ce134075e6cc2a

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\System.dll

MD5 959ea64598b9a3e494c00e8fa793be7e
SHA1 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\NSISpcre.dll

MD5 414124231a0e8a71a820b2c39513c7d7
SHA1 8b08717c2c6305a327598f663b17cc5cd60eaefa
SHA256 1be9ee2ae3b05441f08987d4ffc4dd8219b020c4c44b6df023c3c259d1da305b
SHA512 eab202f56aafb1b4330621bbbdafafc55330ed35216e77c55e882d9057d11e4703eddb8815750ea7c80de7309b0bf12e5ef1a9eb7ddf7624b1b268170a50f2de

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\inetc.dll

MD5 34aafdcc9ba1a2acc6d6fe9ca347ac7b
SHA1 23a4f3ea483d8643d427b29ed92af8253c0d3e6b
SHA256 baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd
SHA512 1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\nsUnzip.dll

MD5 bde32fc5dcc9d98520c95fc23fa7bc92
SHA1 e81891aa3f6e500c33474c21ff324083cbb50fcd
SHA256 1fa8f2dfbe9fb83c0660e25e193e5aa09e1d4cd4af4f62e056b2930eb595c4c9
SHA512 99b8d5671fe0a6d6b3a660fd94cef91a69f20863bff2faaae686a673c15789d3d52dbc44c9699fa90f13f4af7d1bfb40c6449d73f608d9c6b5c1fffbf29383b3

memory/5548-34-0x0000000003E10000-0x0000000003E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj83A9.tmp\nsDialogs.dll

MD5 f7b92b78f1a00a872c8a38f40afa7d65
SHA1 872522498f69ad49270190c74cf3af28862057f2
SHA256 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e
SHA512 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Analysis: behavioral12

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

103s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6132 wrote to memory of 3784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6132 wrote to memory of 3784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6132 wrote to memory of 3784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 448

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 452

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

103s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 468

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3664 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3664 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 6068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 668 wrote to memory of 6068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 668 wrote to memory of 6068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6068 -ip 6068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 2364 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 604

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 488

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

101s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3080 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3080 wrote to memory of 4772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 452

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

39s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5508 wrote to memory of 6052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5508 wrote to memory of 6052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5508 wrote to memory of 6052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6052 -ip 6052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 460

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 5072 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 5072 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 5072 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 600

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 4712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1468 wrote to memory of 4712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1468 wrote to memory of 4712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 548

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5656 wrote to memory of 5164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5656 wrote to memory of 5164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5656 wrote to memory of 5164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5164 -ip 5164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

101s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3160 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3160 wrote to memory of 1552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 448

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A
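Every rundll32 run above (behavioral12 through behavioral13) shows the same three signatures: the 64-bit C:\Windows\system32\rundll32.exe writes into a C:\Windows\SysWOW64\rundll32.exe child carrying the identical command line, the child opens the NLS\Language key, and WerFault.exe is started with -p set to the child's PID. That is the shape of 64-bit rundll32 handing a 32-bit DLL to its WoW64 counterpart, after which an NSIS plugin DLL (the files live under $PLUGINSDIR) invoked by ordinal outside the NSIS host faults. On its own it is not evidence of process injection. The following is an added triage example, not part of the sandbox report: it reads rows in the report's own "PID x wrote to memory of y" layout, confirms the two rundll32 entries in the Processes list share a command line and that the written-to PID is the one WerFault handled, and labels the pair accordingly. The regexes assume the column layout shown above, the Verdict labels are my own, and the explorer.exe row at the end is a constructed counter-example.

```python
"""Triage 'Suspicious use of WriteProcessMemory' rows from a sandbox report.

A 64-bit rundll32.exe re-launches the SysWOW64 rundll32.exe with the same
command line when the DLL it was given is 32-bit; the parent's writes into
the freshly created child are the normal process-creation handoff, and a
plugin DLL called outside its host then crashes, so WerFault follows.
"""
import re
from dataclasses import dataclass

# Row layout used in the report's WriteProcessMemory tables (assumption).
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# '-p <pid>' in a WerFault command line names the crashed process.
WER_RE = re.compile(r"WerFault\.exe .*-p (?P<pid>\d+)")
SYS32_RUNDLL = r"c:\windows\system32\rundll32.exe"
WOW64_RUNDLL = r"c:\windows\syswow64\rundll32.exe"


@dataclass
class Verdict:
    src_pid: int
    dst_pid: int
    label: str      # "benign_handoff" | "investigate" | "review"
    reason: str


def _crashed_pids(werfault_cmdlines):
    pids = set()
    for cmd in werfault_cmdlines:
        m = WER_RE.search(cmd)
        if m:
            pids.add(int(m.group("pid")))
    return pids


def _rundll32_cmdlines_agree(processes):
    """True when the System32 and SysWOW64 rundll32 entries in the Processes
    list carry the same DLL argument.  The report lists no PIDs there, so
    this keys on image path."""
    by_img = {img.lower(): cmd for img, cmd in processes}
    a, b = by_img.get(SYS32_RUNDLL), by_img.get(WOW64_RUNDLL)
    return a is not None and a == b


def triage_wpm_rows(sig_rows, processes, werfault_cmdlines):
    """One Verdict per distinct (writer, target) pair in the signature rows."""
    crashed = _crashed_pids(werfault_cmdlines)
    handoff_ok = _rundll32_cmdlines_agree(processes)
    seen, verdicts = set(), []
    for row in sig_rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        if (src, dst) in seen:          # the report emits one row per write
            continue
        seen.add((src, dst))
        src_img, dst_img = m.group("src_img").lower(), m.group("dst_img").lower()
        if src_img == SYS32_RUNDLL and dst_img == WOW64_RUNDLL and handoff_ok:
            reason = "64-bit rundll32 re-launching its 32-bit twin with the same command line"
            if dst in crashed:
                reason += "; the child then crashed (WerFault -p matches)"
            verdicts.append(Verdict(src, dst, "benign_handoff", reason))
        elif src_img.endswith("rundll32.exe"):
            verdicts.append(Verdict(src, dst, "investigate", f"rundll32 wrote into {dst_img}"))
        else:
            verdicts.append(Verdict(src, dst, "review", f"{src_img} wrote into {dst_img}"))
    return verdicts


# Rows, process list and WerFault lines copied from the behavioral12 section above.
BEHAVIORAL12_WPM_ROWS = [
    r"PID 6132 wrote to memory of 3784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3
BEHAVIORAL12_PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISpcre.dll,#1"),
]
BEHAVIORAL12_WERFAULT = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3784 -ip 3784",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 448",
]
# Constructed counter-example, not from the report: rundll32 writing into explorer.exe.
CONSTRUCTED_INJECTION_ROW = (
    r"PID 4100 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe"
)
```

Run `triage_wpm_rows(BEHAVIORAL12_WPM_ROWS, BEHAVIORAL12_PROCESSES, BEHAVIORAL12_WERFAULT)` to get a single benign_handoff verdict for 6132 to 3784; feeding CONSTRUCTED_INJECTION_ROW instead yields "investigate". The command-line agreement check matters: two rundll32 instances with different DLL arguments are not a WoW64 relaunch and are kept for review.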

Analysis: behavioral25

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\opera.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5768 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 5768 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 5768 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 4964 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\opera.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4964 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\opera.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4940 wrote to memory of 5936 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4940 wrote to memory of 5936 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4940 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe
PID 4940 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe
PID 4940 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4940 wrote to memory of 5288 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 5288 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 5288 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe
PID 4940 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 4940 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 4940 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 4940 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 4940 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 4940 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 2992 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 2992 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 2992 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"

C:\Users\Admin\AppData\Local\Temp\opera.exe

"C:\Users\Admin\AppData\Local\Temp\opera.exe" -gm2 /silent

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe -gm2 /silent --server-tracking-blob=[blob omitted]

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffbed70acc8,0x7ffbed70acd4,0x7ffbed70ace0

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_20250704175710" --session-guid=d7576328-f098-4910-afc7-df27f531b217 --server-tracking-blob="ZjEyMGVhNGEzNTcwNWNmMDQ2M2VjODZiNDE5YzFmNzFlNGEyMWRmYjk2YTE4NzYzY2E5MzNlNjE0NjkxNGUzMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1wYiZ1dG1fc291cmNlPWFsdyZ1dG1fY2FtcGFpZ249TklfY2FtcGFpZ24iLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3NTE2NTE4MjguNDI1NCIsInVzZXJhZ2VudCI6Ik5TSVNfSW5ldGMgKE1vemlsbGEpIiwidXRtIjp7ImNhbXBhaWduIjoiTklfY2FtcGFpZ24iLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6ImFsdyJ9LCJ1dWlkIjoiM2E1YmQzMDYtZmVlNy00YjY1LWJjYjQtOThjNmUzMzNlNjA3In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2407000000000000

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x260,0x264,0x274,0x23c,0x278,0x7ffbec69acc8,0x7ffbec69acd4,0x7ffbec69ace0

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xcc103c,0xcc1048,0xcc1054

Network

Country Destination Domain Proto
US 8.8.8.8:53 ga.wrapper.services.alawar.com udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.opera.com udp
NL 82.145.216.19:443 autoupdate.opera.com tcp
NL 82.145.216.19:443 autoupdate.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 api.config.opr.gg udp
NL 82.145.216.15:443 features.opera-api2.com tcp
US 104.18.24.17:443 api.config.opr.gg tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.117:443 download.opera.com tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nssB21B.tmp\inetc.dll

MD5 34aafdcc9ba1a2acc6d6fe9ca347ac7b
SHA1 23a4f3ea483d8643d427b29ed92af8253c0d3e6b
SHA256 baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd
SHA512 1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

C:\Users\Admin\AppData\Local\Temp\opera.exe

MD5 32ab89ac4378f082af8c831586254701
SHA1 e79bbdd9505eb7708e346ab0fa2dcc132dcd5788
SHA256 24777a723a1fb79a51bf6a635d7bbca38bc25cbfdc9372892fca2af174356f96
SHA512 3c7e0655c36f065bec390218b27063b29599921de82b656a646f94d3f2969852898a4e0b588eaf9ee5079d5be7933c03ac63bf44857b0d5df7780e6b4c076cd1

C:\Users\Admin\AppData\Local\Temp\7zS463CC3F7\setup.exe

MD5 5aa3b05f75e59cef0ad11c2a91a00c4f
SHA1 ff061125a854ec3e3ec81e0bdfb6dfba9591ee88
SHA256 3e6a2e38a7efdd97b9e1d11eaa8ae7dfc38d53246c067553f8e349708dd4c18d
SHA512 92c9a97c08aac5e862946f54c429cf3e5341e09a0c26f91caab74d9e5598aecf35c93fafce56381c0c5d05ab5b34ec9808454a536dd19f20336ff0641d7298bf

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2507041757100874940.dll

MD5 d2607250e2382325859c6a3abe7fdbe1
SHA1 5f9fc893fe2fb45970980d501b47e0b5e206b3b4
SHA256 f358970157c32b572f69215adb47d0b4d3ca2ef8c81eaea7d4b4a3a34bd6db5c
SHA512 f47ae1737e140278d495810d49e9ac7d3735167683fb3455b161ca158536903d0266fcffc9979d7b8c610a53f5d07a9b554f56f97f76451c2a34834a9cd24be0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 75e48cbe4fb10be793d947d415d1cd8a
SHA1 02bf3664f1f3dab5fff8138f272f27a1ffa9c69d
SHA256 d2df970c30a798d2eaa1d45c8ca63c54e81b983f70198fac204e5c5e9032b0de
SHA512 5ebaa34b9132e93713e13d4bebb629b2859d61307bafd981ea41b7fe04346e98d5c74d433eb872db528d846c4507aace117bcd019312b675bd0ba8b42d117360

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 d02d918d559395e050ff11b1f82d3465
SHA1 20d8a0ccf10ba74d55bde504986ce13ab72c45b3
SHA256 02f5a9c2708d5b4d37f8c1fb5bfb05453b19fe9fe782e9a8ffb5eb34cf3a3dc0
SHA512 722f7c477c7049207e8360a0b3197546b823804a076bdf26fe939ff9ade9686daeafe2f99e514e13dca3ad5c41bae39a5377476e89bbd6cee3a5a3d56651b7e5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 6f25bc28daf2fbf9644a6f5df874f89d
SHA1 df74f805cdfe97d9c1efb38353edfbc576569eeb
SHA256 3faaf0ba2a22bee2f5d0dbb67fbea4cd48573ab027145917c21aee906607089c
SHA512 c42b06479cac848e2e36c2519c6def1feebbcdca0109498b5e194afa703e0619546547d235d3c0b014219428b61fe05b5e21acd52db3842fa692079a5e0e725a

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe

MD5 4125c9a1d68d6f095316d878dce498c3
SHA1 d5a9de9d1d21dfbc6de97f2e7c34629f165f139a
SHA256 1faa84af9c9ee61d4550dc8a279434c3f0c9ebea44e6af27c5743af7c59e9ec3
SHA512 5dedc6658d786e572438a39a6aa2845881b0469620d2ffa1c228a2fed5b98aa25070bf9e263c25859519427371f7aff7c43705148e11c3f0b54832015813e1f9

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

MD5 4bf8672d6eecf868b0a0c2d683c35c96
SHA1 226f1f9fc47cc31ac1d68645a096dce1b9af7282
SHA256 18f66585e1a7ade0b7cbcfb85166b6ed88c07af404dc0cf799254d27bff35b30
SHA512 d54c2a95452f8576e8ee3d8baa9e50f493ec8786942ecc531238c91269d77454d7e6834bc06a486b75dd0fca5714a501d7a28873a383570096915c7561507dce

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbghelp.dll

MD5 5e88bb8a68114b6250413ea5b4bc3067
SHA1 9e595e9dfc5530afa875efa0f22f52bfc6eceb53
SHA256 bc3e01917c3973b4c3f6c1bae281db643fdea6d7c806fb9c404d714ad34036db
SHA512 2fb9ebbd204710f05a07dd9176deffc4898b1058b9e1462da6737520148955fe836de06105832700dc8d44759c61f7757a1907465a72b6b78a809de96a253da8

C:\Users\Admin\AppData\Local\Temp\.opera\78869187-278b-47ac-949a-59ae38fa9144 Opera Installer Temp\opera_package_202507041757101\assistant\dbgcore.dll

MD5 2cf4691a651e3afc585f5227865e7dab
SHA1 3e6508820092c2553b36c32c638b64255c7d3a56
SHA256 fd4bbed8ee00d7f822358977dbdd217d9a9b6520c7c1a09da5ebf423e80ccbd6
SHA512 4d56799803092847e1600e5fff1121014419240e19b87f1a24f23295983bcd1fd171e87405d2f9aa2e8a3045b9f0f94965779c752856f0653d2516dcb41915c2

Analysis: behavioral29

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

103s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5144 wrote to memory of 5552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5144 wrote to memory of 5552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5144 wrote to memory of 5552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5552 -ip 5552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5420 wrote to memory of 4004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5420 wrote to memory of 4004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5420 wrote to memory of 4004 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4004 -ip 4004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 600

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

103s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2624 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 480

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 544
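
The rundll32 runs on this page (behavioral17 here, and the inetc.dll, BrowserInfo.dll, System.dll, nsUnzip.dll and msvcr100.dll detonations elsewhere on the page) all show the same shape: the 64-bit C:\Windows\system32\rundll32.exe is handed a 32-bit DLL, re-executes the SysWOW64 copy with the identical command line, and the "wrote to memory of" rows are that parent setting up its own freshly created child; WerFault's -p argument then names the child that faulted. $PLUGINSDIR is the NSIS installer's plugin directory, and inetc, nsDialogs, System and nsUnzip are standard NSIS plugins whose exported functions expect the NSIS argument set (parent window, string size, variables block, stack pointer), so calling export #1 through rundll32 with rundll32's own arguments faults. The following triage script is an added example, not part of the sandbox report or of any tool it names: it parses the row formats as they appear above (regexes are the example's own assumption about the flat text; rows whose image paths contain spaces, such as the Opera Installer Temp paths, need the structured export instead), separates the WoW64 relaunch case from a write into a different image, links WerFault targets back to the written PIDs, and flags rundll32 targets that sit under a literal NSIS variable name. The sample rows are copied from this page and assembled into a constructed test set.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Row shapes as they appear in this report; the regexes are this example's own.
# Rows whose image paths contain spaces (e.g. "... Opera Installer Temp\setup.exe")
# do not match WPM_RE and need the structured export instead of the flat text.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
RUNDLL_RE = re.compile(r"^rundll32\.exe\s+(?P<dll>.+?),(?P<export>#?\w+)\s*$", re.I)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")
# NSIS variables that the extractor left behind as literal folder names under Temp.
NSIS_VARS = {"$PLUGINSDIR", "$TEMP", "$WINDIR", "$SYSDIR", "$INSTDIR"}


def parse_wpm_rows(text):
    """Parse 'PID A wrote to memory of B <indicator> <src image> <dst image>' rows."""
    rows = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            rows.append({"src_pid": int(m[1]), "dst_pid": int(m[2]), "src": m[3], "dst": m[4]})
    return rows


def classify_write(src_image, dst_image):
    """system32\\X.exe writing into SysWOW64\\X.exe is the normal WoW64 relaunch of a
    32-bit DLL host; a write into a different image is the case worth chasing."""
    s, d = PureWindowsPath(src_image), PureWindowsPath(dst_image)
    same_name = s.name.lower() == d.name.lower()
    wow64 = s.parent.name.lower() == "system32" and d.parent.name.lower() == "syswow64"
    if same_name and wow64:
        return "wow64-relaunch"
    return "self-image-write" if same_name else "cross-image-write"


def werfault_target_pid(cmdline):
    """PID named by WerFault's -p switch, or None for any other command line."""
    if "werfault.exe" not in cmdline.lower():
        return None
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m[1]) if m else None


def rundll32_target(cmdline):
    """(dll path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline.strip())
    return (m["dll"], m["export"]) if m else None


def nsis_dirs(path):
    """NSIS variable names that survived as literal directory components."""
    return [p for p in PureWindowsPath(path).parts if p.upper() in NSIS_VARS]


def triage(wpm_text, cmdlines):
    """Correlate WriteProcessMemory rows, WerFault crash targets and rundll32 targets."""
    pairs = Counter((w["src_pid"], w["dst_pid"], w["src"], w["dst"])
                    for w in parse_wpm_rows(wpm_text))
    crashed = {p for p in map(werfault_target_pid, cmdlines) if p is not None}
    findings = [
        {"src_pid": sp, "dst_pid": dp, "writes": n, "kind": classify_write(src, dst),
         "target_crashed": dp in crashed}
        for (sp, dp, src, dst), n in pairs.items()
    ]
    plugin_calls = set()
    for c in cmdlines:
        t = rundll32_target(c)
        if t and nsis_dirs(t[0]):
            plugin_calls.add(t)
    return {"findings": findings, "crashed_pids": crashed,
            "nsis_plugin_calls": sorted(plugin_calls)}


# Constructed test set: rows copied from the behavioral17 section above, plus the
# $WINDIR command line from behavioral31.
SAMPLE_WPM = r"""
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2144 wrote to memory of 4584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 544",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_WPM, SAMPLE_CMDLINES).items():
        print(key, value)
```

On this page's rows the only finding is a single 2144 -> 4584 pair classified as wow64-relaunch whose target later crashed, which is the expected outcome of detonating an extracted NSIS plugin on its own; the op.exe -> opera.exe and setup.exe -> setup.exe writes in behavioral26 classify as cross-image-write and self-image-write respectively, which is where a reviewer would spend time instead.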

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

100s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\opera.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c
7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7
b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 3688 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 3688 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe C:\Users\Admin\AppData\Local\Temp\opera.exe
PID 3384 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\opera.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 3384 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\opera.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 568 wrote to memory of 5580 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 568 wrote to memory of 5580 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 568 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe
PID 568 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe
PID 568 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 568 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 5016 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 5016 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe
PID 568 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 568 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 568 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe
PID 568 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 568 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 568 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 4956 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 4956 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe
PID 4956 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\op.exe"

C:\Users\Admin\AppData\Local\Temp\opera.exe

"C:\Users\Admin\AppData\Local\Temp\opera.exe" -gm2 /silent

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe -gm2 /silent --server-tracking-blob=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

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ffc195aacc8,0x7ffc195aacd4,0x7ffc195aace0

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=568 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_20250704175710" --session-guid=cfa7001f-ae18-48ff-81cb-4dde25e7a0c0 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8808000000000000

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=120.0.5543.38 --initial-client-data=0x290,0x294,0x298,0x260,0x29c,0x7ffc1880acc8,0x7ffc1880acd4,0x7ffc1880ace0

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\Assistant_118.0.5461.41_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=118.0.5461.41 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7c103c,0x7c1048,0x7c1054

Network

Country Destination Domain Proto
US 8.8.8.8:53 ga.wrapper.services.alawar.com udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.opera.com tcp
NL 82.145.216.19:443 autoupdate.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.59:443 features.opera-api2.com tcp
US 104.18.24.17:443 api.config.opr.gg tcp
GB 142.250.180.3:80 c.pki.goog tcp
NL 82.145.216.48:443 download.opera.com tcp
US 104.18.10.89:443 download5.operacdn.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsz7928.tmp\inetc.dll

MD5 34aafdcc9ba1a2acc6d6fe9ca347ac7b
SHA1 23a4f3ea483d8643d427b29ed92af8253c0d3e6b
SHA256 baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd
SHA512 1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

C:\Users\Admin\AppData\Local\Temp\opera.exe

MD5 b629471987c90230fdd101fbc3f9dec1
SHA1 1d7fc085e9f6b83cb804548e9a48664bc1262335
SHA256 2c370e57cb836125d6fe0c7d1475c0a056d514489e37ca276d277dad5ca5a3f6
SHA512 3d87098bce72dc1f88e6a376f3dfaa6ad4a954c5a4f34768e8f089e0399230a039f0fed261635e60c6274956f0727d8e704a7fb9c5be95baf5d3d01e1e14609a

C:\Users\Admin\AppData\Local\Temp\7zS83DA1FB7\setup.exe

MD5 5aa3b05f75e59cef0ad11c2a91a00c4f
SHA1 ff061125a854ec3e3ec81e0bdfb6dfba9591ee88
SHA256 3e6a2e38a7efdd97b9e1d11eaa8ae7dfc38d53246c067553f8e349708dd4c18d
SHA512 92c9a97c08aac5e862946f54c429cf3e5341e09a0c26f91caab74d9e5598aecf35c93fafce56381c0c5d05ab5b34ec9808454a536dd19f20336ff0641d7298bf

C:\Users\Admin\AppData\Local\Temp\Opera_installer_250704175709370568.dll

MD5 d2607250e2382325859c6a3abe7fdbe1
SHA1 5f9fc893fe2fb45970980d501b47e0b5e206b3b4
SHA256 f358970157c32b572f69215adb47d0b4d3ca2ef8c81eaea7d4b4a3a34bd6db5c
SHA512 f47ae1737e140278d495810d49e9ac7d3735167683fb3455b161ca158536903d0266fcffc9979d7b8c610a53f5d07a9b554f56f97f76451c2a34834a9cd24be0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 75e48cbe4fb10be793d947d415d1cd8a
SHA1 02bf3664f1f3dab5fff8138f272f27a1ffa9c69d
SHA256 d2df970c30a798d2eaa1d45c8ca63c54e81b983f70198fac204e5c5e9032b0de
SHA512 5ebaa34b9132e93713e13d4bebb629b2859d61307bafd981ea41b7fe04346e98d5c74d433eb872db528d846c4507aace117bcd019312b675bd0ba8b42d117360

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 35fad44494a9bbd7429437c79732b35d
SHA1 52946bb60a15c7200bf29eab2f4422467175d8ec
SHA256 003f4e3358c551e6c5511530470b56ab6566c1d20315319979b8f1561b754a7d
SHA512 d40d6896c8304d5e9dd795d713504e91ea6d332011a324078e807acb0c600f3affbf15845c250a6dbe8a0f9f6fc52545a2d7c2434ee0ec4f74a49a89dd9a7a2b

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 04d440a03ff86007d964ac831847d0dd
SHA1 9db68af0bfd5d3000decc940676c77413afcfe98
SHA256 4f915fe6af633287480caedac56c6d9520e72bc1d4e384dc1d2ec457e523c712
SHA512 6c987564641d4b27062edd099b3f8443f69327d7030d4e215a5e9887cd800031f46e18e643914ab5d8ad2c1757d92d096b951b27cb62cbf06f1f925776519c46

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\additional_file0.tmp

MD5 4125c9a1d68d6f095316d878dce498c3
SHA1 d5a9de9d1d21dfbc6de97f2e7c34629f165f139a
SHA256 1faa84af9c9ee61d4550dc8a279434c3f0c9ebea44e6af27c5743af7c59e9ec3
SHA512 5dedc6658d786e572438a39a6aa2845881b0469620d2ffa1c228a2fed5b98aa25070bf9e263c25859519427371f7aff7c43705148e11c3f0b54832015813e1f9

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\assistant_installer.exe

MD5 4bf8672d6eecf868b0a0c2d683c35c96
SHA1 226f1f9fc47cc31ac1d68645a096dce1b9af7282
SHA256 18f66585e1a7ade0b7cbcfb85166b6ed88c07af404dc0cf799254d27bff35b30
SHA512 d54c2a95452f8576e8ee3d8baa9e50f493ec8786942ecc531238c91269d77454d7e6834bc06a486b75dd0fca5714a501d7a28873a383570096915c7561507dce

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\dbghelp.dll

MD5 5e88bb8a68114b6250413ea5b4bc3067
SHA1 9e595e9dfc5530afa875efa0f22f52bfc6eceb53
SHA256 bc3e01917c3973b4c3f6c1bae281db643fdea6d7c806fb9c404d714ad34036db
SHA512 2fb9ebbd204710f05a07dd9176deffc4898b1058b9e1462da6737520148955fe836de06105832700dc8d44759c61f7757a1907465a72b6b78a809de96a253da8

C:\Users\Admin\AppData\Local\Temp\.opera\998ee02f-5e6d-4198-afbd-bcb98d17ec21 Opera Installer Temp\opera_package_202507041757101\assistant\dbgcore.dll

MD5 2cf4691a651e3afc585f5227865e7dab
SHA1 3e6508820092c2553b36c32c638b64255c7d3a56
SHA256 fd4bbed8ee00d7f822358977dbdd217d9a9b6520c7c1a09da5ebf423e80ccbd6
SHA512 4d56799803092847e1600e5fff1121014419240e19b87f1a24f23295983bcd1fd171e87405d2f9aa2e8a3045b9f0f94965779c752856f0653d2516dcb41915c2

Analysis: behavioral27

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 6056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 6056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 6056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6056 -ip 6056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

103s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2824 wrote to memory of 1288 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1288 -ip 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 616

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

100s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5216 wrote to memory of 5236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5216 wrote to memory of 5236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5216 wrote to memory of 5236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BrowserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5236 -ip 5236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 528

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

40s

Max time network

43s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 3124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 3124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 3124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3124 -ip 3124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 460

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

104s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5552 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5552 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5552 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUnzip.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 3768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 468

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

106s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 5820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3240 wrote to memory of 5820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3240 wrote to memory of 5820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5820 -ip 5820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250610-en

Max time kernel

100s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c752cb2457cc6ae008107a07b440e38.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 packs.partner.fms.services.alawar.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\LangDLL.dll

MD5 410a586735f45164c86bda363ad8446f
SHA1 a68d18a8c72ffaa8f8d9ed9f76ea9b0ed397821b
SHA256 b15b1fc88d1b56088b2d3738d76772a91fa186a316a3e0a154358820d0fb9005
SHA512 d12083f67df132b2be57c202601a0cf82dba4c234910e780d2723aac14ae68407b824405b04737b55104bc97750550a3271a944d647661b067ce134075e6cc2a

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\System.dll

MD5 959ea64598b9a3e494c00e8fa793be7e
SHA1 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\NSISpcre.dll

MD5 414124231a0e8a71a820b2c39513c7d7
SHA1 8b08717c2c6305a327598f663b17cc5cd60eaefa
SHA256 1be9ee2ae3b05441f08987d4ffc4dd8219b020c4c44b6df023c3c259d1da305b
SHA512 eab202f56aafb1b4330621bbbdafafc55330ed35216e77c55e882d9057d11e4703eddb8815750ea7c80de7309b0bf12e5ef1a9eb7ddf7624b1b268170a50f2de

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\inetc.dll

MD5 34aafdcc9ba1a2acc6d6fe9ca347ac7b
SHA1 23a4f3ea483d8643d427b29ed92af8253c0d3e6b
SHA256 baf9f333f6276ed10cd1c29c619d1e9143e9b751c5a043d8212567333d0aa9cd
SHA512 1ded039235005fc6ea3bdbaac2e4d74892188e089d95ddca1486a1c83dba1b67eca72b3e1318adf3d8753a0f3fe805c6df46f9e6f1fef44bc1f469a93f6466f5

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\nsUnzip.dll

MD5 bde32fc5dcc9d98520c95fc23fa7bc92
SHA1 e81891aa3f6e500c33474c21ff324083cbb50fcd
SHA256 1fa8f2dfbe9fb83c0660e25e193e5aa09e1d4cd4af4f62e056b2930eb595c4c9
SHA512 99b8d5671fe0a6d6b3a660fd94cef91a69f20863bff2faaae686a673c15789d3d52dbc44c9699fa90f13f4af7d1bfb40c6449d73f608d9c6b5c1fffbf29383b3

memory/2080-34-0x0000000003740000-0x0000000003774000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy81E4.tmp\nsDialogs.dll

MD5 f7b92b78f1a00a872c8a38f40afa7d65
SHA1 872522498f69ad49270190c74cf3af28862057f2
SHA256 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e
SHA512 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

99s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3248 wrote to memory of 452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3248 wrote to memory of 452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3248 wrote to memory of 452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 452 -ip 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 448

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win10v2004-20250610-en

Max time kernel

92s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 5040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 5040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 5040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 600

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-07-04 17:56

Reported

2025-07-04 17:59

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2056 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2056 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 448

Network

Files

N/A