Edit tour

Windows Analysis Report
OperaGXSetup.exe

Overview

General Information

Sample name:	OperaGXSetup.exe
Analysis ID:	1365765
MD5:	46431992aa566007949fc4acbc058856
SHA1:	533e0cef48e51095f1460fd52cc542923d23d29d
SHA256:	846f5e52aa6b4f11a29cab1f505463938938c3c5ad8d753fe70a148200c8c446
Tags:	exemarsstealer
Infos:

Detection

Mars Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

PE file has a writeable .text section

PE file has nameless sections

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OperaGXSetup.exe (PID: 2828 cmdline: C:\Users\user\Desktop\OperaGXSetup.exe MD5: 46431992AA566007949FC4ACBC058856)

WerFault.exe (PID: 2892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2108 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Mars Stealer

{
  "C2 url": "www.msk-post.com/server/init.php"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OperaGXSetup.exe	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2001200370.000000000043C000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x13bd0:$a2: wallet.dat 0x14b08:$b1: CC\%s_%s.txt 0x14680:$b2: History\%s_%s.txt 0x14540:$b3: Autofill\%s_%s.txt
00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_ArkeiStealer_84c7086a	unknown	unknown	0x4520:$a: 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B
Process Memory Space: OperaGXSetup.exe PID: 2828	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: OperaGXSetup.exe PID: 2828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OperaGXSetup.exe PID: 2828	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x11880b:$a2: wallet.dat 0x1193bb:$b1: CC\%s_%s.txt 0x1190dc:$b2: History\%s_%s.txt 0x1190ee:$b2: History\%s_%s.txt 0x118f50:$b3: Autofill\%s_%s.txt
decrypted.memstr	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x15b2:$a2: wallet.dat 0x3c5b:$b1: CC\%s_%s.txt 0x3db7:$b2: History\%s_%s.txt 0x3bdb:$b3: Autofill\%s_%s.txt
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.OperaGXSetup.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.OperaGXSetup.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.OperaGXSetup.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.OperaGXSetup.exe.400000.0.unpack	Windows_Trojan_ArkeiStealer_84c7086a	unknown	unknown	0x4920:$a: 01 89 55 F4 8B 45 F4 3B 45 10 73 31 8B 4D 08 03 4D F4 0F BE 19 8B

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OperaGXSetup.exe

Avira: detected

Found malware configuration

Source: OperaGXSetup.exe

Malware Configuration Extractor: Mars Stealer {"C2 url": "www.msk-post.com/server/init.php"}

Multi AV Scanner detection for submitted file

Source: OperaGXSetup.exe

ReversingLabs: Detection: 62%

Machine Learning detection for sample

Source: OperaGXSetup.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetTickCount
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Sleep
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateMutexA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetLastError
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: 21/04/2022 20:00:00
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: http://
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Default
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu %hu:%hu:%hu
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: open
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\sqlite3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\freebl3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\mozglue.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\msvcp140.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\softokn3.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\vcruntime140.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: .zip
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Tag:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: IP: IP?
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Country: Country?
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Working Path:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Local Time:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TimeZone:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Display Language:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Keyboard Languages:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Is Laptop:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Processor:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Installed RAM:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: OS:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Bit)
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Videocard:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Display Resolution:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PC name:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: User name:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Domain name:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MachineID:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GUID:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Installed Software:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: system.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Grabber\%s.zip
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Wallets\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Ethereum
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Ethereum\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: keystore
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Electrum
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Electrum\wallets\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ElectrumLTC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Electrum-LTC\wallets\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Exodus
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Exodus\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: exodus.conf.json
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: window-state.json
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Exodus\exodus.wallet\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: passphrase.json
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: seed.seco
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: info.seco
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ElectronCash
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \ElectronCash\wallets\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: default_wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MultiDoge
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \MultiDoge\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: multidoge.wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: JAXX
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \jaxx\Local Storage\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: file__0.localstorage
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Atomic
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \atomic\Local Storage\leveldb\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: 000003.log
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CURRENT
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: LOCK
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MANIFEST-000001
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: 0000*
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Binance
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Binance\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: app-store.json
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Coinomi
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Coinomi\Coinomi\wallets\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: *.wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: *.config
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: wallet.dat
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sscanf
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: memset
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: memcpy
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: user32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: netapi32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: vaultcli.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: dbghelp.dll
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: WriteFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ReadFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SetEndOfFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: LocalFree
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetTempPathA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FindClose
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetCurrentDirectoryA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lstrcmpW
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SetCurrentDirectoryA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateFileMappingA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MapViewOfFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: UnmapViewOfFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FileTimeToSystemTime
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetFileInformationByHandle
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetVersionExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateFileW
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateFileMappingW
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateThread
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HttpQueryInfoA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetSetOptionA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetSystemMetrics
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetWindowDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetCurrentHwProfileA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RegGetValueA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SelectObject
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BitBlt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: StretchBlt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetObjectW
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetDIBits
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SaveDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateDIBSection
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: DeleteDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: RestoreDC
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: DsRoleGetPrimaryDomainInformation
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultOpenVault
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultCloseVault
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultEnumerateItems
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultGetItemWin8
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultGetItemWin7
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: VaultFree
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: StrStrA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GdipFree
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SymMatchString
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HEAD
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: POST
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: file
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="file"; filename="
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Content-Type: application/octet-stream
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Content-Transfer-Encoding: binary
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SOFT:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PROF: ?
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PROF:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: HOST:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: USER:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PASS:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PATH
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PATH=
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Cookies\%s_%s.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TRUE
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: FALSE
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Autofill\%s_%s.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CC\%s_%s.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Card number:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Name on card:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Expiration date:
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: History\%s_%s.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT url FROM urls
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Downloads\%s_%s.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT target_path, tab_url from downloads
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Login Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Cookies
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Web Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: History
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: logins.json
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: usernameField
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: guid
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Local State
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ..\profiles.ini
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Chrome
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Google\Chrome\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ChromeBeta
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Google\Chrome Beta\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ChromeCanary
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Google\Chrome SxS\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Chromium
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Chromium\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Edge_Chromium
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Microsoft\Edge\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Kometa
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Kometa\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Amigo
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Amigo\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Torch
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Torch\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Orbitum
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Orbitum\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Comodo
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Comodo\Dragon\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Nichrome
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Nichrome\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Maxthon5
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Maxthon5\Users
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Sputnik
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Sputnik\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Epic Privacy Browser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Vivaldi
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Vivaldi\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CocCoc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \CocCoc\Browser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Uran
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \uCozMedia\Uran\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \QIP Surf\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Cent
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \CentBrowser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Elements
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Elements Browser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TorBro
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \TorBro\Profile
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: CryptoTab
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \CryptoTab Browser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Brave
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \BraveSoftware\Brave-Browser\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Opera
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Opera Software\Opera Stable\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: OperaGX
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Opera Software\Opera GX Stable\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: OperaNeon
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Opera Software\Opera Neon\User Data
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Firefox
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Mozilla\Firefox\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: SlimBrowser
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \FlashPeak\SlimBrowser\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: PaleMoon
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Moonchild Productions\Pale Moon\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Waterfox
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Waterfox\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Cyberfox
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \8pecxstudios\Cyberfox\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BlackHawk
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \NETGATE Technologies\BlackHawk\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: IceCat
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Mozilla\icecat\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: KMeleon
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \K-Meleon\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Thunderbird
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: \Thunderbird\Profiles\
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: passwords.txt
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TronLink
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nkbihfbeogaeaoehlefnkodbefgpgknn
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MetaMask
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: fhbohimaelbohpjbbldcngcnapndodjp
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Binance Chain Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ffnbelfdoeiohenkjibnmadjiehjhajb
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Yoroi
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: jbdaocneiiinmjbjlgalhcelgbejmnid
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Nifty Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Math Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: hnfanknocfeofbddgcijnmhnfnkdnaad
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Coinbase Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Guarda
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: blnieiiffboillknjnepogjhkgnoapac
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: EQUAL Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cjelfplplebdjjenllpjcblmjkfcffne
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Jaxx Liberty
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BitApp Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: kncchdigobghenbbaddojjnnaogfppfj
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: iWallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: amkmjjmmflddogmhpjloimipbofnfjih
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Wombat
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MEW CX
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nanjmdknhkinifnkgdcggcfnhdaammmj
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: GuildWallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nkddgncdjgjfcddamfgcmfnlhccnimig
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Saturn Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: fnjhmkhhmkbjkkabndcnnogagogbneec
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Ronin Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cphhlgmgameodnhkjdmkpanlelnlohao
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: NeoLine
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nhnkbkgjikgcigadomkphalanndcapjk
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Clover Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: kpfopkelmapcoipemfendmdcghnegimn
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Liquality Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: aiifbnbfobpmeekipheeijimdpnlpgpp
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Terra Station
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: dmkamcknogkgcdfhhbddcghachkejeap
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Keplr
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: fhmfendgdocmcbmfikdcogofphimnkno
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Sollet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cnmamaachppnkjgnildpdmkaakejnhae
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Auro Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Polymesh Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: flpiciilemghbmfalicajoolhkkenfel
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ICONex
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nknhiehlklippafakaeklbeglecifhad
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Nabox Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: hcflpincpppdclinealmandijcmnkbgn
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Temple
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: mnfifefkajgofkcjkemidiaecocnkjeh
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TezBox
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: dkdedlpgdmmkkfjabffeganieamfklkm
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Cyano Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Byone
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: OneKey
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cihmoadaighcejopammfbmddcmdekcje
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: LeafWallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lodccjjbdhfakaekdiahmedfbieldgik
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: DAppPlay
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ijmpgkjfkbfhoebgogflfebnmejmfbml
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: BitClip
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Steem Keychain
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: onofpnbbkehpmmoabgpcpmigafmmnjhl
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Nash Extension
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: bcopgchhojmggmffilplmbdicgaihlkp
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Hycon Lite Client
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: klnaejjgbibmhlephnhpmaofohgkpgkd
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ZilPay
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: aeachknmefphepccionboohckonoeemg
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Coin98 Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Phantom
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: hifafgmccdpekplomjjkcfgodnhcellj
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Crypto.com
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: dngmlblcodfobpdpecaadgfbcggfjfnm
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Maiar DeFi Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ppdadbejkmjnefldpcdjhnkpbjkikoip
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Oasis
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: hpbgcgmiemanfelegbndmhieiigkackl
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MonstaWallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: fcckkdbjnoikooededlapcalpionmalo
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: MOBOX
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: jccapkebeeiajkkdemacblkjhhhboiek
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Crust Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: mgffkfbidihjpoaomajlbgchddlicgpn
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Pali Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: nphplpgoakhhjchkkhmiggakijnkhfnd
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: TON Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: ldinpeekobnhjjdofggfgjlcehhmanlj
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Hiro Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: pocmplpaccanhmnllbbkpgfliimjljgo
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Slope Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: bhhhlbepdkbapadjdnnojkbgioiodbic
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Solflare Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: pgiaagfkgcbnmiiolekcfmljdagdhlcm
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Stargazer Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: cgeeodpfagjceefieflmdfphplkenlfk
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: EVER Wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: gjkdbeaiifkpoencioahhcilildpjhgh
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: partisia-wallet
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: bgjogpoidejdemgoochpnkmdjpocgkha
Source: 0.2.OperaGXSetup.exe.400000.0.unpack	String decryptor: Ecto Wallet

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00408E30 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00408E30
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00405450 memset,CryptStringToBinaryA,CryptStringToBinaryA,	0_2_00405450
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_004090C0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_004090C0
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00408AB0 CryptUnprotectData,	0_2_00408AB0
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00408D90 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00408D90

Source: OperaGXSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 91.228.225.55:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: OperaGXSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,KiUserExceptionDispatcher,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040A150
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,PathMatchSpecA,FindNextFileA,FindClose,	0_2_00407620
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00401280
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00401090
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	0_2_0040B570
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B110
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040B3A0

Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.msk-post.com/server/init.php

Source: global traffic	HTTP traffic detected: GET /server/init.php HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: www.msk-post.com
Source: global traffic	HTTP traffic detected: GET /request HTTP/1.1Cache-Control: no-cacheHost: www.msk-post.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /request/ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveHost: www.msk-post.com
Source: global traffic	HTTP traffic detected: GET /server/init.php HTTP/1.1Host: www.msk-post.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /request HTTP/1.1Host: www.msk-post.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /request/ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveHost: www.msk-post.com

Source: Joe Sandbox View

ASN Name: BANKASTANA-ASKZ BANKASTANA-ASKZ

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00406040

Source: global traffic	HTTP traffic detected: GET /server/init.php HTTP/1.1Connection: Keep-AliveCache-Control: no-cacheHost: www.msk-post.com
Source: global traffic	HTTP traffic detected: GET /request HTTP/1.1Cache-Control: no-cacheHost: www.msk-post.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /request/ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveHost: www.msk-post.com
Source: global traffic	HTTP traffic detected: GET /server/init.php HTTP/1.1Host: www.msk-post.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /request HTTP/1.1Host: www.msk-post.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /request/ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveHost: www.msk-post.com

Source: unknown

DNS traffic detected: queries for: www.msk-post.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 21 Dec 2023 18:54:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Language: ru

Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://counter.yadro.ru/hit?r
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moscow-post.com
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moscow-post.ru
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moscow-post.su
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/BreadcrumbList
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/ListItem
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.000000000064D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.antiddos.biz
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.moscow-post.com
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.moscow-post.ru
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.moscow-post.su
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.moscow-post.su/
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/export/moscow-post.rss
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request/
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request/?
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request/E
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request/ID)
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/request9
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/requestl
Source: OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/requestz
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/server/init.php
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/server/init.phpT
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msk-post.com/server/init.phps
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.gravitec.net/sites/www-moscow-post-su/client.js
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://top-fwz1.mail.ru/counter?id=3090817;js=na
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://top-fwz1.mail.ru/counter?id=3090817;t=479;l=1
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://top-fwz1.mail.ru/js/code.js
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://top.mail.ru/jump?from=3090817
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/b
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/economics/game_of_giveaways_or_where_avdolyan_goes33964/
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/economics/pretend_to_be_beggars_deripaska_wants_to_leave_thousands_of_peopl
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/economics/pumping_to_ipo_eurotrans_assets_smack_of_revaluation34022/
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/in_world/sovereignty_and_faith_in_the_russian_people34058/
Source: OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/politics/new_lanit_in_the_tikhonov_case34059/
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/request
Source: OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/request#
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/request/
Source: OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/requestID
Source: OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/requestID)
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/server/init.php
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msk-post.com/server/init.phpcaq

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 91.228.225.55:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_ArkeiStealer_84c7086a Author: unknown
Source: Process Memory Space: OperaGXSetup.exe PID: 2828, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: decrypted.memstr, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown

PE file has a writeable .text section

Source: OperaGXSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

PE file has nameless sections

Source: OperaGXSetup.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0041B020	0_2_0041B020
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00410F00	0_2_00410F00
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0041A790	0_2_0041A790
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0041A190	0_2_0041A190
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0041A5A0	0_2_0041A5A0
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_004107B0	0_2_004107B0

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: String function: 004054F0 appears 577 times

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2108

Source: OperaGXSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_ArkeiStealer_84c7086a reference_sample = 708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.ArkeiStealer, fingerprint = f1d701463b0001de8996b30d2e36ddecb93fe4ca2a1a26fc4fcdaeb0aa3a3d6d, id = 84c7086a-abc3-4b97-b325-46a078b90a95, last_modified = 2022-04-12
Source: Process Memory Space: OperaGXSetup.exe PID: 2828, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: decrypted.memstr, type: MEMORYSTR	Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/6@1/1

Source: C:\Users\user\Desktop\OperaGXSetup.exe

File created: C:\Users\user\Desktop\WL6PZU3W

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2828

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3cb2e43f-3dc4-46fd-9296-f08bace92ce6

Jump to behavior

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OperaGXSetup.exe

ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\OperaGXSetup.exe C:\Users\user\Desktop\OperaGXSetup.exe
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2108

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: OperaGXSetup.exe

Static file information: File size 12010240 > 1048576

Source: OperaGXSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_00415FC0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00415FC0

Source: OperaGXSetup.exe

Static PE information: section name:

Source: initial sample

Static PE information: section name: .text entropy: 7.5580978142593525

Source: C:\Users\user\Desktop\OperaGXSetup.exe

0_2_00415FC0

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_00408370

0_2_00408370

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_0-8424

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-7151

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_00408370

0_2_00408370

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040A150 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,KiUserExceptionDispatcher,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040A150
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00407620 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,PathMatchSpecA,FindNextFileA,FindClose,	0_2_00407620
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00401280
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00401090
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	0_2_0040B570
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B110 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B110
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0040B3A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_0040B3A0

Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\	Jump to behavior
Source: C:\Users\user\Desktop\OperaGXSetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000690000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.000000000064D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\OperaGXSetup.exe	API call chain: ExitProcess graph end node			graph_0-7142
Source: C:\Users\user\Desktop\OperaGXSetup.exe	API call chain: ExitProcess graph end node			graph_0-7077

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_004054F0 VirtualProtect ?,00000004,00000100,00000000

0_2_004054F0

Source: C:\Users\user\Desktop\OperaGXSetup.exe

0_2_00415FC0

Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0043C04C mov eax, dword ptr fs:[00000030h]	0_2_0043C04C
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00415E60 mov eax, dword ptr fs:[00000030h]	0_2_00415E60
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h]	0_2_00401000
Source: C:\Users\user\Desktop\OperaGXSetup.exe	Code function: 0_2_0043C0B2 mov eax, dword ptr fs:[00000030h]	0_2_0043C0B2

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_00406040 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00406040

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Memory protected: page guard

Jump to behavior

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree,

0_2_0040CF60

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_0040CE40 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_0040CE40

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_0040CE00 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_0040CE00

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_0040CEA0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_0040CEA0

Source: C:\Users\user\Desktop\OperaGXSetup.exe

Code function: 0_2_004084E0 GetVersionExA,LoadLibraryA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,FreeLibrary,

0_2_004084E0

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: OperaGXSetup.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2001200370.000000000043C000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OperaGXSetup.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file__0.localstorage
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\OperaGXSetup.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Jump to behavior

Source: Yara match	File source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OperaGXSetup.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: OperaGXSetup.exe, type: SAMPLE
Source: Yara match	File source: 0.0.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2001200370.000000000043C000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.OperaGXSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OperaGXSetup.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	21 Native API	Path Interception	1 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Traffic Duplication	14 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	113 System Information Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OperaGXSetup.exe	62%	ReversingLabs	Win32.Trojan.MarsStealer
OperaGXSetup.exe	100%	Avira	TR/Crypt.XPACK.Gen
OperaGXSetup.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.msk-post.com/request/?	0%	Avira URL Cloud	safe
http://www.msk-post.com/request/E	0%	Avira URL Cloud	safe
http://counter.yadro.ru/hit?r	0%	Avira URL Cloud	safe
https://www.msk-post.com/requestID	0%	Avira URL Cloud	safe
https://www.msk-post.com/server/init.phpcaq	0%	Avira URL Cloud	safe
https://www.msk-post.com/server/init.php	0%	Avira URL Cloud	safe
http://www.msk-post.com/server/init.phps	0%	Avira URL Cloud	safe
https://www.msk-post.com/economics/pretend_to_be_beggars_deripaska_wants_to_leave_thousands_of_peopl	0%	Avira URL Cloud	safe
http://www.moscow-post.su	0%	Avira URL Cloud	safe
https://www.msk-post.com/	0%	Avira URL Cloud	safe
http://www.moscow-post.su/	0%	Avira URL Cloud	safe
https://www.msk-post.com/economics/game_of_giveaways_or_where_avdolyan_goes33964/	0%	Avira URL Cloud	safe
https://www.msk-post.com/economics/pumping_to_ipo_eurotrans_assets_smack_of_revaluation34022/	0%	Avira URL Cloud	safe
http://www.msk-post.com/request	0%	Avira URL Cloud	safe
https://www.msk-post.com/requestID)	0%	Avira URL Cloud	safe
http://www.msk-post.com/	0%	Avira URL Cloud	safe
http://www.msk-post.com/request/ID)	0%	Avira URL Cloud	safe
https://www.msk-post.com/request/	0%	Avira URL Cloud	safe
www.msk-post.com/server/init.php	0%	Avira URL Cloud	safe
https://www.msk-post.com/in_world/sovereignty_and_faith_in_the_russian_people34058/	0%	Avira URL Cloud	safe
http://www.msk-post.com/request/	0%	Avira URL Cloud	safe
https://www.msk-post.com/request#	0%	Avira URL Cloud	safe
https://www.msk-post.com/b	0%	Avira URL Cloud	safe
http://www.msk-post.com/requestl	0%	Avira URL Cloud	safe
https://www.msk-post.com/politics/new_lanit_in_the_tikhonov_case34059/	0%	Avira URL Cloud	safe
http://www.msk-post.com/server/init.php	0%	Avira URL Cloud	safe
http://www.antiddos.biz	0%	Avira URL Cloud	safe
https://www.msk-post.com/request	0%	Avira URL Cloud	safe
http://www.msk-post.com/server/init.phpT	0%	Avira URL Cloud	safe
http://moscow-post.su	0%	Avira URL Cloud	safe
http://www.msk-post.com/request9	0%	Avira URL Cloud	safe
http://www.msk-post.com/requestz	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.msk-post.com	91.228.225.55	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.msk-post.com/request	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/server/init.php	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/request/	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/request/	false	Avira URL Cloud: safe	unknown
www.msk-post.com/server/init.php	true	Avira URL Cloud: safe	low
http://www.msk-post.com/server/init.php	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/request	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://moscow-post.ru	OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schema.org/BreadcrumbList	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msk-post.com/request/?	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/server/init.phpcaq	OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moscow-post.su/	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/request/E	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/economics/pretend_to_be_beggars_deripaska_wants_to_leave_thousands_of_peopl	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/requestID	OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://top-fwz1.mail.ru/js/code.js	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msk-post.com/economics/pumping_to_ipo_eurotrans_assets_smack_of_revaluation34022/	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://counter.yadro.ru/hit?r	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/	OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://top-fwz1.mail.ru/counter?id=3090817;t=479;l=1	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msk-post.com/economics/game_of_giveaways_or_where_avdolyan_goes33964/	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/requestID)	OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moscow-post.su	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.gravitec.net/sites/www-moscow-post-su/client.js	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msk-post.com/server/init.phps	OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/	OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/request/ID)	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/in_world/sovereignty_and_faith_in_the_russian_people34058/	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/requestl	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schema.org/ListItem	OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msk-post.com/politics/new_lanit_in_the_tikhonov_case34059/	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/api.js	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://top-fwz1.mail.ru/counter?id=3090817;js=na	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://top.mail.ru/jump?from=3090817	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msk-post.com/request#	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msk-post.com/b	OperaGXSetup.exe, 00000000.00000002.2096888528.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.antiddos.biz	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.000000000064D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moscow-post.ru	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msk-post.com/server/init.phpT	OperaGXSetup.exe, 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://moscow-post.com	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://moscow-post.su	OperaGXSetup.exe, 00000000.00000002.2099946017.00000000092F5000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msk-post.com/request9	OperaGXSetup.exe, 00000000.00000003.2057539385.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moscow-post.com	OperaGXSetup.exe, 00000000.00000003.2057539385.000000000069F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msk-post.com/requestz	OperaGXSetup.exe, 00000000.00000003.2040545976.00000000006AA000.00000004.00000020.00020000.00000000.sdmp, OperaGXSetup.exe, 00000000.00000002.2096888528.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.228.225.55	www.msk-post.com	Russian Federation		39763	BANKASTANA-ASKZ	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1365765
Start date and time:	2023-12-21 19:53:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OperaGXSetup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 64
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: OperaGXSetup.exe

Simulations

Behavior and APIs

Time	Type	Description
19:53:54	API Interceptor	1x Sleep call for process: OperaGXSetup.exe modified
19:54:03	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.228.225.55	RobloxCheatInjector.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	www.msk-post.com/request/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.msk-post.com	NMM_Community_Edition-4-0-71-3-1587501167.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	91.228.225.55
	AnyDesk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	91.228.225.55
	RobloxCheatInjector.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	91.228.225.55

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BANKASTANA-ASKZ	NMM_Community_Edition-4-0-71-3-1587501167.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	91.228.225.55
	AnyDesk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	91.228.225.55
	RobloxCheatInjector.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	91.228.225.55
	http://www.zeenek.site/	Get hash	malicious	Unknown	Browse	91.228.224.146
	https://preview.grandoil37.ru/assets/images/bp/	Get hash	malicious	Unknown	Browse	91.228.224.146
	GOfLDnnkfr.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	91.228.224.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Babuk, Djvu	Browse	91.228.225.55
	file.exe	Get hash	malicious	PrivateLoader	Browse	91.228.225.55
	file.exe	Get hash	malicious	Amadey	Browse	91.228.225.55
	Iwjvxg.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	91.228.225.55
	RFQ20231220_Lista_projekt#U00f3w_komercyjnych_2024.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	91.228.225.55
	OYSVIdqcxa.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.228.225.55
	TUC.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	91.228.225.55
	GuestsListLasVegas_05.msi	Get hash	malicious	Bazar Loader, Qbot	Browse	91.228.225.55
	2OcriJkWk6.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.228.225.55
	PO54623.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	91.228.225.55
	buildz.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	91.228.225.55
	build2.exe	Get hash	malicious	Vidar	Browse	91.228.225.55
	newrock.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	91.228.225.55
	gustiest.msi	Get hash	malicious	Unknown	Browse	91.228.225.55
	lPUOqVqw1D.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.228.225.55
	UPDATE.JS	Get hash	malicious	SocGholish	Browse	91.228.225.55
	OE9ZntaKqM.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.228.225.55
	Z0m3hA5H5V.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	91.228.225.55
	Console.exe	Get hash	malicious	Unknown	Browse	91.228.225.55
	Console.exe	Get hash	malicious	Unknown	Browse	91.228.225.55

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OperaGXSetup.exe_82691ba76431485db1fd9a98ff162bea1ce379e_bd6eeb5d_af97da17-0a28-4c60-aeaa-0305e8f09c3f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.181973450494778
Encrypted:	false
SSDEEP:	192:6MNXncBU0BU/gjICB9FZZremvzuiFwZ24IO8u:dcBPBU/gjIwHvzuiFwY4IO8u
MD5:	0DC16DE053756BAED09435176997BD23
SHA1:	10BD2AB9E0962914F79F94CCD9C01933277ACAFA
SHA-256:	721BECFF9EB4DAC5F81CEAA7CE92DC9C2F050CDD99A89445DCF1A5277EF1A3AD
SHA-512:	E563E595930B12C7673B5E6F560E0657FADF4062DE18B7FD888E3C7C23046925D8CC515743BE40A8AC6A491ED7E39D240BD7E028866C455D7D953A2BAE4747E1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.7.6.5.8.4.4.0.1.3.7.3.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.7.6.5.8.4.4.0.8.4.0.4.4.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.9.7.d.a.1.7.-.0.a.2.8.-.4.c.6.0.-.a.e.a.a.-.0.3.0.5.e.8.f.0.9.c.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.8.1.e.f.b.0.-.9.0.a.3.-.4.c.7.4.-.a.e.2.7.-.f.4.7.b.3.b.6.9.1.f.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.p.e.r.a.G.X.S.e.t.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.0.c.-.0.0.0.1.-.0.0.1.4.-.7.0.d.c.-.5.a.0.b.3.f.3.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.4.9.e.5.e.a.1.5.f.c.3.0.7.3.4.d.9.c.2.b.e.0.3.b.7.f.6.5.b.c.9.0.0.0.0.f.f.f.f.!.0.0.0.0.5.3.3.e.0.c.e.f.4.8.e.5.1.0.9.5.f.1.4.6.0.f.d.5.2.c.c.5.4.2.9.2.3.d.2.3.d.2.9.d.!.O.p.e.r.a.G.X.S.e.t.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B38.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 21 18:54:00 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	149694
Entropy (8bit):	1.8496430986178545
Encrypted:	false
SSDEEP:	384:hp4UiYj5c9+L3RgYgzEpjgQEiPTVl67j75fw/qjbTsCILPxzLP3fDy79R:B3j5m+zRgbbQEi7C7j7xwhCOZX3bu
MD5:	69D5A91BDAE0C87A86E1A8A67882B998
SHA1:	8517B9262D94B8FB8CEDFB43A8A3064BF5331EA1
SHA-256:	A3A6A5703C242E2CB943D661286DA406CA92C0AA778A0E519C0F876BC50113A8
SHA-512:	4ADABCBFA9FC2186ED5FA8D5374C4F0C0BA65AE729AF581EB7C7278FE3E2C74E634AA9A139B0DC3454E167D9BB22DCC9DDF4C501C0DB15F6CC2508EEF218F905
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........e.........................#..........4....Y..........T.......8...........T............U..............$,..........................................................................................eJ..............GenuineIntel............T..............e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CC0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8464
Entropy (8bit):	3.698816461825982
Encrypted:	false
SSDEEP:	192:R6l7wVeJAE6ci6YEITSUoegmf+eprW89bBksf00Lm:R6lXJD6p6YE8SUoegmf+8BXfM
MD5:	F03CBBE10F4F5A840CB91217DF93F6C6
SHA1:	077FE9762DC0AD5B3BECE346991470B3333B886A
SHA-256:	1816EF0F4E66871D51F051C01A7CE9DDE25837311FD02CC939178B24FCF66DBB
SHA-512:	E9351C8268C0DDA02F45664CE56C570D9193B1011F858A7F00B7C77C3679CAAA9992FB34370F389902CE783E97FE93DC789BC44C7B17046BE2F33F28C6B92F38
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.489690159407907
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9vMWpW8VYoPYm8M4JkgLJFg+q8vbL4/kHxgWd:uIjfII7Bl7VJSJaKw/+gWd
MD5:	7488BA84B0FAD6C192E2556F54921DDF
SHA1:	26CC7EB78E4F906A5788E893AF0CB064ADA96D71
SHA-256:	7A0074373C7291EE58D3BB04A3E1F30E25A7CADEB3F4EAE7B079F8B7BF7DB726
SHA-512:	B392E7725987790F5070EF4267CA818ADEE236D7956810A59D1BFC41FE6FBF58472B2FE2AD50E6437ABC3C7C7AB09B4D5712AAF3AABA0FA34EEC9DD5CD500786
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="114356" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\WL6PZU3W

Download File

Process:	C:\Users\user\Desktop\OperaGXSetup.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421495562762901
Encrypted:	false
SSDEEP:	6144:+Svfpi6ceLP/9skLmb0OTfWSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:dvloTfW+EZMM6DFyt03w
MD5:	695B8CFD9342CC0C5050E469089CC133
SHA1:	1389CF9DEB8F4F762F7596C397C4EC38F5ACF6CF
SHA-256:	BEDA6929D6D88715B62E7E48E81234959214CD320A6B3603A03D4B9D68CB2C49
SHA-512:	1D18046F3DE60A5C135655CEA8806C83E46CBCF7632AB30729432E4F9FDE76E53460050C6098B78B5AFD6ABA6B3C665819215C71DF749FC01AF4D1D999337E15
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.(..?4.................................................................................................................................................................................................................................................................................................................................................;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.2042574955558428
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OperaGXSetup.exe
File size:	12'010'240 bytes
MD5:	46431992aa566007949fc4acbc058856
SHA1:	533e0cef48e51095f1460fd52cc542923d23d29d
SHA256:	846f5e52aa6b4f11a29cab1f505463938938c3c5ad8d753fe70a148200c8c446
SHA512:	02b1bb111b9db1af37d7f06a36e5f59aac0e9f6a36878db0148f36b7c68ac93f0d136755a8b0a084a510adf2b9eff4cd72b2ab20849a0ea333920557808a2a52
SSDEEP:	3072:3+fKfLxPq+l/AGDF+FUN9TgPC543HaHJSp8Bb8EGF9N7:OfKfI+l4GDCACS4Kz8EGF9N
TLSH:	29C6D096BCC755FEF6E5387C28BD3B1A53BEF51D6244EB221F092882884614D6331C6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................M.......................\|.......N.....Rich....................PE..L...B;8b...................................

File Icon


Icon Hash:	4165375b9a9a9445

Static PE Info

General

Entrypoint:	0x43c0b2
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62383B42 [Mon Mar 21 08:45:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4e06c011d59529bff8e1f1c88254b928

Entrypoint Preview

Instruction
push ebp
sub ebp, 01h
jne 00007F8B74DA708Dh
pop ebp
mov eax, dword ptr fs:[00000030h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+14h]
mov edi, dword ptr [eax+10h]
call 00007F8B74DA7095h
pop esi
lea edx, dword ptr [edi+00001000h]
lea ecx, dword ptr [edx+0001C800h]
lea ebx, dword ptr [esi+00000273h]
lea ebp, dword ptr [ebx+20h]
push edx
push ecx
push ebx
push ebp
call 00007F8B74DA6FA9h
add esp, 10h
lea eax, dword ptr [edi+00008430h]
jmp eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26508	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d000	0x2670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39000	0x23e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e000	0x10	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d000	0x1c800	False	0.6995014391447368	data	7.5580978142593525	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1e000	0x9000	0x8600	False	0.675897854477612	data	6.0428202984727335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x27000	0x12000	0x200	False	0.091796875	data	0.6582824138522845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x39000	0x251e	0x2600	False	0.7749794407894737	data	6.693331597993307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x3c000	0x360	0x400	False	0.2666015625	data	3.863396740762502	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d000	0x2670	0x2800	False	0.3177734375	data	4.9773045366572255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d0b4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.3274896265560166
RT_GROUP_ICON	0x3f65c	0x14	data			1.15

Imports

DLL	Import
msvcrt.dll	_mbsstr, memset, _mbsnbcpy

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 41
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2023 19:53:55.758780003 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.039422989 CET	80	49704	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.039571047 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.039871931 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.318692923 CET	80	49704	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.318849087 CET	80	49704	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.318911076 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.330240965 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.330279112 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.330351114 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.345343113 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.345360041 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.930449963 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.930551052 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.999330997 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:56.999349117 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.999664068 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:56.999727011 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.002580881 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.044739008 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:57.500899076 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:57.500961065 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:57.500971079 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.501009941 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.501118898 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.501128912 CET	443	49705	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:57.501152039 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.501178026 CET	49705	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:57.748289108 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.027592897 CET	80	49704	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:58.027647972 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.028633118 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.028659105 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:58.028723001 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.029048920 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.029062033 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:58.600673914 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:58.600745916 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.601350069 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.601357937 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:58.601452112 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:58.601457119 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.168921947 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.168977976 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.168983936 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.169034004 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.170629978 CET	49706	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.170644999 CET	443	49706	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.177722931 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.456969976 CET	80	49704	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.457058907 CET	49704	80	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.457822084 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.457850933 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:53:59.457916021 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.458409071 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:53:59.458421946 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.021574020 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.021661043 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.022313118 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.022319078 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.022653103 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.022658110 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867043972 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867068052 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867082119 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867129087 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.867155075 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.867161989 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867173910 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:00.867218018 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.868575096 CET	49707	443	192.168.2.5	91.228.225.55
Dec 21, 2023 19:54:00.868585110 CET	443	49707	91.228.225.55	192.168.2.5
Dec 21, 2023 19:54:05.397964954 CET	49704	80	192.168.2.5	91.228.225.55

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2023 19:53:55.556422949 CET	55856	53	192.168.2.5	1.1.1.1
Dec 21, 2023 19:53:55.750579119 CET	53	55856	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2023 19:53:55.556422949 CET	192.168.2.5	1.1.1.1	0x1741	Standard query (0)	www.msk-post.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2023 19:53:55.750579119 CET	1.1.1.1	192.168.2.5	0x1741	No error (0)	www.msk-post.com		91.228.225.55	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.msk-post.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	91.228.225.55	80	2828	C:\Users\user\Desktop\OperaGXSetup.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2023 19:53:56.039871931 CET	106	OUT	GET /server/init.php HTTP/1.1 Host: www.msk-post.com Connection: Keep-Alive Cache-Control: no-cache
Dec 21, 2023 19:53:56.318849087 CET	424	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:53:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://www.msk-post.com:443/server/init.php Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0
Dec 21, 2023 19:53:57.748289108 CET	74	OUT	GET /request HTTP/1.1 Host: www.msk-post.com Cache-Control: no-cache
Dec 21, 2023 19:53:58.027592897 CET	416	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:53:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://www.msk-post.com:443/request Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0
Dec 21, 2023 19:53:59.177722931 CET	99	OUT	GET /request/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Host: www.msk-post.com
Dec 21, 2023 19:53:59.456969976 CET	417	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:53:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://www.msk-post.com:443/request/ Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	91.228.225.55	443	2828	C:\Users\user\Desktop\OperaGXSetup.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-21 18:53:56 UTC	106	OUT	GET /server/init.php HTTP/1.1 Connection: Keep-Alive Cache-Control: no-cache Host: www.msk-post.com
2023-12-21 18:53:57 UTC	233	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:53:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close Content-Language: ru Strict-Transport-Security: max-age=31536000;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	91.228.225.55	443	2828	C:\Users\user\Desktop\OperaGXSetup.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-21 18:53:58 UTC	98	OUT	GET /request HTTP/1.1 Cache-Control: no-cache Host: www.msk-post.com Connection: Keep-Alive
2023-12-21 18:53:59 UTC	284	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:53:59 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Location: http://www.msk-post.com/request/ Strict-Transport-Security: max-age=31536000;
2023-12-21 18:53:59 UTC	334	IN	Data Raw: 31 34 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 73 6b 2d 70 6f 73 74 2e 63 6f 6d 2f 72 65 71 75 65 73 74 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e Data Ascii: 142<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.msk-post.com/request/">here</a>.</p><hr><address>Apache/2.4.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	91.228.225.55	443	2828	C:\Users\user\Desktop\OperaGXSetup.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-21 18:54:00 UTC	99	OUT	GET /request/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Host: www.msk-post.com
2023-12-21 18:54:00 UTC	203	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 21 Dec 2023 18:54:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Language: ru
2023-12-21 18:54:00 UTC	16181	IN	Data Raw: 31 66 35 30 0d 0a 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 65 72 69 66 79 2d 76 31 22 20 63 6f 6e 74 65 6e 74 3d 22 64 6d 4d 4d 46 79 4d 6f 2f 35 6f 46 38 51 65 4c 53 52 44 4a 68 4a 4b 62 52 4a Data Ascii: 1f50<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="verify-v1" content="dmMMFyMo/5oF8QeLSRDJhJKbRJ
2023-12-21 18:54:00 UTC	97	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 09 09 09 09 24 28 27 2e 6d 72 67 2d 74 61 67 27 29 2e 72 65 6d 6f 76 65 28 29 3b 0a 0d 0a 32 62 0d 0a 09 09 09 7d 29 0a 09 09 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: (function(){$('.mrg-tag').remove();2b})</script></div></body></html>0

Statistics

Click to jump to process

Memory Usage

• OperaGXSetup.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• OperaGXSetup.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	19:53:53
Start date:	21/12/2023
Path:	C:\Users\user\Desktop\OperaGXSetup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OperaGXSetup.exe
Imagebase:	0x400000
File size:	12'010'240 bytes
MD5 hash:	46431992AA566007949FC4ACBC058856
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000000.2001200370.000000000043C000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.2096888528.000000000062D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_ArkeiStealer_84c7086a, Description: unknown, Source: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:53:59
Start date:	21/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 2108
Imagebase:	0xbe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	25.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.2%
Total number of Nodes:	93
Total number of Limit Nodes:	7

Executed Functions

Function 0040A150 Relevance: 47.6, APIs: 19, Strings: 8, Instructions: 400
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0040A169
FindFirstFileA.KERNEL32(?,?), ref: 0040A180
StrCmpCA.SHLWAPI(?,0041E018), ref: 0040A1A6
StrCmpCA.SHLWAPI(?,0041E01C), ref: 0040A1BC
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040A607
FindClose.KERNEL32(000000FF), ref: 0040A61C

Strings

Network, xrefs: 0040A203, 0040A2AD
0d, xrefs: 0040A1FC, 0040A296
%s\%s\%s\%s, xrefs: 0040A213
"A, xrefs: 0040A466
d, xrefs: 0040A499
%s\%s, xrefs: 0040A1D6
"A, xrefs: 0040A5BA, 0040A57B, 0040A357, 0040A2E7, 0040A263, 0040A266, 0040A2EA, 0040A35A, 0040A57E, 0040A5BD
%s\*, xrefs: 0040A15D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: d$"A$"A$%s\%s$%s\%s\%s\%s$%s\*$0d$Network
API String ID: 180737720-3110365446
Opcode ID: b80050c418d72438fe762d673266659a9bd9fe6c3067ae38539c72c42dce6736
Instruction ID: f4cafc41ab40138cd4fbc227c14a196c862bb1f9b48700fdcd8654f58694f78e
Opcode Fuzzy Hash: b80050c418d72438fe762d673266659a9bd9fe6c3067ae38539c72c42dce6736
Instruction Fuzzy Hash: 3EE14FB2604209ABCB14DF94DC85EEB73BDBF8C304F44469DB609A3140E635EA95CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415FC0 Relevance: 22.6, APIs: 15, Instructions: 110
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,0063F180), ref: 00416012
GetProcAddress.KERNEL32(75900000,00640720), ref: 0041602A
GetProcAddress.KERNEL32(75900000,006335D8), ref: 00416042
GetProcAddress.KERNEL32(75900000,0063F0C0), ref: 0041605B
GetProcAddress.KERNEL32(75900000,0063F228), ref: 00416073
GetProcAddress.KERNEL32(75900000,0063F150), ref: 0041608B
GetProcAddress.KERNEL32(75900000,0063F198), ref: 004160A4
GetProcAddress.KERNEL32(75900000,0063F090), ref: 004160BC
GetProcAddress.KERNEL32(75900000,006337F8), ref: 004160D4
GetProcAddress.KERNEL32(75900000,006335F8), ref: 004160ED
GetProcAddress.KERNEL32(75900000,006338F8), ref: 00416105
LoadLibraryA.KERNEL32(0063F120,?,00408451), ref: 00416117
LoadLibraryA.KERNEL32(0063F258,?,00408451), ref: 00416128
GetProcAddress.KERNEL32(75070000,0063F240), ref: 0041614A
GetProcAddress.KERNEL32(74E50000,00633898), ref: 0041616B

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 922699835c9b2e5024314b0b71e79ea161ded01a8737b0c1b03e5e1ade28402e
Instruction ID: 54980406dc0ce136c651422eb4da692bfaec81cf59bdf565fd0951130199d928
Opcode Fuzzy Hash: 922699835c9b2e5024314b0b71e79ea161ded01a8737b0c1b03e5e1ade28402e
Instruction Fuzzy Hash: EB4196B5B29600DFD374DF79ED8996637F9AB8C30138046B9A505C3220DA359542CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00406040 Relevance: 12.1, APIs: 8, Instructions: 82
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040605A
RtlAllocateHeap.NTDLL(00000000), ref: 00406061
InternetOpenA.WININET(0041E022,00000000,00000000,00000000,00000000), ref: 0040607A
InternetSetOptionA.WININET(?,00000002,000927C0,00000004), ref: 0040609C
InternetOpenUrlA.WININET(?,000927C0,00000000,00000000,04000100,00000000), ref: 004060B8
InternetReadFile.WININET(?,?,00000400,00000000), ref: 004060E8
InternetCloseHandle.WININET(?), ref: 0040615C
InternetCloseHandle.WININET(?), ref: 00406169

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileOptionProcessRead
String ID:
API String ID: 3776486462-0
Opcode ID: 19a9df82f57a0ea9c1387bd5b25f2d44615fa661691986f7400c75a67912551f
Instruction ID: 8d503f160446ef152f8c9b7338639e7a00d779203a7a8d645a75d35a06f95880
Opcode Fuzzy Hash: 19a9df82f57a0ea9c1387bd5b25f2d44615fa661691986f7400c75a67912551f
Instruction Fuzzy Hash: C1310AB0A45218ABDB20CF94DC45BDDB7B4AB48704F5080E9F709B7281CAB46AC58F6C

Uniqueness

Uniqueness Score: -1.00%

Function 00408370 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00408376
Sleep.KERNEL32(00003E80), ref: 00408384
GetTickCount.KERNEL32 ref: 0040838A

Strings

., xrefs: 00408396

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: .
API String ID: 4250438611-3974621797
Opcode ID: 6c09905486d8f6d1841faa18bdaf0d99efe38b5148644911e42111b3237a1eca
Instruction ID: 1f2baedc4bd2afaa35d6e179f254ec78c4b3a313614d70235f5c5ca6dc0fa011
Opcode Fuzzy Hash: 6c09905486d8f6d1841faa18bdaf0d99efe38b5148644911e42111b3237a1eca
Instruction Fuzzy Hash: F2E08670E08208EFD710AFF4ED0C06CBB74FBC4701F9001BADC01A2280EA7549419756

Uniqueness

Uniqueness Score: -1.00%

Function 00408E30 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00408E54
LocalAlloc.KERNEL32(00000040,00000000), ref: 00408E73
LocalFree.KERNEL32(?), ref: 00408E9F

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: ae75150e4149a954d09fbe1fe6583a56905ce33bedf148e8959e930e8673e7d2
Instruction ID: 97c9f880238bfed5047f986f3d59fdf99d547596ab4fc482aa5cc0b782b5c4d1
Opcode Fuzzy Hash: ae75150e4149a954d09fbe1fe6583a56905ce33bedf148e8959e930e8673e7d2
Instruction Fuzzy Hash: 9511CCB4A00209DFCB04DFA4D985AAEB7B5FF88300F104569F915A7390DB74AD51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004054F0 Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 00405500
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00405573

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AllocLocalProtectVirtual
String ID:
API String ID: 4134893223-0
Opcode ID: e4152bd5c01bcaf836995c8b0eba030d084e174f961742ab5cfe079318ddcd74
Instruction ID: a6a295fd004515110d7aebf80b6c73dcfd10a89e25a4ea783c0ef0c71e045128
Opcode Fuzzy Hash: e4152bd5c01bcaf836995c8b0eba030d084e174f961742ab5cfe079318ddcd74
Instruction Fuzzy Hash: 5B1151B4A04248EFCF04CF98D891BAEBBB5FF49304F108099E915A7341C735AA51CF45

Uniqueness

Uniqueness Score: -1.00%

Function 004161A0 Relevance: 294.9, APIs: 150, Strings: 18, Instructions: 904
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00640D38), ref: 004161BD
GetProcAddress.KERNEL32(75900000,00640DC8), ref: 004161D5
GetProcAddress.KERNEL32(75900000,00633498), ref: 004161EE
GetProcAddress.KERNEL32(75900000,00640FD8), ref: 00416206
GetProcAddress.KERNEL32(75900000,00640EE8), ref: 0041621E
GetProcAddress.KERNEL32(75900000,00641038), ref: 00416237
GetProcAddress.KERNEL32(75900000,00640E88), ref: 0041624F
GetProcAddress.KERNEL32(75900000,00641068), ref: 00416267
GetProcAddress.KERNEL32(75900000,00640FC0), ref: 00416280
GetProcAddress.KERNEL32(75900000,00640F90), ref: 00416298
GetProcAddress.KERNEL32(75900000,00640ED0), ref: 004162B0
GetProcAddress.KERNEL32(75900000,00640F30), ref: 004162C9
GetProcAddress.KERNEL32(75900000,00641050), ref: 004162E1
GetProcAddress.KERNEL32(75900000,00633218), ref: 004162F9
GetProcAddress.KERNEL32(75900000,00640E40), ref: 00416312
GetProcAddress.KERNEL32(75900000,006331D8), ref: 0041632A
GetProcAddress.KERNEL32(75900000,006386D8), ref: 00416342
GetProcAddress.KERNEL32(75900000,00640F00), ref: 0041635B
GetProcAddress.KERNEL32(75900000,006334F8), ref: 00416373
GetProcAddress.KERNEL32(75900000,00641080), ref: 0041638B
GetProcAddress.KERNEL32(75900000,006331F8), ref: 004163A4
GetProcAddress.KERNEL32(75900000,006410B0), ref: 004163BC
GetProcAddress.KERNEL32(75900000,00640E10), ref: 004163D4
GetProcAddress.KERNEL32(75900000,00640FF0), ref: 004163ED
GetProcAddress.KERNEL32(75900000,00640F18), ref: 00416405
GetProcAddress.KERNEL32(75900000,00633238), ref: 0041641D
GetProcAddress.KERNEL32(75900000,00641008), ref: 00416436
GetProcAddress.KERNEL32(75900000,006410C8), ref: 0041644E
GetProcAddress.KERNEL32(75900000,00641020), ref: 00416466
GetProcAddress.KERNEL32(75900000,00633178), ref: 0041647F
GetProcAddress.KERNEL32(75900000,00640FA8), ref: 00416497
GetProcAddress.KERNEL32(75900000,006410E0), ref: 004164AF
GetProcAddress.KERNEL32(75900000,00640DF8), ref: 004164C8
GetProcAddress.KERNEL32(75900000,00640E28), ref: 004164E0
GetProcAddress.KERNEL32(75900000,00640E58), ref: 004164F8
GetProcAddress.KERNEL32(75900000,00633278), ref: 00416511
GetProcAddress.KERNEL32(75900000,00633198), ref: 00416529
GetProcAddress.KERNEL32(75900000,00640E70), ref: 00416541
GetProcAddress.KERNEL32(75900000,00640EA0), ref: 0041655A
GetProcAddress.KERNEL32(75900000,00633378), ref: 00416572
GetProcAddress.KERNEL32(75900000,00638700), ref: 0041658A
GetProcAddress.KERNEL32(75900000,00640F60), ref: 004165A3
GetProcAddress.KERNEL32(75900000,00640EB8), ref: 004165BB
GetProcAddress.KERNEL32(75900000,006334D8), ref: 004165D3
GetProcAddress.KERNEL32(75900000,00633258), ref: 004165EC
GetProcAddress.KERNEL32(75900000,00633518), ref: 00416604
GetProcAddress.KERNEL32(75900000,00640F48), ref: 0041661C
GetProcAddress.KERNEL32(75900000,006332B8), ref: 00416635
GetProcAddress.KERNEL32(75900000,00640F78), ref: 0041664D
GetProcAddress.KERNEL32(75900000,006332F8), ref: 00416665
GetProcAddress.KERNEL32(75900000,006332D8), ref: 0041667E
GetProcAddress.KERNEL32(75900000,006411A0), ref: 00416696
GetProcAddress.KERNEL32(75900000,00633318), ref: 004166AE
GetProcAddress.KERNEL32(75900000,00633338), ref: 004166C7
GetProcAddress.KERNEL32(75900000,00641158), ref: 004166DF
GetProcAddress.KERNEL32(75900000,00641110), ref: 004166F7
GetProcAddress.KERNEL32(75900000,VirtualAlloc), ref: 0041670E
GetProcAddress.KERNEL32(75900000,VirtualFree), ref: 00416725
GetProcAddress.KERNEL32(75900000,HeapFree), ref: 0041673B
GetProcAddress.KERNEL32(75900000,LocalFileTimeToFileTime), ref: 00416752
GetProcAddress.KERNEL32(75900000,CreateDirectoryA), ref: 00416769
GetProcAddress.KERNEL32(75900000,SetFileTime), ref: 0041677F
LoadLibraryA.KERNEL32(00640B70,?,00408496), ref: 00416791
LoadLibraryA.KERNEL32(00640D68,?,00408496), ref: 004167A3
LoadLibraryA.KERNEL32(00640D50,?,00408496), ref: 004167B4
LoadLibraryA.KERNEL32(00640BE8,?,00408496), ref: 004167C6
LoadLibraryA.KERNEL32(00640D98,?,00408496), ref: 004167D8
LoadLibraryA.KERNEL32(00640C00,?,00408496), ref: 004167E9
LoadLibraryA.KERNEL32(00640C90,?,00408496), ref: 004167FB
LoadLibraryA.KERNEL32(00640C18,?,00408496), ref: 0041680D
LoadLibraryA.KERNEL32(00640C30,?,00408496), ref: 0041681E
LoadLibraryA.KERNEL32(00640C60,?,00408496), ref: 00416830
LoadLibraryA.KERNEL32(00640C78,?,00408496), ref: 00416842
LoadLibraryA.KERNEL32(00640DB0,?,00408496), ref: 00416853
LoadLibraryA.KERNEL32(00640DE0,?,00408496), ref: 00416865
GetProcAddress.KERNEL32(76E80000,00640790), ref: 00416886
GetProcAddress.KERNEL32(76E80000,00640870), ref: 0041689F
GetProcAddress.KERNEL32(76E80000,006406F0), ref: 004168B7
GetProcAddress.KERNEL32(6F080000,00641260), ref: 004168DC
GetProcAddress.KERNEL32(6F080000,006333B8), ref: 004168F5
GetProcAddress.KERNEL32(6F080000,006333F8), ref: 0041690D
GetProcAddress.KERNEL32(6F080000,00633418), ref: 00416925
GetProcAddress.KERNEL32(6F080000,00641128), ref: 0041693E
GetProcAddress.KERNEL32(6F080000,00633438), ref: 00416956
GetProcAddress.KERNEL32(6F080000,00633478), ref: 0041696E
GetProcAddress.KERNEL32(6F080000,00641700), ref: 00416987
GetProcAddress.KERNEL32(6F080000,006417C0), ref: 0041699F
GetProcAddress.KERNEL32(6F080000,00641900), ref: 004169B7
GetProcAddress.KERNEL32(75A50000,00641140), ref: 004169DD
GetProcAddress.KERNEL32(75A50000,006411B8), ref: 004169F5
GetProcAddress.KERNEL32(75A50000,00641920), ref: 00416A0D
GetProcAddress.KERNEL32(75A50000,006417A0), ref: 00416A26
GetProcAddress.KERNEL32(75A50000,00641170), ref: 00416A3E
GetProcAddress.KERNEL32(75A50000,00640700), ref: 00416A56
GetProcAddress.KERNEL32(75A50000,006417E0), ref: 00416A6F
GetProcAddress.KERNEL32(75A50000,00641840), ref: 00416A87
GetProcAddress.KERNEL32(75A50000,00641188), ref: 00416A9F
GetProcAddress.KERNEL32(75A50000,00641278), ref: 00416AB8
GetProcAddress.KERNEL32(75A50000,006411D0), ref: 00416AD0
GetProcAddress.KERNEL32(75070000,00641200), ref: 00416AF5
GetProcAddress.KERNEL32(75070000,00641940), ref: 00416B0E
GetProcAddress.KERNEL32(75070000,006412A8), ref: 00416B26
GetProcAddress.KERNEL32(75070000,006419C0), ref: 00416B3E
GetProcAddress.KERNEL32(75070000,006410F8), ref: 00416B57
GetProcAddress.KERNEL32(75070000,006411E8), ref: 00416B6F
GetProcAddress.KERNEL32(75FD0000,00641248), ref: 00416B94
GetProcAddress.KERNEL32(75FD0000,00641218), ref: 00416BAD
GetProcAddress.KERNEL32(75FD0000,00641820), ref: 00416BC5
GetProcAddress.KERNEL32(75FD0000,006419E0), ref: 00416BDD
GetProcAddress.KERNEL32(75FD0000,00641230), ref: 00416BF6
GetProcAddress.KERNEL32(75FD0000,00640760), ref: 00416C0E
GetProcAddress.KERNEL32(75FD0000,00641290), ref: 00416C26
GetProcAddress.KERNEL32(75FD0000,00641B20), ref: 00416C3F
GetProcAddress.KERNEL32(75FD0000,00641C70), ref: 00416C57
GetProcAddress.KERNEL32(75FD0000,00641CB8), ref: 00416C6F
GetProcAddress.KERNEL32(75FD0000,00640770), ref: 00416C88
GetProcAddress.KERNEL32(75FD0000,006418C0), ref: 00416CA0
GetProcAddress.KERNEL32(75FD0000,00641B38), ref: 00416CB8
GetProcAddress.KERNEL32(75FD0000,00641C28), ref: 00416CD1
GetProcAddress.KERNEL32(6E260000,00637590), ref: 00416CF2
GetProcAddress.KERNEL32(74DF0000,00641AA0), ref: 00416D13
GetProcAddress.KERNEL32(74E50000,00641800), ref: 00416D35
GetProcAddress.KERNEL32(750F0000,00638728), ref: 00416D5A
GetProcAddress.KERNEL32(750F0000,00641860), ref: 00416D72
GetProcAddress.KERNEL32(750F0000,00638890), ref: 00416D8B
GetProcAddress.KERNEL32(750F0000,00641960), ref: 00416DA3
GetProcAddress.KERNEL32(750F0000,006389A8), ref: 00416DBB
GetProcAddress.KERNEL32(750F0000,00641B50), ref: 00416DD4
GetProcAddress.KERNEL32(6E350000,00641B68), ref: 00416DF9
GetProcAddress.KERNEL32(6E350000,00641DC0), ref: 00416E11
GetProcAddress.KERNEL32(6E350000,00641880), ref: 00416E2A
GetProcAddress.KERNEL32(6E350000,00641A40), ref: 00416E42
GetProcAddress.KERNEL32(6E350000,00641A00), ref: 00416E5A
GetProcAddress.KERNEL32(6E350000,00641BF8), ref: 00416E73
GetProcAddress.KERNEL32(74E00000,00641B80), ref: 00416E94
GetProcAddress.KERNEL32(74E00000,00640780), ref: 00416EAC
GetProcAddress.KERNEL32(74E00000,00641B98), ref: 00416EC5
GetProcAddress.KERNEL32(75320000,00641A20), ref: 00416EE6
GetProcAddress.KERNEL32(75320000,00641DD8), ref: 00416EFE
GetProcAddress.KERNEL32(734B0000,006389D0), ref: 00416F24
GetProcAddress.KERNEL32(734B0000,00641740), ref: 00416F3C
GetProcAddress.KERNEL32(734B0000,00638778), ref: 00416F54
GetProcAddress.KERNEL32(734B0000,00641D00), ref: 00416F6D
GetProcAddress.KERNEL32(734B0000,00641C88), ref: 00416F85
GetProcAddress.KERNEL32(734B0000,00641A60), ref: 00416F9D
GetProcAddress.KERNEL32(734B0000,00641980), ref: 00416FB6
GetProcAddress.KERNEL32(734B0000,00641BB0), ref: 00416FCE
GetProcAddress.KERNEL32(763B0000,00641A80), ref: 00416FEF
GetProcAddress.KERNEL32(763B0000,006418A0), ref: 00417008
GetProcAddress.KERNEL32(6C970000,00641CA0), ref: 00417029

Strings

82c, xrefs: 00416410
x2c, xrefs: 00416503
84c, xrefs: 00416949
LocalFileTimeToFileTime, xrefs: 00416746
CreateDirectoryA, xrefs: 0041675D
83c, xrefs: 004166B9
SetFileTime, xrefs: 00416774
VirtualFree, xrefs: 00416719
HeapFree, xrefs: 00416730
x3c, xrefs: 00416565
Pd, xrefs: 004167AE
VirtualAlloc, xrefs: 00416702
8d, xrefs: 004161B0
x1c, xrefs: 00416471
X2c, xrefs: 004165DE
d, xrefs: 0041685E
x4c, xrefs: 00416961
hd, xrefs: 0041679C

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: 8d$82c$83c$84c$CreateDirectoryA$HeapFree$LocalFileTimeToFileTime$Pd$SetFileTime$VirtualAlloc$VirtualFree$X2c$hd$x1c$x2c$x3c$x4c$d
API String ID: 2238633743-1126843516
Opcode ID: 4127c667293775df54f1876db350caf547b38a27927ca02979437e70ee66dd5d
Instruction ID: 8eb7e19c8164c72cbab9789c7c48a41f6c0e623cd22c48f7556cd33e4d69ab79
Opcode Fuzzy Hash: 4127c667293775df54f1876db350caf547b38a27927ca02979437e70ee66dd5d
Instruction Fuzzy Hash: 389263B5B29500DFC374DFB9ED899663BB9BB8D30139086B9A505C3260DB34A543CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 43.8, APIs: 29, Instructions: 284
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004096D5
lstrcat.KERNEL32(?,0041E020), ref: 004096E7

Part of subcall function 00415570: GetSystemTime.KERNEL32(?,?,00000104), ref: 00415591

lstrcat.KERNEL32(?,00000000), ref: 004096FF
CopyFileA.KERNEL32(00000000,?,00000001), ref: 00409712
wsprintfA.USER32 ref: 0040973F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040978F
RtlAllocateHeap.NTDLL(00000000), ref: 00409796
StrCmpCA.SHLWAPI(?,00424380), ref: 00409842
lstrcat.KERNEL32(?,00640A90), ref: 00409869
lstrcat.KERNEL32(?,006409F0), ref: 0040988E
StrCmpCA.SHLWAPI(?,00424380), ref: 004098A0
lstrcat.KERNEL32(?,00640A90), ref: 004098C8
lstrcat.KERNEL32(?,006409F0), ref: 004098EE

Part of subcall function 00408B50: memset.MSVCRT ref: 00408BA2
Part of subcall function 00408B50: LocalAlloc.KERNEL32(00000040,?), ref: 00408BF1
Part of subcall function 00408B50: lstrcat.KERNEL32(?,00000000), ref: 00408C57

lstrcat.KERNEL32(?,00424380), ref: 0040991E
lstrcat.KERNEL32(?,?), ref: 00409932
lstrcat.KERNEL32(?,00426174), ref: 00409944
lstrcat.KERNEL32(?,?), ref: 00409958
lstrcat.KERNEL32(?,00426174), ref: 0040996A
lstrcat.KERNEL32(?,?), ref: 0040997E
lstrcat.KERNEL32(?,00426174), ref: 00409990
lstrcat.KERNEL32(?,?), ref: 004099A4
lstrcat.KERNEL32(?,00426174), ref: 004099B6
lstrcat.KERNEL32(?,?), ref: 004099CA
lstrcat.KERNEL32(?,00426174), ref: 004099DC
lstrcat.KERNEL32(?,?), ref: 004099F0
lstrcat.KERNEL32(?,00426174), ref: 00409A02
lstrcat.KERNEL32(?,00000000), ref: 00409A40
lstrcat.KERNEL32(?,00424364), ref: 00409A52
lstrlen.KERNEL32(?), ref: 00409A64

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocAllocateCopyCurrentDirectoryFileLocalProcessSystemTimelstrlenmemsetwsprintf
String ID:
API String ID: 2555937191-0
Opcode ID: bcd514cc07ecb503b092afc25f2111243135de20ddd005a522cc2abbd368e5dd
Instruction ID: c9c0fff2e26855e94337002c080598ee7becec32f2d50180de6dffc0731b29d1
Opcode Fuzzy Hash: bcd514cc07ecb503b092afc25f2111243135de20ddd005a522cc2abbd368e5dd
Instruction Fuzzy Hash: 58B193B5B54208ABDB20DBA4EC89FEA7778BF4C700F404599F70997251CA34AE42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 172
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(0041E022,00000000,00000000,00000000,00000000), ref: 00405DED
StrCmpCA.SHLWAPI(00000000,https://), ref: 00405E13
InternetSetOptionA.WININET(00000000,00000006,000927C0,00000004), ref: 00405E4D
InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 00405E73
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 00405E98
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,04C00100,00000000), ref: 00405ED3
HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,04400100,00000000), ref: 00405EFA
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405F47
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00405F63
StrCmpCA.SHLWAPI(?,200), ref: 00405F79
Sleep.KERNEL32(00007530), ref: 00405F94
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405FBC
lstrcat.KERNEL32(?,00000000), ref: 00405FF8
InternetCloseHandle.WININET(00000000), ref: 00406004
InternetCloseHandle.WININET(00000000), ref: 00406011
InternetCloseHandle.WININET(00000000), ref: 0040601E

Part of subcall function 00405450: memset.MSVCRT ref: 00405472
Part of subcall function 00405450: CryptStringToBinaryA.CRYPT32(?,00000000,00000000), ref: 0040549E
Part of subcall function 00405450: CryptStringToBinaryA.CRYPT32(?,00000000,00000000,00000000), ref: 004054C6

Strings

https://, xrefs: 00405E0A
200, xrefs: 00405F6D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Internet$Http$CloseHandleOpenRequest$BinaryConnectCryptString$FileInfoOptionQueryReadSendSleeplstrcatmemset
String ID: 200$https://
API String ID: 3903783505-2276523601
Opcode ID: 9bb6e36c99e6dba4b56d41e06422811138e1edd4c7623ece8c1e2051483216f7
Instruction ID: 679deb676c31b5dce34f6f14a56416fa0ac509e591f155cc90e94875074440ba
Opcode Fuzzy Hash: 9bb6e36c99e6dba4b56d41e06422811138e1edd4c7623ece8c1e2051483216f7
Instruction Fuzzy Hash: A0613070B44218AFEB24DF50CC45FDE77B5AB44705F1440A9F209BA1C0C7BA6A95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C830 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 522
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,000F423F,?,00408084,?,00000000,00000000,00000000,004279E8,?,?,?,?,?,?,?), ref: 0040C83A
RtlAllocateHeap.NTDLL(00000000,?,00408084), ref: 0040C841

Part of subcall function 0040C520: lstrcat.KERNEL32(?,00000000), ref: 0040C564
Part of subcall function 0040C520: lstrcat.KERNEL32(?,?), ref: 0040C589
Part of subcall function 0040C520: lstrcat.KERNEL32(?,00642000), ref: 0040C59D

Part of subcall function 0040C640: lstrcat.KERNEL32(?,00000000), ref: 0040C684
Part of subcall function 0040C640: lstrcat.KERNEL32(?,?), ref: 0040C6A9
Part of subcall function 0040C640: lstrcat.KERNEL32(?,00642000), ref: 0040C6BD

Part of subcall function 0040C750: lstrcat.KERNEL32(?,?), ref: 0040C797
Part of subcall function 0040C750: lstrcat.KERNEL32(?,?), ref: 0040C7AB
Part of subcall function 0040C750: lstrcat.KERNEL32(?,00641FB8), ref: 0040C7BF

Part of subcall function 004084E0: GetVersionExA.KERNEL32(00000094,?,00000094), ref: 0040850D
Part of subcall function 004084E0: LoadLibraryA.KERNEL32(00640C18), ref: 0040857A

lstrlen.KERNEL32(0F410020), ref: 0040CD7B

Part of subcall function 00408A70: FreeLibrary.KERNEL32(00000000,?,0040CDA9,00427B38,00000004), ref: 00408A79

Part of subcall function 00408A90: FreeLibrary.KERNEL32(00000000,?,0040CDAE,00427B38,00000004), ref: 00408A99

Strings

pwc, xrefs: 0040CCD2
` d, xrefs: 0040CD5A
H d, xrefs: 0040CCA7
Pd, xrefs: 0040CA7C
d, xrefs: 0040C92F
@d, xrefs: 0040CA57
`d, xrefs: 0040C99E
`uc, xrefs: 0040CBAA
pd, xrefs: 0040CAEB
p#d, xrefs: 0040CBC9
0 d, xrefs: 0040CC5D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Library$FreeHeap$AllocateLoadProcessVersionlstrlen
String ID: d$0 d$@d$H d$Pd$`d$` d$`uc$pd$p#d$pwc
API String ID: 527828796-1920102721
Opcode ID: e0b4947359724775d63140cb724910108cf02311603280ca08f7071459a7ff8f
Instruction ID: e0eea822365041bfd06ad8d356c145274640c3880f1686880aa2f22a1feb7c7a
Opcode Fuzzy Hash: e0b4947359724775d63140cb724910108cf02311603280ca08f7071459a7ff8f
Instruction Fuzzy Hash: A612D6B6304105BFCB14EF9DEC81D9B77AEAB8C304B44861CBA0CD7251E635E951CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407E90 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 208
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00415570: GetSystemTime.KERNEL32(?,?,00000104), ref: 00415591

lstrcat.KERNEL32(?,00000000), ref: 00407F08
lstrcat.KERNEL32(?,006408A0), ref: 00407F1C
lstrcat.KERNEL32(?,00640880), ref: 00407F2F
lstrcat.KERNEL32(?,www.msk-post.com), ref: 00407F43
lstrcat.KERNEL32(?,/request), ref: 00407F55

Part of subcall function 00405DC0: InternetOpenA.WININET(0041E022,00000000,00000000,00000000,00000000), ref: 00405DED
Part of subcall function 00405DC0: StrCmpCA.SHLWAPI(00000000,https://), ref: 00405E13
Part of subcall function 00405DC0: InternetSetOptionA.WININET(00000000,00000006,000927C0,00000004), ref: 00405E4D
Part of subcall function 00405DC0: InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 00405E73
Part of subcall function 00405DC0: HttpOpenRequestA.WININET(00000000,?,?,00000000,00000000,00000000,04C00100,00000000), ref: 00405ED3
Part of subcall function 00405DC0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00405F47
Part of subcall function 00405DC0: HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00405F63
Part of subcall function 00405DC0: StrCmpCA.SHLWAPI(?,200), ref: 00405F79

lstrcat.KERNEL32(?,00000000), ref: 00407F86

Part of subcall function 00407B00: lstrcat.KERNEL32(?,?), ref: 00407B74

Part of subcall function 00406040: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040605A
Part of subcall function 00406040: RtlAllocateHeap.NTDLL(00000000), ref: 00406061
Part of subcall function 00406040: InternetOpenA.WININET(0041E022,00000000,00000000,00000000,00000000), ref: 0040607A
Part of subcall function 00406040: InternetSetOptionA.WININET(?,00000002,000927C0,00000004), ref: 0040609C
Part of subcall function 00406040: InternetOpenUrlA.WININET(?,000927C0,00000000,00000000,04000100,00000000), ref: 004060B8
Part of subcall function 00406040: InternetReadFile.WININET(?,?,00000400,00000000), ref: 004060E8
Part of subcall function 00406040: InternetCloseHandle.WININET(?), ref: 0040615C
Part of subcall function 00406040: InternetCloseHandle.WININET(?), ref: 00406169

Part of subcall function 00406D50: GetProcessHeap.KERNEL32(00000000,?), ref: 00406D8B
Part of subcall function 00406D50: RtlAllocateHeap.NTDLL(00000000), ref: 00406D92

Part of subcall function 0040C830: GetProcessHeap.KERNEL32(00000000,000F423F,?,00408084,?,00000000,00000000,00000000,004279E8,?,?,?,?,?,?,?), ref: 0040C83A
Part of subcall function 0040C830: RtlAllocateHeap.NTDLL(00000000,?,00408084), ref: 0040C841

Part of subcall function 00406EC0: GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406ECB
Part of subcall function 00406EC0: RtlAllocateHeap.NTDLL(00000000), ref: 00406ED2
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00640840), ref: 00406EE5
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00640860), ref: 00406EF6
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424360), ref: 00406F05
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00640710), ref: 00406F16
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424364), ref: 00406F25
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00633598), ref: 00406F36
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424360), ref: 00406F45
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,0063F0F0), ref: 00406F56
Part of subcall function 00406EC0: GetCurrentProcessId.KERNEL32 ref: 00406F5C
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00000000), ref: 00406F70
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424360), ref: 00406F7F
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,0063F108), ref: 00406F8F
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00000000), ref: 00406F9F
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424364), ref: 00406FAE
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,0063F360), ref: 00406FBF
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00000000), ref: 00406FCF
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424360), ref: 00406FDE
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00633658), ref: 00406FEF
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00000000), ref: 00406FFF
Part of subcall function 00406EC0: lstrcat.KERNEL32(?,00424364), ref: 0040700E

lstrcat.KERNEL32(?,00000000), ref: 00408126
SetCurrentDirectoryA.KERNEL32(00641F28,?,?,?,?,?,00001388), ref: 00408132
lstrlen.KERNEL32(?,?,?,?,?,?,00001388), ref: 0040813F

Strings

www.msk-post.com, xrefs: 00407F3B, 00407F6E, 0040810E
/server/init.php, xrefs: 00407F67, 00408108
/request, xrefs: 00407F49

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Internet$Heap$Process$AllocateOpen$Http$CloseCurrentHandleOptionRequest$ConnectDirectoryFileInfoQueryReadSendSystemTimelstrlen
String ID: /request$/server/init.php$www.msk-post.com
API String ID: 1704516257-3656026252
Opcode ID: 5bd319db14882d83ed6a233838c20bb0bf7b2cbccf6f640c5a3534b8f7c6ffa3
Instruction ID: 3923c68d49566366047f4cb172509d9ece2a4026cdf374faa94ab56f1b15c792
Opcode Fuzzy Hash: 5bd319db14882d83ed6a233838c20bb0bf7b2cbccf6f640c5a3534b8f7c6ffa3
Instruction Fuzzy Hash: 2881BBB1E0C7189BD720EBA4DC42DDA73B8EB48744F4045DAF60DA3151DA78BA85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00408CA0 Relevance: 9.1, APIs: 6, Instructions: 77
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00408FD0,00000000,?), ref: 00408CC7
GetFileSizeEx.KERNEL32(000000FF,00408FD0,?,00408FD0,00000000,?), ref: 00408CEC
LocalAlloc.KERNEL32(00000040,?,?,00408FD0), ref: 00408D0C
ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000,?,00408FD0), ref: 00408D35
LocalFree.KERNEL32(?), ref: 00408D6B
CloseHandle.KERNEL32(000000FF,?,00408FD0,00000000,?), ref: 00408D75

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 35652f40537f9422ffbcaa718799926fc1efe604a662dc720b90ab7eb5a9b7f7
Instruction ID: 43a6cb6f2bd18409adca513c70d3a8205c013a48d9af5ab5e9c8944a3751275d
Opcode Fuzzy Hash: 35652f40537f9422ffbcaa718799926fc1efe604a662dc720b90ab7eb5a9b7f7
Instruction Fuzzy Hash: E931E978A00208EFDB14CF94C885FAEB7B5BF48310F108269E915AB3D0DB78AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new[].LIBCMTD ref: 0041D3BB
codecvt.LIBCPMTD ref: 0041D423

Part of subcall function 0041B6E0: new[].LIBCMTD ref: 0041B7B4

new[].LIBCMTD ref: 0041D43A

Strings

iy@, xrefs: 0041D3EA, 0041D3ED

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: new[]$codecvt
String ID: iy@
API String ID: 1685477457-812034706
Opcode ID: f782b7c591e8816ee1cd2e697ed8366adac292104e869370d7becc1d7ea8ebe5
Instruction ID: dd169eef3b9a7bde6b154550b10b6fecda094ae9b689366f732bc00e34824b1c
Opcode Fuzzy Hash: f782b7c591e8816ee1cd2e697ed8366adac292104e869370d7becc1d7ea8ebe5
Instruction Fuzzy Hash: 1221F9B4E04209EFDB04DF99D945BEEB7B4BF48304F10846AE815A7381D7786A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,004071A9), ref: 0040CDBD
RtlAllocateHeap.NTDLL(00000000,?,004071A9), ref: 0040CDC4
GetComputerNameA.KERNEL32(004071A9,00000104), ref: 0040CDDC

Strings

(aB, xrefs: 0040CDE6

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID: (aB
API String ID: 1664310425-757838864
Opcode ID: 8a5eba42db218dad72567e0e93fb518acdd2add4e3c70a7cb854c270979866f4
Instruction ID: bf06a9cf245591e35f813372dec64ee410a3f49e7377ab1399346fba8584c7d6
Opcode Fuzzy Hash: 8a5eba42db218dad72567e0e93fb518acdd2add4e3c70a7cb854c270979866f4
Instruction Fuzzy Hash: 32E01274B05208EBCB50EBE4DC49A9D7BB8AF04301F5041B6A905E3280D6749A459755

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8A0 Relevance: 6.2, APIs: 4, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 0041B914

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: fe2290d7a92f8f2356a0a8a192d0d0cce95a642e1ebd005e3fc4da80837a5c73
Instruction ID: 38882d6d445430547a04ca30abb35772a34f6d5575e6278d71e43dd76cd6c95d
Opcode Fuzzy Hash: fe2290d7a92f8f2356a0a8a192d0d0cce95a642e1ebd005e3fc4da80837a5c73
Instruction Fuzzy Hash: D661FFB4A0020ADFDB14CF54C944BAEBBB1FF44315F208259E9556B381C379EE82DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408FB0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 00408CA0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00408FD0,00000000,?), ref: 00408CC7
Part of subcall function 00408CA0: GetFileSizeEx.KERNEL32(000000FF,00408FD0,?,00408FD0,00000000,?), ref: 00408CEC
Part of subcall function 00408CA0: LocalAlloc.KERNEL32(00000040,?,?,00408FD0), ref: 00408D0C
Part of subcall function 00408CA0: ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000,?,00408FD0), ref: 00408D35
Part of subcall function 00408CA0: LocalFree.KERNEL32(?), ref: 00408D6B
Part of subcall function 00408CA0: CloseHandle.KERNEL32(000000FF,?,00408FD0,00000000,?), ref: 00408D75

Part of subcall function 004157C0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 004157E2

StrStrA.SHLWAPI(00000000,00641D48), ref: 00409003

Part of subcall function 00408D90: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00409046,00000000,00000000), ref: 00408DBF
Part of subcall function 00408D90: LocalAlloc.KERNEL32(00000040,?,?,00409046,?,?), ref: 00408DD1
Part of subcall function 00408D90: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00409046,00000000,00000000), ref: 00408DFA
Part of subcall function 00408D90: LocalFree.KERNEL32(?,?,?,00409046,?,?), ref: 00408E0F

Part of subcall function 00408E30: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00408E54
Part of subcall function 00408E30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00408E73
Part of subcall function 00408E30: LocalFree.KERNEL32(?), ref: 00408E9F

Strings

, xrefs: 00409088
DPAPI, xrefs: 00409058

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotect
String ID: $DPAPI
API String ID: 2403763606-1819349886
Opcode ID: 06409c0cb693fe82c50069c37aa1b870aaffceba4f765b00f9312af5454c6984
Instruction ID: bd0ab7ce8706d04c74c87ff698db27a980c885e2b2b5274e7d28004fe5de3f68
Opcode Fuzzy Hash: 06409c0cb693fe82c50069c37aa1b870aaffceba4f765b00f9312af5454c6984
Instruction Fuzzy Hash: BA315472E00109EBCF04DBD9DD45AEFB7B8AF48304F44452AE514B7241E7399945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000), ref: 0040106A
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401071
ExitProcess.KERNEL32 ref: 00401082

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 2f2f6448f1df7d539b6e3c6b54b464e8aca519d369cb53da8d444ecd59e4e74c
Instruction ID: e2a76f80ea3eb91f444398b27a42454653ee06ed4a01878baf1112f757854ca5
Opcode Fuzzy Hash: 2f2f6448f1df7d539b6e3c6b54b464e8aca519d369cb53da8d444ecd59e4e74c
Instruction Fuzzy Hash: 8EE08670649308FBE7209F90DC0AB5D7B78DB04702F504055FA08A72D0C6B45A408658

Uniqueness

Uniqueness Score: -1.00%

Function 0040C520 Relevance: 3.8, APIs: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154C0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000,00000004,?,00401241,?,0000001A,?,00000104), ref: 004154E4

lstrcat.KERNEL32(?,00000000), ref: 0040C564
lstrcat.KERNEL32(?,?), ref: 0040C589
lstrcat.KERNEL32(?,00642000), ref: 0040C59D

Part of subcall function 00415830: GetFileAttributesA.KERNEL32(?,?,?,0040C5AF,?), ref: 0041583A

Part of subcall function 00408FB0: StrStrA.SHLWAPI(00000000,00641D48), ref: 00409003

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$AttributesFileFolderPath
String ID:
API String ID: 4178457443-0
Opcode ID: f13d2c4ee6798f8473bc86e3cee523bb72dbb16d8a8e6f85dd197734427d5c41
Instruction ID: 93ffafb7bcee43dc01a48b0a72393c8c9d3f321ed0ef6302a1a4be8f8439a2f5
Opcode Fuzzy Hash: f13d2c4ee6798f8473bc86e3cee523bb72dbb16d8a8e6f85dd197734427d5c41
Instruction Fuzzy Hash: A43140B691010CABCB14DFD0DC85EDF737CAB58304F44469EF619A3141EA74AB89CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406D50 Relevance: 3.1, APIs: 2, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 00406D8B
RtlAllocateHeap.NTDLL(00000000), ref: 00406D92

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: e7b9e66eb09baa68e60bc7c00af0f1febd6e4e87c505d9d7c7d141680fb33c7f
Instruction ID: 12a5c5a528a3b664befe30bbc6c9e0bb4d0b573179cff21b71645941a3c3e32e
Opcode Fuzzy Hash: e7b9e66eb09baa68e60bc7c00af0f1febd6e4e87c505d9d7c7d141680fb33c7f
Instruction Fuzzy Hash: E8112EB5E04208EBDB15DF94DC85EEEB7B8EB8C300F50819AF50993350D634AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 3.0, APIs: 2, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0040840D
GetLastError.KERNEL32 ref: 00408413

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 25044f59edcb9d7c51bb9c9642b947a328581904cb010a729d63e1a018f08f8c
Instruction ID: 74d95d21ab6ca868e3189d218aa541c470b10a154f08ac70ad56c32397da9081
Opcode Fuzzy Hash: 25044f59edcb9d7c51bb9c9642b947a328581904cb010a729d63e1a018f08f8c
Instruction Fuzzy Hash: 46D0C93035C3059BE27017A5ED46B263698A704701F900471FA09D52D1DA64AC42861D

Uniqueness

Uniqueness Score: -1.00%

Function 00415320 Relevance: 3.0, APIs: 2, Instructions: 10memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0041D182,?,0041521D,0041D182,00000009,?,0041D182,00000009), ref: 00415329
RtlAllocateHeap.NTDLL(00000000,?,0041521D), ref: 00415330

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 1dfeaac1f871586b16badceaf8a9ab81b54ad5fd1f02c7b0465d2ea11571827a
Instruction ID: b0a40eeb6b18060db6d5a8bab38dd71b1a39c1824372b67338d3958593814577
Opcode Fuzzy Hash: 1dfeaac1f871586b16badceaf8a9ab81b54ad5fd1f02c7b0465d2ea11571827a
Instruction Fuzzy Hash: AFC09B75255308EBDA105BD8FC0DDB5777CEF48701F408451B60DC7151CA74A4054765

Uniqueness

Uniqueness Score: -1.00%

Function 00408430 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6615ec5350fa1574e8d5a6aabed2ced65994467411603908d19a89f3482233
Instruction ID: 106b7eb49ce1f79887e661d2b1309b1d5024e2c053f011220697e3f193c18dca
Opcode Fuzzy Hash: fe6615ec5350fa1574e8d5a6aabed2ced65994467411603908d19a89f3482233
Instruction Fuzzy Hash: 5811A2319052428BC7207BAA5A45A7B36A49F91319F48007FB5847A3E3FE7CDC41862E

Uniqueness

Uniqueness Score: -1.00%

Function 004154C0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000,00000004,?,00401241,?,0000001A,?,00000104), ref: 004154E4

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: c00269ac1c9320ddb0786add27427139699aeca6a6aea1064bc8da0645ebd830
Instruction ID: 0686c6b575fbc4c5f770f28ec79b82b371577c49263f6f2823890fdc4aae0019
Opcode Fuzzy Hash: c00269ac1c9320ddb0786add27427139699aeca6a6aea1064bc8da0645ebd830
Instruction Fuzzy Hash: D3E01270384708B7FA109A99DC47FE73758ABC1B55F50801AFB094F1C1C5B5F58157A9

Uniqueness

Uniqueness Score: -1.00%

Function 00415830 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040C5AF,?), ref: 0041583A

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a3b3cf20f65ae63635a850a0e47546eb926f1150c27cc77f3892f99edd6886bc
Instruction ID: dd602c9d1bc022186ea1703581878b4551b1ddae5f295a5d62943b2910dc0360
Opcode Fuzzy Hash: a3b3cf20f65ae63635a850a0e47546eb926f1150c27cc77f3892f99edd6886bc
Instruction Fuzzy Hash: 2EE08630D1470CEBCB10EFA4C4586DDBB74EB41322F104299D81557380D7745AE68B45

Uniqueness

Uniqueness Score: -1.00%

Function 004157C0 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 004157E2

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 45910e2c88dadaba42223e1f026bde3fe4e3ecfae9a658a199681f750d6411e4
Instruction ID: 330da728918c19813fa16a4802d68721c2d1e924a2ce6c163323b57813af7c4f
Opcode Fuzzy Hash: 45910e2c88dadaba42223e1f026bde3fe4e3ecfae9a658a199681f750d6411e4
Instruction Fuzzy Hash: 6101F634905208EFCB04EF98C585BEDBBB1EF44308F24809AE9156B380D3786E94DF59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004084E0 Relevance: 56.3, APIs: 29, Strings: 3, Instructions: 277libraryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094,?,00000094), ref: 0040850D
LoadLibraryA.KERNEL32(00640C18), ref: 0040857A

Strings

`d, xrefs: 004086A4
Pd, xrefs: 00408773, 00408838
d, xrefs: 00408701, 004087AF

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: Pd$`d$d
API String ID: 3209957514-2860892737
Opcode ID: 6b2602232431dd091abff144e650373e77e2666ef99f830984b10699fed7e2d2
Instruction ID: 67f81b4d40c1b3044521e4ea7d4e169c43d11e1686ae453db14e0d2b3c2e6bd3
Opcode Fuzzy Hash: 6b2602232431dd091abff144e650373e77e2666ef99f830984b10699fed7e2d2
Instruction Fuzzy Hash: 1EC163B1705218EFDB64DF60DC49FAA7778AB48704F504599F209A72D0CB74AA82CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00407620 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 215filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040763D
FindFirstFileA.KERNEL32(?,?), ref: 00407654
lstrcat.KERNEL32(?,?), ref: 0040767C
StrCmpCA.SHLWAPI(?,0041E018), ref: 0040769C
StrCmpCA.SHLWAPI(?,0041E01C), ref: 004076B2
FindNextFileA.KERNEL32(000000FF,?), ref: 004078F1
FindClose.KERNEL32(000000FF), ref: 00407906

Strings

%s\%s, xrefs: 004076CC, 00407723, 0040774B
%s\%s\%s, xrefs: 00407771
%s\*, xrefs: 00407631

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-1426491737
Opcode ID: 8b7904cc8cf995a0fc4c5936f81c1d93a305e874ecb7e092cb2c9386b41175f6
Instruction ID: d5e68599ec9b7dd1ef4d076bf8cfbde1809a0062783df1c4ac300db6ace638d5
Opcode Fuzzy Hash: 8b7904cc8cf995a0fc4c5936f81c1d93a305e874ecb7e092cb2c9386b41175f6
Instruction Fuzzy Hash: 8581B776E04218EFCB20DFA4DC44DEA77B8AF48341F4486EDF50A96180E774AA85CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00401280 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00401299
FindFirstFileA.KERNEL32(?,?), ref: 004012B0
StrCmpCA.SHLWAPI(?,0041E018), ref: 004012D6
StrCmpCA.SHLWAPI(?,0041E01C), ref: 004012EC
FindNextFileA.KERNEL32(000000FF,?), ref: 0040144B
FindClose.KERNEL32(000000FF), ref: 00401460

Strings

%s\%s, xrefs: 00401306, 00401357
%s\*, xrefs: 0040128D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\*
API String ID: 180737720-2848263008
Opcode ID: b71b3b9c2fbc3f1fb74e1b40fdcf3ce34b16c268fbf7763e2dc6476078265598
Instruction ID: 17c527e940408ba04402eb3d12d80cfbf3f4072e6357ea9421dd19e910970668
Opcode Fuzzy Hash: b71b3b9c2fbc3f1fb74e1b40fdcf3ce34b16c268fbf7763e2dc6476078265598
Instruction Fuzzy Hash: 97519776A04218ABCB20DFA0DC88EEA777CBF48705F4045D9F609A2150EB75EB85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3A0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040B3B9
FindFirstFileA.KERNEL32(?,?), ref: 0040B3D0
StrCmpCA.SHLWAPI(?,0041E018), ref: 0040B3F6
StrCmpCA.SHLWAPI(?,0041E01C), ref: 0040B40C
FindNextFileA.KERNEL32(000000FF,?), ref: 0040B550
FindClose.KERNEL32(000000FF), ref: 0040B565

Strings

%s\*, xrefs: 0040B3AD

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*
API String ID: 180737720-766152087
Opcode ID: 564e9bcb1d2be1ca8924144d2eb44db9fefd9ddf79c10aa8958a935747ad8e5c
Instruction ID: ba497863ba9781f06dcd61d997bcf794528373ee1f4e3f006446a13c2d80ed42
Opcode Fuzzy Hash: 564e9bcb1d2be1ca8924144d2eb44db9fefd9ddf79c10aa8958a935747ad8e5c
Instruction Fuzzy Hash: 604186B651421CABCB20DFA0DC88EEA7778AF4C705F40499AF60992150EB74EB85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B110 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 213fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040B129
FindFirstFileA.KERNEL32(?,?), ref: 0040B140
StrCmpCA.SHLWAPI(?,0041E018), ref: 0040B166
StrCmpCA.SHLWAPI(?,0041E01C), ref: 0040B17C
FindNextFileA.KERNEL32(000000FF,?), ref: 0040B37A
FindClose.KERNEL32(000000FF), ref: 0040B38F

Strings

%s\%s, xrefs: 0040B196
"A, xrefs: 0040B346, 0040B30F, 0040B2A8, 0040B1E1, 0040B1E4, 0040B2AB, 0040B312, 0040B349
%s\*, xrefs: 0040B11D
"A, xrefs: 0040B249

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: "A$"A$%s\%s$%s\*
API String ID: 180737720-4024006144
Opcode ID: b7d911bdea610c96cfcf1b063eacbc389e8d51fe43459d6f334c648f73aa171c
Instruction ID: 0537ff777c1b16e17f28cbbb8bd09bf60b9c5a5b567f07de14c5f370be79953b
Opcode Fuzzy Hash: b7d911bdea610c96cfcf1b063eacbc389e8d51fe43459d6f334c648f73aa171c
Instruction Fuzzy Hash: EC8121B2600109ABCB14DF94DC85EEB73BDEF8C700F448599B909A7250D734EA95CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B570 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 183fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040B589
FindFirstFileA.KERNEL32(?,?), ref: 0040B5A0
StrCmpCA.SHLWAPI(?,0041E018), ref: 0040B5C6
StrCmpCA.SHLWAPI(?,0041E01C), ref: 0040B5DC
FindNextFileA.KERNEL32(000000FF,?), ref: 0040B7C8
FindClose.KERNEL32(000000FF), ref: 0040B7DD

Strings

%s\*.*, xrefs: 0040B57D
p3d, xrefs: 0040B617, 0040B65A, 0040B69E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*$p3d
API String ID: 180737720-2572557314
Opcode ID: f6172c6f93bf437cc6a456cc15e7c78c834e2f2fa3ae7553edb0ec5622e3056c
Instruction ID: 0c5b57f6ca0e89b648b9c2f215933e6beb05ec9c0554900d92c2b201160839ad
Opcode Fuzzy Hash: f6172c6f93bf437cc6a456cc15e7c78c834e2f2fa3ae7553edb0ec5622e3056c
Instruction Fuzzy Hash: 036165B2904118ABCB24EFA4DC85EDB737CAB88304F4445D9F61993140EB75EA85CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401090 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(?), ref: 0040109D
wsprintfA.USER32 ref: 004010B7
FindFirstFileA.KERNEL32(?,?), ref: 004010CE
StrCmpCA.SHLWAPI(?,0041E018), ref: 004010F4
StrCmpCA.SHLWAPI(?,0041E01C), ref: 0040110A
FindNextFileA.KERNEL32(000000FF,?), ref: 004011D3
FindClose.KERNEL32(000000FF), ref: 004011E8

Strings

%s\%s, xrefs: 004010AB

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNextwsprintf
String ID: %s\%s
API String ID: 2809309208-4073750446
Opcode ID: cd1b645a7ce9019228b37189c7b9a998ab11b5b73c629beef763cb6a9b7b3cab
Instruction ID: 94bb1ce43c05b88fbbbe044d600c5004858b5ef4346eaec15469cfff31cebcf0
Opcode Fuzzy Hash: cd1b645a7ce9019228b37189c7b9a998ab11b5b73c629beef763cb6a9b7b3cab
Instruction Fuzzy Hash: 2C3165B561421CABCB24DFA0DC88EEA777CAF48705F40859AF609A2150DB74AA85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF60 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000001F4), ref: 0040CF70
RtlAllocateHeap.NTDLL(00000000), ref: 0040CF77
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040CF98
LocalAlloc.KERNEL32(00000040,?), ref: 0040CFB0
GetKeyboardLayoutList.USER32(?,00000000), ref: 0040CFC4
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0040D019
wsprintfA.USER32 ref: 0040D042
wsprintfA.USER32 ref: 0040D060
memset.NTDLL ref: 0040D086
LocalFree.KERNEL32(00000000), ref: 0040D09B

Strings

%s / %s, xrefs: 0040D036

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: HeapKeyboardLayoutListLocalwsprintf$AllocAllocateFreeInfoLocaleProcessmemset
String ID: %s / %s
API String ID: 1833916909-2910687431
Opcode ID: d0427959ed9cdc98d4626f36b64afacc399243ef615fe91ec365a089fb3d05f9
Instruction ID: 2227278bc08be1326965964837ca61b0a9bdb6d77ed2c5d60e555248cda74ba9
Opcode Fuzzy Hash: d0427959ed9cdc98d4626f36b64afacc399243ef615fe91ec365a089fb3d05f9
Instruction Fuzzy Hash: B7316BB0A4421CDFDB60CB64CC8DBE9B7B5AB44305F5042E5E509A6291CB746E81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004090C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0040AD4D,00000001,?,00001FA0,00000000,00000000,?,00001FA0), ref: 0040910B
CryptStringToBinaryA.CRYPT32(0040AD4D,00000000), ref: 00409116
lstrcat.KERNEL32(?,0041E022), ref: 004091D9
lstrcat.KERNEL32(?,0041E022), ref: 004091ED
lstrcat.KERNEL32("A,0041E022), ref: 0040920E

Strings

"A, xrefs: 00409207, 0040920D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlen
String ID: "A
API String ID: 189259977-1838006985
Opcode ID: a38b9a01ecf1e28ae9513eb1c0902231c5b1d162e15d2e31672c8f8bec630086
Instruction ID: c38add5056afc5b69151d44f026debcc24e778767e88e9930c808c21dab334d2
Opcode Fuzzy Hash: a38b9a01ecf1e28ae9513eb1c0902231c5b1d162e15d2e31672c8f8bec630086
Instruction Fuzzy Hash: 7C416074A0421E9BDB20CF90DC89BEEB7B8BB48304F5045BAE509A7281C7745E85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00406F9A), ref: 0040CE4D
RtlAllocateHeap.NTDLL(00000000), ref: 0040CE54
GetLocalTime.KERNEL32(?,?,?,?,?,00406F9A), ref: 0040CE61
wsprintfA.USER32 ref: 0040CE8E

Strings

%d/%d/%d %d:%d:%d, xrefs: 0040CE85

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID: %d/%d/%d %d:%d:%d
API String ID: 377395780-1073349071
Opcode ID: 8e3c8461f43e9fc37eb95725edbaa4cb19ea77f2e536d38f60eeee69752cd959
Instruction ID: 64412eecdfd3b7c8abc34b5be196dfeefa3dd9205ff439fe9cf8759ea2430f32
Opcode Fuzzy Hash: 8e3c8461f43e9fc37eb95725edbaa4cb19ea77f2e536d38f60eeee69752cd959
Instruction Fuzzy Hash: 25F090B6A04118BBCB20DFE9DD049BFB7BCEF0CB02F40059AFA45A2180E6385640C775

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040CEB0
RtlAllocateHeap.NTDLL(00000000), ref: 0040CEB7
GetTimeZoneInformation.KERNEL32(?), ref: 0040CECA
wsprintfA.USER32 ref: 0040CF04

Strings

UTC%d, xrefs: 0040CEF8

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: UTC%d
API String ID: 3317088062-2723047788
Opcode ID: dc5bb9a7679d6e4315c98f8b03b11f42f06f8d872ea9c03fbdf5864bffb6dab1
Instruction ID: 9921714870e8fc64bbe7d1a9da3834f9577dd8da6693cca753ada89f472b263a
Opcode Fuzzy Hash: dc5bb9a7679d6e4315c98f8b03b11f42f06f8d872ea9c03fbdf5864bffb6dab1
Instruction Fuzzy Hash: D6F06270A08318DBDB209B60DC49BA5777AEB44301F0002E5EA09A32D1D7745E45CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00405450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405472
CryptStringToBinaryA.CRYPT32(?,00000000,00000000), ref: 0040549E
CryptStringToBinaryA.CRYPT32(?,00000000,00000000,00000000), ref: 004054C6

Strings

UNK, xrefs: 004054DA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: BinaryCryptString$memset
String ID: UNK
API String ID: 1505698593-448974810
Opcode ID: d73c9663e45b2355a78448b83ac543adfda1c4db4625969ca71dc25fd8672f6b
Instruction ID: d358e8765424a1ac149e2585869abb6d173eecaa4fcb11bd6df096d6d18c0c1f
Opcode Fuzzy Hash: d73c9663e45b2355a78448b83ac543adfda1c4db4625969ca71dc25fd8672f6b
Instruction Fuzzy Hash: 2901B9F2A40208B7D710EB94CC46FDA336CBB44705F500155B709AB1C1DAF8EA848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00408D90 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00409046,00000000,00000000), ref: 00408DBF
LocalAlloc.KERNEL32(00000040,?,?,00409046,?,?), ref: 00408DD1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00409046,00000000,00000000), ref: 00408DFA
LocalFree.KERNEL32(?,?,?,00409046,?,?), ref: 00408E0F

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: ffc0d4cd1c42ba5d101fdc421fe0c941d35c6c1967d56d71fe4c83a0568b2840
Instruction ID: c9e8ff4f33d8c4bb646b102b03be7e700ea5c1bbf17f30fd4e5536ccb0845a45
Opcode Fuzzy Hash: ffc0d4cd1c42ba5d101fdc421fe0c941d35c6c1967d56d71fe4c83a0568b2840
Instruction Fuzzy Hash: 48119074245208EFEB10CF64CC95FAA77B5EB89710F208069F9159B3D0CBB5A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE00 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,004071D9), ref: 0040CE0D
RtlAllocateHeap.NTDLL(00000000,?,004071D9), ref: 0040CE14
GetUserNameA.ADVAPI32(?,00000104), ref: 0040CE2C

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: 506a65bbd6feb9fcaba13327a9a1576322b9845d55f791d04a21e99e88771e4d
Instruction ID: 6fe56344e83e9d47807c2233a6a4f7254b388369c07bbda35f6da300730b4f65
Opcode Fuzzy Hash: 506a65bbd6feb9fcaba13327a9a1576322b9845d55f791d04a21e99e88771e4d
Instruction Fuzzy Hash: 82E086B4A45208FBCB10DFE4DC49A9CBBB8EB08301F400095FA08D3240D67056458B50

Uniqueness

Uniqueness Score: -1.00%

Function 0041A790 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

K, xrefs: 0041A7AA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: dae5ba50be3c3c9ee8a16c44b0bdf00f65f3f1d89f0a67d367ab1ec435eadd8d
Instruction ID: 7f164e6aedfa18502b3e18c69e286aa907d0971df880bf79d14c75687fca51a8
Opcode Fuzzy Hash: dae5ba50be3c3c9ee8a16c44b0bdf00f65f3f1d89f0a67d367ab1ec435eadd8d
Instruction Fuzzy Hash: 20324B71600249AFCB04CF98C895EEE7B75FF88300F088568F9199F282D675E768CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A190 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

K, xrefs: 0041A1AA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: f7fda5c21919957eed4afc150e44e2e3bbff529e3f1527ef4cd54c9effc95176
Instruction ID: a4b951cda427b3b4279cf46067f854664b040a6a827d9e02e33e392da6c2223e
Opcode Fuzzy Hash: f7fda5c21919957eed4afc150e44e2e3bbff529e3f1527ef4cd54c9effc95176
Instruction Fuzzy Hash: 96E14B31A00249AFCB04CF98C895EEE7B75EF88310F08C568F9199F281D675E768CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB0 Relevance: 1.6, APIs: 1, Instructions: 60encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00415320: GetProcessHeap.KERNEL32(00000008,0041D182,?,0041521D,0041D182,00000009,?,0041D182,00000009), ref: 00415329
Part of subcall function 00415320: RtlAllocateHeap.NTDLL(00000000,?,0041521D), ref: 00415330

CryptUnprotectData.CRYPT32(00000003,00000000,00000000,00000000,00000000,00000000,?), ref: 00408B03

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCryptDataProcessUnprotect
String ID:
API String ID: 976466151-0
Opcode ID: d5a6f5ac193c96381ce9ba48371faceb397b23e3c14679d462fcd48d0a74fa6b
Instruction ID: b6e6bd72c58c5a94bde39ec5527d43961122a6a7a6cd869957d6b653f8adebb9
Opcode Fuzzy Hash: d5a6f5ac193c96381ce9ba48371faceb397b23e3c14679d462fcd48d0a74fa6b
Instruction Fuzzy Hash: 75111FB5E00109EFCF00DFD9D981AEFBBB5AF48304F50815AE915AB341D638AA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5A0 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

K, xrefs: 0041A5BA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 62473e297bb5ec01075fe4acbb71b04f966505f4938570131b8b15e906ca59eb
Instruction ID: c5772c323a1c83001666a7efc2b69fb8fb9ae89694c9be265d6ad22ef18bdc1e
Opcode Fuzzy Hash: 62473e297bb5ec01075fe4acbb71b04f966505f4938570131b8b15e906ca59eb
Instruction Fuzzy Hash: D5714A35510249BFCB04CF98C895FEE7B75EF88300F0885A8F9199B281D275D768CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004107B0 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f6454d8f21035472cd0166228bbaeee94c83bee8fe98e772fe3beeea159754
Instruction ID: 0436d809b1fdcc12678d7e2aebee40f62b8976726c474466a77e5640367edc9e
Opcode Fuzzy Hash: 49f6454d8f21035472cd0166228bbaeee94c83bee8fe98e772fe3beeea159754
Instruction Fuzzy Hash: B86283B4E0520ACFCB08CF98D5909EEFBB1FF89314B24815AD815A7355D734A992CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B020 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b2ac6daaaf8efe47999263862d2614643f4f519a2830677550a5ebceffa03b
Instruction ID: f82a7e41094112ae5ea25c1ff6280ed636b04f6c8aedcc8cafc791a025dae8dc
Opcode Fuzzy Hash: 42b2ac6daaaf8efe47999263862d2614643f4f519a2830677550a5ebceffa03b
Instruction Fuzzy Hash: 1C51F830514189AFCB44CF29D890AA93BA2FF89395F14C16AFE698F245D334E791DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00410F00 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8998eb1597ae878527a98e431acb9d23a034760ddab643fb47d5d7a019106b3f
Instruction ID: cdd364028090b232151e3178658768490541128d7431bcdb6fd60dc8fa915c9c
Opcode Fuzzy Hash: 8998eb1597ae878527a98e431acb9d23a034760ddab643fb47d5d7a019106b3f
Instruction Fuzzy Hash: 29511A30514189AFCB44CF29D890AA93BA2FF89355F54C12AFD298F259C335E791DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00415E60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Uniqueness

Uniqueness Score: -1.00%

Function 0043C0B2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906fcaa74242ed5fddd8acc2c60bb9815f767357ab31a45f12828494068121cf
Instruction ID: 1226eeba3657af6f1000414a36279a25d95b641c8c1c2d5df832d3336d4e802f
Opcode Fuzzy Hash: 906fcaa74242ed5fddd8acc2c60bb9815f767357ab31a45f12828494068121cf
Instruction Fuzzy Hash: 2CC08C3A111384CFC219EF28D684D01B3F8FB08720F024092E8105B722C638FC008A54

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: e062db63554d41186879899b2a29d86d0d446b4106035f511935d59846ebc158
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: FEB092606124C04BEB2283248419B0276E1A740B06F8984E0A04582D92C66C8A84A104

Uniqueness

Uniqueness Score: -1.00%

Function 0043C04C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5867ba9a160f594e610dc532126f8ef2ecd91235c5eea0740721df5042c71059
Instruction ID: 2e299ba77ea79a3d7c3a913186f9219b7709f65f7e0a67e88f42b773649ad750
Opcode Fuzzy Hash: 5867ba9a160f594e610dc532126f8ef2ecd91235c5eea0740721df5042c71059
Instruction Fuzzy Hash: 67C09279221680CFC30ADF08C184E00B7F0FF08B20F1644E1E800AB722C238FC00CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00405800 Relevance: 114.1, APIs: 56, Strings: 9, Instructions: 371stringnetworkmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00800000,?,00000200,?,000001F4,?,00000000,00001388), ref: 0040584A
RtlAllocateHeap.NTDLL(00000000), ref: 00405851
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405878
InternetSetOptionA.WININET(?,00000002,000927C0,00000004), ref: 0040589A
StrCmpCA.SHLWAPI(?,https://), ref: 004058BD
lstrcat.KERNEL32(?,00000000), ref: 004058F0
lstrcat.KERNEL32(?,0042433C), ref: 00405902
lstrcat.KERNEL32(?,------), ref: 00405914
lstrcat.KERNEL32(?,?), ref: 00405928
lstrcat.KERNEL32(?,00424348), ref: 0040593A
lstrcat.KERNEL32(?,0042433C), ref: 0040594C
lstrcat.KERNEL32(?,0063BB18), ref: 00405960
lstrcat.KERNEL32(?,?), ref: 00405974
InternetConnectA.WININET(?,?,000001BB,00000000,00000000,00000003,00000000,00000000), ref: 0040599D
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 004059C2
HttpOpenRequestA.WININET(00000000,00640940,?,00641BC8,00000000,00000000,00C00100,00000000), ref: 00405A07
HttpOpenRequestA.WININET(00000000,00640940,?,00641BC8,00000000,00000000,00400100,00000000), ref: 00405A39
lstrcat.KERNEL32(?,------), ref: 00405A5E
lstrcat.KERNEL32(?,?), ref: 00405A72
lstrcat.KERNEL32(?,0042433C), ref: 00405A84
lstrcat.KERNEL32(?,00637620), ref: 00405A98
lstrcat.KERNEL32(?,00640910), ref: 00405AAB
lstrcat.KERNEL32(?,"), ref: 00405ABD
lstrcat.KERNEL32(?,?), ref: 00405ACE
lstrcat.KERNEL32(?,0042433C), ref: 00405AE0
lstrcat.KERNEL32(?,------), ref: 00405AF2
lstrcat.KERNEL32(?,?), ref: 00405B06
lstrcat.KERNEL32(?,0042433C), ref: 00405B18
lstrcat.KERNEL32(?,0063B8D8), ref: 00405B2C
lstrcat.KERNEL32(?,?), ref: 00405B3D
lstrcat.KERNEL32(?,"), ref: 00405B4F
lstrcat.KERNEL32(?,006376E0), ref: 00405B62
lstrcat.KERNEL32(?,0042433C), ref: 00405B74
lstrcat.KERNEL32(?,00637380), ref: 00405B87
lstrcat.KERNEL32(?,), ref: 00405B99
lstrlen.KERNEL32(?), ref: 00405BA6
lstrlen.KERNEL32(?), ref: 00405BB8
GetProcessHeap.KERNEL32(00000000,?), ref: 00405BCF
RtlAllocateHeap.NTDLL(00000000), ref: 00405BD6
lstrlen.KERNEL32(?), ref: 00405BE9
memcpy.NTDLL(?,?,00000000), ref: 00405BFE
lstrlen.KERNEL32(?,?,?), ref: 00405C13
memcpy.NTDLL(?), ref: 00405C20
lstrlen.KERNEL32(?), ref: 00405C2D
lstrlen.KERNEL32(?,?,00000000), ref: 00405C42
memcpy.NTDLL(?), ref: 00405C52
lstrlen.KERNEL32(?,?,?), ref: 00405C91
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00405CA6
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00405CC5
StrCmpCA.SHLWAPI(?,200), ref: 00405CDB
Sleep.KERNEL32(00007530), ref: 00405CEC
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405D3D
lstrcat.KERNEL32(?,00000000), ref: 00405D79
InternetCloseHandle.WININET(?), ref: 00405D88
InternetCloseHandle.WININET(?), ref: 00405D95
InternetCloseHandle.WININET(00000000), ref: 00405DA2

Strings

@d, xrefs: 004059FA, 00405A2B
https://, xrefs: 004058B4
vc, xrefs: 00405A8A
", xrefs: 00405AB1
200, xrefs: 00405CCF
", xrefs: 00405B43
------, xrefs: 00405908, 00405A52, 00405AE6
vc, xrefs: 00405B55
, xrefs: 00405B8D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Internet$lstrlen$HeapHttp$CloseHandleOpenRequestmemcpy$AllocateConnectProcess$FileInfoOptionQueryReadSendSleep
String ID: $ vc$"$"$------$200$@d$https://$vc
API String ID: 3074752877-2587574090
Opcode ID: 113b627ee6e03ac6119e37f4b3757042d86990ee41e4c7059f913e73d7df682a
Instruction ID: 6ed794e90a24f6a4e7b1d2eff6ab54ec412d63b4dda1b1f0075311639a3691ff
Opcode Fuzzy Hash: 113b627ee6e03ac6119e37f4b3757042d86990ee41e4c7059f913e73d7df682a
Instruction Fuzzy Hash: BBF195B6B55218AFDB20DFA0DC49FEA7778EF88700F404595F609A7180CB749A86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406EC0 Relevance: 114.1, APIs: 64, Strings: 1, Instructions: 315stringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00406ECB
RtlAllocateHeap.NTDLL(00000000), ref: 00406ED2
lstrcat.KERNEL32(?,00640840), ref: 00406EE5
lstrcat.KERNEL32(?,00640860), ref: 00406EF6
lstrcat.KERNEL32(?,00424360), ref: 00406F05
lstrcat.KERNEL32(?,00640710), ref: 00406F16
lstrcat.KERNEL32(?,00424364), ref: 00406F25
lstrcat.KERNEL32(?,00633598), ref: 00406F36
lstrcat.KERNEL32(?,00424360), ref: 00406F45
lstrcat.KERNEL32(?,0063F0F0), ref: 00406F56
GetCurrentProcessId.KERNEL32 ref: 00406F5C

Part of subcall function 00415610: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415624
Part of subcall function 00415610: GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00415645
Part of subcall function 00415610: CloseHandle.KERNEL32(00000000), ref: 0041564F

lstrcat.KERNEL32(?,00000000), ref: 00406F70
lstrcat.KERNEL32(?,00424360), ref: 00406F7F
lstrcat.KERNEL32(?,0063F108), ref: 00406F8F

Part of subcall function 0040CE40: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00406F9A), ref: 0040CE4D
Part of subcall function 0040CE40: RtlAllocateHeap.NTDLL(00000000), ref: 0040CE54
Part of subcall function 0040CE40: GetLocalTime.KERNEL32(?,?,?,?,?,00406F9A), ref: 0040CE61
Part of subcall function 0040CE40: wsprintfA.USER32 ref: 0040CE8E

lstrcat.KERNEL32(?,00000000), ref: 00406F9F
lstrcat.KERNEL32(?,00424364), ref: 00406FAE
lstrcat.KERNEL32(?,0063F360), ref: 00406FBF

Part of subcall function 0040CEA0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040CEB0
Part of subcall function 0040CEA0: RtlAllocateHeap.NTDLL(00000000), ref: 0040CEB7
Part of subcall function 0040CEA0: GetTimeZoneInformation.KERNEL32(?), ref: 0040CECA

lstrcat.KERNEL32(?,00000000), ref: 00406FCF
lstrcat.KERNEL32(?,00424360), ref: 00406FDE
lstrcat.KERNEL32(?,00633658), ref: 00406FEF

Part of subcall function 0040CF20: GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 0040CF32

lstrcat.KERNEL32(?,00000000), ref: 00406FFF
lstrcat.KERNEL32(?,00424364), ref: 0040700E
lstrcat.KERNEL32(?,00633698), ref: 0040701E

Part of subcall function 0040CF60: GetProcessHeap.KERNEL32(00000000,000001F4), ref: 0040CF70
Part of subcall function 0040CF60: RtlAllocateHeap.NTDLL(00000000), ref: 0040CF77
Part of subcall function 0040CF60: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040CF98
Part of subcall function 0040CF60: LocalAlloc.KERNEL32(00000040,?), ref: 0040CFB0
Part of subcall function 0040CF60: GetKeyboardLayoutList.USER32(?,00000000), ref: 0040CFC4
Part of subcall function 0040CF60: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0040D019
Part of subcall function 0040CF60: wsprintfA.USER32 ref: 0040D042
Part of subcall function 0040CF60: wsprintfA.USER32 ref: 0040D060
Part of subcall function 0040CF60: memset.NTDLL ref: 0040D086
Part of subcall function 0040CF60: LocalFree.KERNEL32(00000000), ref: 0040D09B

lstrcat.KERNEL32(?,00000000), ref: 0040702E
lstrcat.KERNEL32(?,00424360), ref: 0040703D
lstrcat.KERNEL32(?,0063F318), ref: 0040704E

Part of subcall function 0040D0B0: GetSystemPowerStatus.KERNEL32(?), ref: 0040D0BA

lstrcat.KERNEL32(?,00000000), ref: 0040705E
lstrcat.KERNEL32(?,00424364), ref: 0040706D
lstrcat.KERNEL32(?,0063F2D0), ref: 0040707E

Part of subcall function 0040D0E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D0F4
Part of subcall function 0040D0E0: RtlAllocateHeap.NTDLL(00000000), ref: 0040D0FB
Part of subcall function 0040D0E0: RegQueryValueExA.ADVAPI32(00407089,00644230,00000000,00000000,?,000000FF), ref: 0040D13C

lstrcat.KERNEL32(?,00000000), ref: 0040708E
lstrcat.KERNEL32(?,00424364), ref: 0040709D
lstrcat.KERNEL32(?,0063F420), ref: 004070AD

Part of subcall function 0040D160: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D16D
Part of subcall function 0040D160: RtlAllocateHeap.NTDLL(00000000), ref: 0040D174
Part of subcall function 0040D160: memset.NTDLL ref: 0040D185
Part of subcall function 0040D160: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0040D196
Part of subcall function 0040D160: __aulldiv.LIBCMT ref: 0040D1B0
Part of subcall function 0040D160: wsprintfA.USER32 ref: 0040D1DC

lstrcat.KERNEL32(?,00000000), ref: 004070BD
lstrcat.KERNEL32(?,00424364), ref: 004070CC
lstrcat.KERNEL32(?,006407F0), ref: 004070DD

Part of subcall function 0040D1F0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D204
Part of subcall function 0040D1F0: RtlAllocateHeap.NTDLL(00000000), ref: 0040D20B
Part of subcall function 0040D1F0: RegQueryValueExA.ADVAPI32(p@,00643598,00000000,00000000,?,000000FF), ref: 0040D24C

lstrcat.KERNEL32(?,00000000), ref: 004070ED
lstrcat.KERNEL32(?,006408B0), ref: 004070FE

Part of subcall function 0040D270: GetCurrentProcess.KERNEL32(00000000), ref: 0040D27F
Part of subcall function 0040D270: IsWow64Process.KERNEL32(00000000), ref: 0040D286

lstrcat.KERNEL32(?,00000000), ref: 0040710E
lstrcat.KERNEL32(?,006408C0), ref: 0040711F
lstrcat.KERNEL32(?,00424364), ref: 0040712E
lstrcat.KERNEL32(?,0063F2E8), ref: 0040713F
lstrcat.KERNEL32(?,00000000), ref: 0040714F
lstrcat.KERNEL32(?,00424364), ref: 0040715E
lstrcat.KERNEL32(?,006336B8), ref: 0040716F

Part of subcall function 0040D2E0: wsprintfA.USER32 ref: 0040D33C

lstrcat.KERNEL32(?,00000000), ref: 0040717F
lstrcat.KERNEL32(?,00424360), ref: 0040718E
lstrcat.KERNEL32(?,0063F468), ref: 0040719E

Part of subcall function 0040CDB0: GetProcessHeap.KERNEL32(00000000,00000104,?,004071A9), ref: 0040CDBD
Part of subcall function 0040CDB0: RtlAllocateHeap.NTDLL(00000000,?,004071A9), ref: 0040CDC4
Part of subcall function 0040CDB0: GetComputerNameA.KERNEL32(004071A9,00000104), ref: 0040CDDC

lstrcat.KERNEL32(?,00000000), ref: 004071AE
lstrcat.KERNEL32(?,00424364), ref: 004071BD
lstrcat.KERNEL32(?,0063F438), ref: 004071CE

Part of subcall function 0040CE00: GetProcessHeap.KERNEL32(00000000,00000104,?,004071D9), ref: 0040CE0D
Part of subcall function 0040CE00: RtlAllocateHeap.NTDLL(00000000,?,004071D9), ref: 0040CE14
Part of subcall function 0040CE00: GetUserNameA.ADVAPI32(?,00000104), ref: 0040CE2C

lstrcat.KERNEL32(?,00000000), ref: 004071DE
lstrcat.KERNEL32(?,00424364), ref: 004071ED
lstrcat.KERNEL32(?,0063F3F0), ref: 004071FE
lstrcat.KERNEL32(?,00000000), ref: 0040720E
lstrcat.KERNEL32(?,00424364), ref: 0040721D
lstrcat.KERNEL32(?,0063F390), ref: 0040722D

Part of subcall function 0040D3A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D3B4
Part of subcall function 0040D3A0: RtlAllocateHeap.NTDLL(00000000), ref: 0040D3BB
Part of subcall function 0040D3A0: RegQueryValueExA.ADVAPI32(8r@,006435E0,00000000,00000000,?,000000FF), ref: 0040D3FC

lstrcat.KERNEL32(?,00000000), ref: 0040723D
lstrcat.KERNEL32(?,00424364), ref: 0040724C
lstrcat.KERNEL32(?,006407D0), ref: 0040725D

Part of subcall function 0040D420: GetCurrentHwProfileA.ADVAPI32(?), ref: 0040D42D
Part of subcall function 0040D420: GetProcessHeap.KERNEL32(00000000,00000064), ref: 0040D43B
Part of subcall function 0040D420: RtlAllocateHeap.NTDLL(00000000), ref: 0040D442
Part of subcall function 0040D420: memset.NTDLL ref: 0040D459
Part of subcall function 0040D420: lstrcat.KERNEL32(?,?), ref: 0040D46A

lstrcat.KERNEL32(?,00000000), ref: 0040726D
lstrcat.KERNEL32(?,00424360), ref: 0040727C
lstrcat.KERNEL32(?,006336F8), ref: 0040728D
lstrcat.KERNEL32(?,00424364), ref: 0040729C
lstrlen.KERNEL32(?), ref: 004072B2

Strings

X6c, xrefs: 00406FE4

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$Process$Allocate$wsprintf$Name$CurrentLocalQueryValuememset$KeyboardLayoutListLocaleStatusTimeUser$AllocCloseComputerDefaultFileFreeGlobalHandleInfoInformationMemoryModuleOpenPowerProfileSystemWow64Zone__aulldivlstrlen
String ID: X6c
API String ID: 3777045333-3226011533
Opcode ID: d056a4fb4418d07eeff6567305658b31b61f657eb03f8c5323b2427102bef44e
Instruction ID: 799162b5724b0684594d7b6f8ac6d92cba00f705dd90d135de347622cd7fcab7
Opcode Fuzzy Hash: d056a4fb4418d07eeff6567305658b31b61f657eb03f8c5323b2427102bef44e
Instruction Fuzzy Hash: 4DC11EB6B15108FBD710DBF4ED48D6E77B9AF8C701760896AF60993251CA349E02DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA90 Relevance: 66.7, APIs: 33, Strings: 5, Instructions: 236stringfileCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638A20), ref: 0040AAE5
lstrcat.KERNEL32(?,0041E020), ref: 0040AAF7
lstrcat.KERNEL32(?,00641D78), ref: 0040AB0B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040AB61
GetFileSize.KERNEL32(00000000,00000000), ref: 0040AB70
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040AB89
new[].LIBCMTD ref: 0040AB99
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040ABC8
StrStrA.SHLWAPI(?,00641DA8), ref: 0040ABD9
lstrlen.KERNEL32(00641DA8), ref: 0040ABF9
StrStrA.SHLWAPI(00000000,006420A8), ref: 0040AC1D
lstrcat.KERNEL32(0F410020,00640A60), ref: 0040AC43
lstrcat.KERNEL32(0F410020,?), ref: 0040AC54
lstrcat.KERNEL32(0F410020,00424364), ref: 0040AC66
lstrcat.KERNEL32(0F410020,00640A00), ref: 0040AC79
lstrcat.KERNEL32(0F410020,00000020), ref: 0040AC89
lstrcat.KERNEL32(0F410020,00424364), ref: 0040AC9B
lstrcat.KERNEL32(0F410020,006409E0), ref: 0040ACAE
lstrcat.KERNEL32(0F410020,00000000), ref: 0040ACC2
lstrcat.KERNEL32(0F410020,00424364), ref: 0040ACD3
StrStrA.SHLWAPI(?,006415E0), ref: 0040ACEA
lstrlen.KERNEL32(006415E0), ref: 0040ACF8
StrStrA.SHLWAPI(00000000,006413E0), ref: 0040AD16
lstrcat.KERNEL32(0F410020,00640AB0), ref: 0040AD3B

Part of subcall function 004090C0: lstrlen.KERNEL32(0040AD4D,00000001,?,00001FA0,00000000,00000000,?,00001FA0), ref: 0040910B
Part of subcall function 004090C0: CryptStringToBinaryA.CRYPT32(0040AD4D,00000000), ref: 00409116

lstrcat.KERNEL32(0F410020,00000000), ref: 0040AD58
lstrcat.KERNEL32(0F410020,00424364), ref: 0040AD69
StrStrA.SHLWAPI(?,006413E0), ref: 0040AD80
lstrlen.KERNEL32(006413E0), ref: 0040AD8E
StrStrA.SHLWAPI(00000000,00640930), ref: 0040ADAC
lstrcat.KERNEL32(0F410020,00640950), ref: 0040ADD1

Part of subcall function 004090C0: lstrcat.KERNEL32(?,0041E022), ref: 004091D9
Part of subcall function 004090C0: lstrcat.KERNEL32(?,0041E022), ref: 004091ED
Part of subcall function 004090C0: lstrcat.KERNEL32("A,0041E022), ref: 0040920E

lstrcat.KERNEL32(0F410020,00000000), ref: 0040ADEE
lstrcat.KERNEL32(0F410020,00424360), ref: 0040ADFF
CloseHandle.KERNEL32(00000000), ref: 0040AE1D

Strings

`d, xrefs: 0040AC35
Pd, xrefs: 0040ADC4
d, xrefs: 0040ACA1
0d, xrefs: 0040AD9E
, xrefs: 0040AABF

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrlen$Pointer$BinaryCloseCryptHandleReadSizeStringnew[]
String ID: $0d$Pd$`d$d
API String ID: 917227051-4153419412
Opcode ID: 7e1e4994916346ded9bf90c1639b143c56dc9a30e80d2a29fa0a3ccdbaf18ffa
Instruction ID: dd2c5aeee35215207885327e4fb8af10db7a871fb235fbd13f47400a5dedaca3
Opcode Fuzzy Hash: 7e1e4994916346ded9bf90c1639b143c56dc9a30e80d2a29fa0a3ccdbaf18ffa
Instruction Fuzzy Hash: 14A130B5B15218DFDB24DB64DC49FDAB7B8FB4C304F4085A9F60993251CA34A982CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004093E0 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 189stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,?,0040A25C,006387F0,?,?,00000000,00000000), ref: 004093F9
lstrcat.KERNEL32(?,0041E020), ref: 0040940B

Part of subcall function 00415570: GetSystemTime.KERNEL32(?,?,00000104), ref: 00415591

lstrcat.KERNEL32(?,00000000), ref: 00409423

Part of subcall function 00408B50: memset.MSVCRT ref: 00408BA2
Part of subcall function 00408B50: LocalAlloc.KERNEL32(00000040,?), ref: 00408BF1
Part of subcall function 00408B50: lstrcat.KERNEL32(?,00000000), ref: 00408C57

lstrcat.KERNEL32(?,00000000), ref: 00409521
lstrlen.KERNEL32(?), ref: 0040952E
lstrlen.KERNEL32(?), ref: 00409549
lstrcat.KERNEL32(0F410020,00640A60), ref: 00409577
lstrcat.KERNEL32(0F410020,?), ref: 00409587
lstrcat.KERNEL32(0F410020,00424364), ref: 00409599
lstrcat.KERNEL32(0F410020,00640A00), ref: 004095AC
lstrcat.KERNEL32(0F410020,?), ref: 004095BD
lstrcat.KERNEL32(0F410020,00424364), ref: 004095CE
lstrcat.KERNEL32(0F410020,006409E0), ref: 004095E2
lstrcat.KERNEL32(0F410020,?), ref: 004095F6
lstrcat.KERNEL32(0F410020,00424364), ref: 00409608
lstrcat.KERNEL32(0F410020,00640AB0), ref: 0040961B
lstrcat.KERNEL32(0F410020,?), ref: 0040962E
lstrcat.KERNEL32(0F410020,00424364), ref: 00409640
lstrcat.KERNEL32(0F410020,00640950), ref: 00409653
lstrcat.KERNEL32(0F410020,?), ref: 00409667
lstrcat.KERNEL32(0F410020,00424360), ref: 00409678

Strings

`d, xrefs: 0040956A
Pd, xrefs: 00409646
d, xrefs: 004095D4

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$AllocCurrentDirectoryLocalSystemTimememset
String ID: Pd$`d$d
API String ID: 2245567438-2860892737
Opcode ID: f7b926a8adfeceb713bb45124e609923426521a0c28c93bb342be0af5063d37a
Instruction ID: 93bb6af1f5781316ed859b5f8a0439cc8ea0cf1d4c55f9786d8c544ca3b53902
Opcode Fuzzy Hash: f7b926a8adfeceb713bb45124e609923426521a0c28c93bb342be0af5063d37a
Instruction Fuzzy Hash: BD7163B1B04204AFDB20DBA4EC49DEA7778BF48705F804569F60993261DA74ED82CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A630 Relevance: 33.3, APIs: 22, Instructions: 284stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040A65F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040A6AC
RtlAllocateHeap.NTDLL(00000000), ref: 0040A6B3
lstrcat.KERNEL32(?,00640A90), ref: 0040A81A
lstrcat.KERNEL32(?,006409F0), ref: 0040A840
lstrcat.KERNEL32(?,00640A90), ref: 0040A8F8
lstrcat.KERNEL32(?,006409F0), ref: 0040A91E
lstrcat.KERNEL32(?,?), ref: 0040A932
lstrcat.KERNEL32(?,00426174), ref: 0040A944
lstrcat.KERNEL32(?,?), ref: 0040A958
lstrcat.KERNEL32(?,00426174), ref: 0040A96A
lstrcat.KERNEL32(?,?), ref: 0040A97E
lstrcat.KERNEL32(?,00426174), ref: 0040A990
lstrcat.KERNEL32(?,?), ref: 0040A9A4
lstrcat.KERNEL32(?,00426174), ref: 0040A9B6
lstrcat.KERNEL32(?,?), ref: 0040A9CA
lstrcat.KERNEL32(?,00426174), ref: 0040A9DC
lstrcat.KERNEL32(?,?), ref: 0040A9F0
lstrcat.KERNEL32(?,00426174), ref: 0040AA02
lstrcat.KERNEL32(?,?), ref: 0040AA16
lstrcat.KERNEL32(?,00424364), ref: 0040AA28
lstrlen.KERNEL32(?), ref: 0040AA3A

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 3196222039-0
Opcode ID: aeb554d14b3ca12a3b94cded24f5acb8709624b51211206528faa9257a0415a1
Instruction ID: 13f04b1ce2ea6e8174b2c9ad2ab9b52b8a3cf00cd26c4a73510a5c243352b1ea
Opcode Fuzzy Hash: aeb554d14b3ca12a3b94cded24f5acb8709624b51211206528faa9257a0415a1
Instruction Fuzzy Hash: 44C19FB1A04218ABCB34CF64DC85BEEBB75AF48704F4085D9F709A7291CA349E91CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B290 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,0041C80A,?), ref: 0041B298
StrCmpCA.SHLWAPI(?,004264D0,?,0041C80A,?), ref: 0041B2E5
StrCmpCA.SHLWAPI(?,.zip,?,0041C80A,?), ref: 0041B2FF
StrCmpCA.SHLWAPI(?,.zoo,?,0041C80A,?), ref: 0041B319

Strings

.zip, xrefs: 0041B2F6
.arj, xrefs: 0041B355
.arc, xrefs: 0041B327
.zoo, xrefs: 0041B310
.lzh, xrefs: 0041B33E
.gz, xrefs: 0041B36C
.tgz, xrefs: 0041B383

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 1d633dff6438c988551009d486166c53b6ecb5043b06e4123b29d71182bb15b9
Instruction ID: 4a1488447851f19eb3ae3bded8a971f5fa21a39a103432feb1496de9f38f49d1
Opcode Fuzzy Hash: 1d633dff6438c988551009d486166c53b6ecb5043b06e4123b29d71182bb15b9
Instruction Fuzzy Hash: 90316F34748248EB8B20DFA0D989AFF7778EF517407A00096E81597311D738EE92AB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00407B00 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 00407B74
StrCmpCA.SHLWAPI(00000000,0042437C), ref: 00407BF6
lstrcat.KERNEL32(?,00000000), ref: 00407C2B
StrCmpCA.SHLWAPI(00000000,0042437C), ref: 00407C4B
StrCmpCA.SHLWAPI(00000000,0042437C), ref: 00407C90
lstrcat.KERNEL32(?,00000000), ref: 00407CC5
StrCmpCA.SHLWAPI(00000000,0042437C), ref: 00407CE5
lstrcat.KERNEL32(?,00000000), ref: 00407D1A
StrCmpCA.SHLWAPI(00000000,00424380), ref: 00407D3A
StrCmpCA.SHLWAPI(00000000,00424380), ref: 00407D5C
lstrcat.KERNEL32(004279E8,00000000), ref: 00407D90
lstrcat.KERNEL32(004279E8,.txt), ref: 00407DA0
StrCmpCA.SHLWAPI(00000000,00424380), ref: 00407DC5

Strings

.txt, xrefs: 00407D96

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: .txt
API String ID: 4038537762-2195685702
Opcode ID: 79d06e1ab8e00152e67aa4f3b5bc92262ade8a5dafe20a0b3b5cde345a93ea30
Instruction ID: c3568060892cf3a5f81aa9e9cb2c9873d9e96ab014ded8205b1c79b676c579c0
Opcode Fuzzy Hash: 79d06e1ab8e00152e67aa4f3b5bc92262ade8a5dafe20a0b3b5cde345a93ea30
Instruction Fuzzy Hash: 8F819371E08228DBDB24DB90DC85BEA73B9BF44304F4044EAE10976190D7BAAED5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405600 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 141networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0041E022,00000001,00000000,00000000,00000000), ref: 0040562E
StrCmpCA.SHLWAPI(00000000,https), ref: 0040565A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00800100,00000000), ref: 004056AF
HttpQueryInfoA.WININET(?,00000013,?,00000100,00000000), ref: 004056EF
StrCmpCA.SHLWAPI(?,200), ref: 00405705
InternetReadFile.WININET(?,?,00000400,?), ref: 00405760
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040578E
CloseHandle.KERNEL32(?,?,00000400), ref: 004057DC
InternetCloseHandle.WININET(?), ref: 004057E6
InternetCloseHandle.WININET(00000000), ref: 004057F3

Strings

200, xrefs: 004056F9
https, xrefs: 00405648

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpen$HttpInfoQueryReadWrite
String ID: 200$https
API String ID: 4270283338-2945048398
Opcode ID: 7db1d1b4f32e4b87789e46e1bbbf99ceeb02c268576789ee16dff3c0f8df028f
Instruction ID: a2199209631490673e399cdf8a87f29da23ae425584e3629122b83c3ff64a9fe
Opcode Fuzzy Hash: 7db1d1b4f32e4b87789e46e1bbbf99ceeb02c268576789ee16dff3c0f8df028f
Instruction Fuzzy Hash: 96512FB5B40618ABDB20CBA0DC45FAB77B8EB48705F5044A9F605B72C0D778AA81DF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409220 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 105libraryloaderstringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00640970,004287F0,0000FFFF), ref: 0040924E
lstrcat.KERNEL32(?,004287F0), ref: 0040927D
lstrcat.KERNEL32(?,00426170), ref: 0040928F
lstrcat.KERNEL32(?,00000000), ref: 004092A0
SetEnvironmentVariableA.KERNEL32(00640970,?), ref: 004092B4
LoadLibraryA.KERNEL32(00633638), ref: 004092D2
GetProcAddress.KERNEL32(00000000,00641BE0), ref: 004092F7
GetProcAddress.KERNEL32(00000000,00641D18), ref: 00409310
GetProcAddress.KERNEL32(00000000,00641360), ref: 00409328
GetProcAddress.KERNEL32(00000000,00641C58), ref: 00409340
GetProcAddress.KERNEL32(00000000,006413A0), ref: 00409359
GetProcAddress.KERNEL32(00000000,00641CD0), ref: 00409371

Strings

86c, xrefs: 004092CB
pd, xrefs: 00409248, 004092AD

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AddressProc$lstrcat$EnvironmentVariable$LibraryLoad
String ID: 86c$pd
API String ID: 570708976-3941438295
Opcode ID: bea8d2e5dae5518fd08546ce2f55086877e4aea2bcb9eb6e36a6a917cb636ed5
Instruction ID: 2f02eb78229f7102e2d474f9f25175466e33205442606a0f122d93740dac5ffa
Opcode Fuzzy Hash: bea8d2e5dae5518fd08546ce2f55086877e4aea2bcb9eb6e36a6a917cb636ed5
Instruction Fuzzy Hash: 3E413D75719204DBC734DF64ED49BAA3BB8B74C305F8045BAB605936A0CB78AA42CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D490 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 129registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 0040D547
wsprintfA.USER32 ref: 0040D57A

Strings

P5d, xrefs: 0040D641
?, xrefs: 0040D4B7
%s\%s, xrefs: 0040D56E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Enumwsprintf
String ID: %s\%s$?$P5d
API String ID: 1950046707-1829544285
Opcode ID: 003928b378903edcc3d0c34630a060d423d7daa099889772d4ae2210992d40a2
Instruction ID: 0ccfa250d9167da41990a9824b0f085f88b68126aedd256c4410119d94732c87
Opcode Fuzzy Hash: 003928b378903edcc3d0c34630a060d423d7daa099889772d4ae2210992d40a2
Instruction Fuzzy Hash: D8512075A0411CABDB24CF94DC49FDA77BCBF48300F50C5A9E649A6180DF749A86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00409C50 Relevance: 19.7, APIs: 13, Instructions: 155stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00409C7F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00409CCF
RtlAllocateHeap.NTDLL(00000000), ref: 00409CD6
lstrcat.KERNEL32(?,00641D30), ref: 00409D51

Part of subcall function 00408B50: memset.MSVCRT ref: 00408BA2
Part of subcall function 00408B50: LocalAlloc.KERNEL32(00000040,?), ref: 00408BF1
Part of subcall function 00408B50: lstrcat.KERNEL32(?,00000000), ref: 00408C57

lstrcat.KERNEL32(?,00000000), ref: 00409D95
lstrcat.KERNEL32(?,00641D60), ref: 00409DA8
lstrcat.KERNEL32(?,?), ref: 00409DBC
lstrcat.KERNEL32(?,00641400), ref: 00409DD0
lstrcat.KERNEL32(?,?), ref: 00409DE4
lstrcat.KERNEL32(?,00426178), ref: 00409DF6
lstrcat.KERNEL32(?,?), ref: 00409E0A
lstrcat.KERNEL32(?,00424360), ref: 00409E1C
lstrlen.KERNEL32(?), ref: 00409E2E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocAllocateLocalProcesslstrlenmemsetwsprintf
String ID:
API String ID: 2806430148-0
Opcode ID: d1c54e0869acf50a2cbdbe7123835e9757150bb44521ad1dc8e2e5f06379a6f5
Instruction ID: b82cffa5a28cd9e4f500edc761bfa50f9489abe5c5c4a473b1aa01915ee5cf8a
Opcode Fuzzy Hash: d1c54e0869acf50a2cbdbe7123835e9757150bb44521ad1dc8e2e5f06379a6f5
Instruction Fuzzy Hash: 4F5187B1A04108ABDB24DBA4DC46FEA7778BF4C705F408595F70993251DA34AE92CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004159B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415AA3
h5d, xrefs: 00415B05

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID: h5d$image/jpeg
API String ID: 0-1802024147
Opcode ID: c6113e7bc4a59cc04c8f933c3a5d6fa48984d8150a26de2bc49110a8809e01da
Instruction ID: 553ef97d577b286da4fa97144c91fac6a9b628117ade677beca75c5cdcd698f8
Opcode Fuzzy Hash: c6113e7bc4a59cc04c8f933c3a5d6fa48984d8150a26de2bc49110a8809e01da
Instruction Fuzzy Hash: 20511DB5A14208EFCB10DBE4DC85FEEBBB8AF8C700F504519F601E7290D674A942CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B490 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 0041B49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B561
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041B57E
ReadFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 0041B594
SetFilePointer.KERNEL32(00000000,00000024,00000000,00000000), ref: 0041B5A4
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0041B5BA
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 0041B5E3

Strings

PE, xrefs: 0041B61A
(, xrefs: 0041B56A

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: File$Pointer$Read$HandleInformationSize
String ID: ($PE
API String ID: 4143101051-3347799738
Opcode ID: 1bd33b5cc4c5e791fafcc097f8fd7499b2ffe58e17b8da3cfd14edf7e1e6222d
Instruction ID: ef2bbce649ed63edfa4e97749175eda6aa2f8cf2fa19c3fe8e5e35070ad2501e
Opcode Fuzzy Hash: 1bd33b5cc4c5e791fafcc097f8fd7499b2ffe58e17b8da3cfd14edf7e1e6222d
Instruction Fuzzy Hash: F4813B71E00208EFEB14CFD8D895BEEBBB5FF48305F648059E515AB294D734AA81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004072E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 178stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00000000), ref: 0040739A
lstrcat.KERNEL32(?,00000000), ref: 004073B3

Part of subcall function 00415C10: SHGetFolderPathA.SHELL32(00000000,004073C0,00000000,00000000,?,?,000003E8), ref: 00415C3B

Part of subcall function 00415B70: StrStrA.SHLWAPI(0063F300,?,?,004073D7,?,0063F300,00000000), ref: 00415B7E

lstrcpy.KERNEL32(?,00000000), ref: 004073E2

Part of subcall function 00415B70: lstrcpyn.KERNEL32(00427FF0,0063F300,0063F300,?,004073D7,?,0063F300), ref: 00415BA2
Part of subcall function 00415B70: wsprintfA.USER32 ref: 00415BFB

lstrcpy.KERNEL32(?,00000000), ref: 00407411
lstrcpy.KERNEL32(?,00000000), ref: 00407440
lstrcpy.KERNEL32(?,00000000), ref: 0040746F

Strings

<, xrefs: 004074B4

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathlstrcpynwsprintf
String ID: <
API String ID: 2415926151-4251816714
Opcode ID: 31df352d34637d328f7825ea65e7a82c1266c220d2d7e305be6cbf3eb0545f7e
Instruction ID: 8ce3cc66a5c33e16da3530987a2eeced46bbfe134afadf37dbe4ce96bc48b175
Opcode Fuzzy Hash: 31df352d34637d328f7825ea65e7a82c1266c220d2d7e305be6cbf3eb0545f7e
Instruction Fuzzy Hash: D76143F1E00218EBD724EB60DC85FDA7378AB48304F84459AF70966191EB749BC9CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040AE5F
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040AEB5
RtlAllocateHeap.NTDLL(00000000), ref: 0040AEBC
lstrcat.KERNEL32(?,?), ref: 0040AF1F
lstrcat.KERNEL32(?,00426174), ref: 0040AF31
lstrcat.KERNEL32(?,?), ref: 0040AF45
lstrcat.KERNEL32(?,00424364), ref: 0040AF57
lstrlen.KERNEL32(?), ref: 0040AF69

Strings

H c, xrefs: 0040AE8F

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID: H c
API String ID: 3196222039-3237417258
Opcode ID: a30c4907f7eba0dfe6c0981f17554a7aa0e28aab5f7bbd388ec691395c1733e1
Instruction ID: f707268772baf716d55d015f2c5e67d09fb88d2b0e24c6ec235c8007084fc916
Opcode Fuzzy Hash: a30c4907f7eba0dfe6c0981f17554a7aa0e28aab5f7bbd388ec691395c1733e1
Instruction Fuzzy Hash: 4B41B6B1E0421CABCB24DBA4DC46FEA7778AF48704F4045E5F70993141DA74AE91CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409FC0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00409FEF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040A03F
RtlAllocateHeap.NTDLL(00000000), ref: 0040A046
lstrcat.KERNEL32(?,?), ref: 0040A0A9
lstrcat.KERNEL32(?,00424364), ref: 0040A0BB
lstrcat.KERNEL32(?,?), ref: 0040A0CF
lstrcat.KERNEL32(?,00424360), ref: 0040A0E1
lstrlen.KERNEL32(?), ref: 0040A0F3

Strings

X#c, xrefs: 0040A01C

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID: X#c
API String ID: 3196222039-4160545177
Opcode ID: 8d09127ade56661d2eb06c3ed62f651ca989be1f7b29e79230d09e62ae7191d6
Instruction ID: d00e69c4ce6a20a54b1eed6ae102ac74f6e843d41d75590f5a271a5c8264a78b
Opcode Fuzzy Hash: 8d09127ade56661d2eb06c3ed62f651ca989be1f7b29e79230d09e62ae7191d6
Instruction Fuzzy Hash: DF4176B1A0421CABCB24DFA4DC46EEA7778AF4C704F4085A5F70997141DA34AE91CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00414940 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00414D64
%s%s%s, xrefs: 00414DA7

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s
API String ID: 0-1506711308
Opcode ID: 0dd9828e0916d08e502b5959c5ed71b09d9fd11b5b8ce2d6c275135eebd47c79
Instruction ID: fa4ff23f0b6c4930f367a407db879f1771bc651142c78bea6ef718451b369e38
Opcode Fuzzy Hash: 0dd9828e0916d08e502b5959c5ed71b09d9fd11b5b8ce2d6c275135eebd47c79
Instruction Fuzzy Hash: 46027DB0A042199FCB25CF54DD84BEAB7B9AB85305F1481DAE40967341EB38AFC1CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D160 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D16D
RtlAllocateHeap.NTDLL(00000000), ref: 0040D174
memset.NTDLL ref: 0040D185
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0040D196
__aulldiv.LIBCMT ref: 0040D1B0
wsprintfA.USER32 ref: 0040D1DC

Strings

@, xrefs: 0040D18B
%d MB, xrefs: 0040D1D3

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatus__aulldivmemsetwsprintf
String ID: %d MB$@
API String ID: 3391354518-3474575989
Opcode ID: 3d7750f2c3588b61caf88385b8d036eed8896707604dbc2f32a052e29f57928c
Instruction ID: 83153d19209911d3804af04f93d11786e0b7538e05b0561a9ce4f893c136d53f
Opcode Fuzzy Hash: 3d7750f2c3588b61caf88385b8d036eed8896707604dbc2f32a052e29f57928c
Instruction Fuzzy Hash: E9015EB1E04218ABDB10DFE4DC49FAEB778FF04700F504559F605AB2C0D7B8A9058B98

Uniqueness

Uniqueness Score: -1.00%

Function 00409AC0 Relevance: 12.1, APIs: 8, Instructions: 107stringmemoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00409AEF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00409B45
RtlAllocateHeap.NTDLL(00000000), ref: 00409B4C
lstrcat.KERNEL32(?,?), ref: 00409BAF
lstrcat.KERNEL32(?,00426174), ref: 00409BC1
lstrcat.KERNEL32(?,?), ref: 00409BD5
lstrcat.KERNEL32(?,00424364), ref: 00409BE7
lstrlen.KERNEL32(?), ref: 00409BF9

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 3196222039-0
Opcode ID: 140780b802c8de6e49c9b6f7c99b6c7d8329a781707837ce71f4c72566a187ca
Instruction ID: 097497359b13f11fa24a19080b81617e253730a511a0190b7fe58f6f057161da
Opcode Fuzzy Hash: 140780b802c8de6e49c9b6f7c99b6c7d8329a781707837ce71f4c72566a187ca
Instruction Fuzzy Hash: 344182B1A04118ABCB24DBA4DC4AFEA7778AF48705F4045E9F70993141DA74AE81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408B50 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 104memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408BA2
LocalAlloc.KERNEL32(00000040,?), ref: 00408BF1
lstrcat.KERNEL32(?,00000000), ref: 00408C57

Strings

@, xrefs: 00408BAA
(aB, xrefs: 00408C7B
(aB, xrefs: 00408C72
v10, xrefs: 00408B6E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcatmemset
String ID: (aB$(aB$@$v10
API String ID: 4123878530-821435851
Opcode ID: b3489d05a3ed2d37716ec4efc0c1b7abf917be8c4d6bb261c47512adebcc2b0c
Instruction ID: 5d51088398a3d09193f5f19327052d3ddf3ac29a2310b1440ccbd6c81e1c9746
Opcode Fuzzy Hash: b3489d05a3ed2d37716ec4efc0c1b7abf917be8c4d6bb261c47512adebcc2b0c
Instruction Fuzzy Hash: BD415271A04218DBEB18CFD4D944BEEB7B4FF44304F04816EF505AB284DB78AA45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30memorystringCOMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0040D42D
GetProcessHeap.KERNEL32(00000000,00000064), ref: 0040D43B
RtlAllocateHeap.NTDLL(00000000), ref: 0040D442
memset.NTDLL ref: 0040D459
lstrcat.KERNEL32(?,?), ref: 0040D46A

Strings

(aB, xrefs: 0040D47A

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCurrentProcessProfilelstrcatmemset
String ID: (aB
API String ID: 4122951905-757838864
Opcode ID: 7aa01a401c15b73822f2b542d9dbbe33a783009c1bc8bd0f0e49874e00ad4f31
Instruction ID: 3ef2f66cfa7c458a363807bc4ecd9b43b47e05186848137e3493775ab4426156
Opcode Fuzzy Hash: 7aa01a401c15b73822f2b542d9dbbe33a783009c1bc8bd0f0e49874e00ad4f31
Instruction Fuzzy Hash: EEF05E71B052199BDF309BB4EC09F69BB78BF04705F4084A6FB49E7290DE34A9068F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFC0 Relevance: 9.1, APIs: 6, Instructions: 94memorystringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040AFEF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040B04B
RtlAllocateHeap.NTDLL(00000000), ref: 0040B052
lstrcat.KERNEL32(?,?), ref: 0040B099
lstrcat.KERNEL32(?,00424364), ref: 0040B0AB
lstrlen.KERNEL32(?), ref: 0040B0BA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 2177231248-0
Opcode ID: 4f4c2b702d017f1f3545a18c58bda111fdfd51740e4c70e8af012efe31bc6fc7
Instruction ID: 18c9f8c6a154931e4e35bec770ddd7db80b74e934d9cdc9d382de81b3079f4fb
Opcode Fuzzy Hash: 4f4c2b702d017f1f3545a18c58bda111fdfd51740e4c70e8af012efe31bc6fc7
Instruction Fuzzy Hash: 193192B1A0010CABCB24DBA4DC46FEB7778EF48304F4085A9F70997241DA34AE51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00409E80 Relevance: 9.1, APIs: 6, Instructions: 92memorystringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00409EAF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00409EFF
RtlAllocateHeap.NTDLL(00000000), ref: 00409F06
lstrcat.KERNEL32(?,?), ref: 00409F4D
lstrcat.KERNEL32(?,00424364), ref: 00409F5F
lstrlen.KERNEL32(?), ref: 00409F6E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocateProcesslstrlenwsprintf
String ID:
API String ID: 2177231248-0
Opcode ID: 55270685b8670e814c835f7ec53de5eaa68329f3efa87ec6e798ee751c5e7bc1
Instruction ID: 9eb82f4f8ae03875233d8157813d0b7d5cdd0ef18fd519fee1cd8563dc83dc20
Opcode Fuzzy Hash: 55270685b8670e814c835f7ec53de5eaa68329f3efa87ec6e798ee751c5e7bc1
Instruction Fuzzy Hash: AA3163B1A04208ABCB24DBA4DC46EEA7778AF48704F4045A9F709D7151DA34EE91CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004081C0 Relevance: 9.1, APIs: 6, Instructions: 75timestringCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,00000104), ref: 00408241
lstrcat.KERNEL32(?,006338D8), ref: 00408255
sscanf.NTDLL ref: 00408293
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004082A7
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 004082B8
ExitProcess.KERNEL32 ref: 004082D2

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesslstrcatsscanf
String ID:
API String ID: 2797641603-0
Opcode ID: 2580b87efa1fc9e78af6cf07324dad4481afda0eeda08919c8f2b6b7fd42d897
Instruction ID: c3cd673f1fa0b2ec55f51e111767c9865c6c00eca3dd8c3c5eff82f31dc940e9
Opcode Fuzzy Hash: 2580b87efa1fc9e78af6cf07324dad4481afda0eeda08919c8f2b6b7fd42d897
Instruction Fuzzy Hash: BB31EF71D1461CABCB68DFA5DC85ADEB7B9AF48300F4085EEE149A3250EA305B85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00415C60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000104,?,00000104), ref: 00415C99
wsprintfA.USER32 ref: 00415CB4
ShellExecuteEx.SHELL32(0000003C), ref: 00415D13

Strings

HLd, xrefs: 00415CA6
<, xrefs: 00415CCA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShellwsprintf
String ID: <$HLd
API String ID: 690967290-3845776323
Opcode ID: 3a41585b6a96ffb63fe355c5684a81ca30dae0cb2304b53792eb40cac8678878
Instruction ID: b6b6ca1061fbb4124f2fa1a12c68bb74f02bcf8ba4fc06459a5e714305233434
Opcode Fuzzy Hash: 3a41585b6a96ffb63fe355c5684a81ca30dae0cb2304b53792eb40cac8678878
Instruction Fuzzy Hash: 97211FB1E0020CABDB14EB90DCC6FDEB7B8AB84745F404599F614A7190DBB85688CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D3B4
RtlAllocateHeap.NTDLL(00000000), ref: 0040D3BB
RegQueryValueExA.ADVAPI32(8r@,006435E0,00000000,00000000,?,000000FF), ref: 0040D3FC

Strings

5d, xrefs: 0040D3F1
8r@, xrefs: 0040D3C4, 0040D402, 0040D3F8, 0040D3C7, 0040D3FB, 0040D405

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID: 8r@$5d
API String ID: 3318767951-2405357222
Opcode ID: c948c1e27f037406e63a06a72dc9235c4cfa3ab010ed8b201c50b9c39f8726d7
Instruction ID: e4a3afe1c2a26e52a6ab1516ded79d8f1b69931258f44e2e53aad9fd70af52f8
Opcode Fuzzy Hash: c948c1e27f037406e63a06a72dc9235c4cfa3ab010ed8b201c50b9c39f8726d7
Instruction Fuzzy Hash: E8014475B44208FBD720DBE0DC49FAEB77CEB48700F5045A9FA05A7290DA746A018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00405590 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33stringnetworkCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,10000000,0000003C,?,0000003C,?,00000040), ref: 004055D0
InternetCrackUrlA.WININET(?,00000000), ref: 004055DB

Strings

http, xrefs: 004055EC
<, xrefs: 004055AF
@, xrefs: 004055BC

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$@$http
API String ID: 1274457161-26727890
Opcode ID: 480d353e3033dee7ba64866b56f79bf4895b42fb15b43a546321786f39c6f5c3
Instruction ID: 036cfeb6636bbdb482450af1c63629e56b5eecb83763e32b414ca024fe918b85
Opcode Fuzzy Hash: 480d353e3033dee7ba64866b56f79bf4895b42fb15b43a546321786f39c6f5c3
Instruction Fuzzy Hash: E4F01D75A00208BBDB14DFA5EC85FDEBBBCEB44344F408119FA04AB190DB78E504CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415240 Relevance: 7.6, APIs: 5, Instructions: 50stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000003,00000000,00000000,?), ref: 0041524E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 0041525D
new[].LIBCMTD ref: 0041527D
lstrlen.KERNEL32(?,?,?), ref: 0041529A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 004152A9

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrlen$new[]
String ID:
API String ID: 4156461339-0
Opcode ID: 1cb115c24d360550f01618f8c83bab92e6313edd7b752136a8c1d462c7f132d4
Instruction ID: 83e120f723c34b44389c7f1ae315971a3a9a8834eeb574e7471f223e0891014a
Opcode Fuzzy Hash: 1cb115c24d360550f01618f8c83bab92e6313edd7b752136a8c1d462c7f132d4
Instruction Fuzzy Hash: 94012175B04108BFDB54DFA8DC46F9E7BB8EF48304F104058F509D7291DA70AA018B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D0F4
RtlAllocateHeap.NTDLL(00000000), ref: 0040D0FB
RegQueryValueExA.ADVAPI32(00407089,00644230,00000000,00000000,?,000000FF), ref: 0040D13C

Strings

0Bd, xrefs: 0040D131

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID: 0Bd
API String ID: 3318767951-1404744772
Opcode ID: 5c913f65ec6ce16666216d1e60dac11169d28b082d51df6f791a35ed40e8bc01
Instruction ID: ed73f0ceab511a504b186bdf787763fa0e2175891b9a2fb3ef6e99c90d1150b4
Opcode Fuzzy Hash: 5c913f65ec6ce16666216d1e60dac11169d28b082d51df6f791a35ed40e8bc01
Instruction Fuzzy Hash: E4014475B44208FBD720DFE0DC49FAEB77CEF48700F5045A5FA05A7290DA705A018B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040D204
RtlAllocateHeap.NTDLL(00000000), ref: 0040D20B
RegQueryValueExA.ADVAPI32(p@,00643598,00000000,00000000,?,000000FF), ref: 0040D24C

Strings

p@, xrefs: 0040D214, 0040D252, 0040D248, 0040D217, 0040D24B, 0040D255

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID: p@
API String ID: 3318767951-3184700666
Opcode ID: 36a5e795217b58b146b0e085a4999da7fcce7f6c0b60c814c775307ad2adfca7
Instruction ID: 679ea68745c7f817856e725e83233ae2ad5c2c3a2d2c3fef7011ab6a2c6eb545
Opcode Fuzzy Hash: 36a5e795217b58b146b0e085a4999da7fcce7f6c0b60c814c775307ad2adfca7
Instruction Fuzzy Hash: A8013175B44208FFD720DBE0DC49FAEB778EB48700F5085A9FA05A7294DA745A058B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D270 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 0040D27F
IsWow64Process.KERNEL32(00000000), ref: 0040D286

Strings

&d, xrefs: 0040D296
p%d, xrefs: 0040D29F

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: &d$p%d
API String ID: 1905925150-907801819
Opcode ID: 3b895b419327625ab91f6addac08ebff8c2413c47063bb4ff4c44d2965e3d47d
Instruction ID: fbdbbe6116ea310a4b989d61a21010c8d5584c165aa24871dcfceae1910eb7c3
Opcode Fuzzy Hash: 3b895b419327625ab91f6addac08ebff8c2413c47063bb4ff4c44d2965e3d47d
Instruction Fuzzy Hash: 02E0E670A19108DBDB64DFD4EE08BAA77BCEF05301F5040F9A504D3290DB78D905D769

Uniqueness

Uniqueness Score: -1.00%

Function 00407910 Relevance: 6.4, APIs: 5, Instructions: 150stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040794C
lstrcpy.KERNEL32(?,00000000), ref: 0040799C
lstrcpy.KERNEL32(?,00000000), ref: 004079CA
lstrcpy.KERNEL32(?,00000000), ref: 004079F8
lstrcpy.KERNEL32(?,00000000), ref: 00407A26

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcpy$wsprintf
String ID:
API String ID: 553454533-0
Opcode ID: d46b2884eafde9a7a47a55da1a24e5e81919de88e8003c1761f62a09f71297d6
Instruction ID: 1e05246594c4fcd9d081c29ac311f3f14fbda28c1f0e7327660a6d5041caca37
Opcode Fuzzy Hash: d46b2884eafde9a7a47a55da1a24e5e81919de88e8003c1761f62a09f71297d6
Instruction Fuzzy Hash: C55187F6E40108FBC714EF94EC86FEB7378AB5C304F44459DB609A2141E674AA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE60 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,0041C84E,?,?), ref: 0041BED8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C84E), ref: 0041BF2A

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: dfc13cb206038efe147c7b7d1966cb27e75dcdde47e97197750e5ff787cb2b64
Instruction ID: ee73b41cf1878973dc7588ff2d8ebdfc618fa0d8b783b958392b34b6197aeeb2
Opcode Fuzzy Hash: dfc13cb206038efe147c7b7d1966cb27e75dcdde47e97197750e5ff787cb2b64
Instruction Fuzzy Hash: F851B874A002099FDB14DFA8C884BDEBBB5BB4C304F14C15AE825AB391D735A985CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB20 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

new[].LIBCMTD ref: 0041BB80
memcpy.NTDLL(00000000,?,000000FF,?,0041C60D,?,000000FF,?,00004000), ref: 0041BBAC
memcpy.NTDLL(?,00004000,000000FF,?,0041C60D,?,000000FF,?,00004000), ref: 0041BC3D

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: memcpy$new[]
String ID:
API String ID: 3541104900-0
Opcode ID: 12ba4f0a6b653882ebc32832ac8fa57de36765d84c7569ead15923ec4cb79325
Instruction ID: 8624acb8a7135c67029156a0b554a9ed2406ef7acc6b9d96229395aed0561db2
Opcode Fuzzy Hash: 12ba4f0a6b653882ebc32832ac8fa57de36765d84c7569ead15923ec4cb79325
Instruction Fuzzy Hash: 7651D8B8A04209DFCB44CF99C581AAEBBB2FF88314F508199E9059B745D734E981CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154C0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000,00000004,?,00401241,?,0000001A,?,00000104), ref: 004154E4

lstrcat.KERNEL32(?,00000000), ref: 0040C684
lstrcat.KERNEL32(?,?), ref: 0040C6A9
lstrcat.KERNEL32(?,00642000), ref: 0040C6BD

Part of subcall function 00415830: GetFileAttributesA.KERNEL32(?,?,?,0040C5AF,?), ref: 0041583A

Part of subcall function 00408FB0: StrStrA.SHLWAPI(00000000,00641D48), ref: 00409003

Strings

p#d, xrefs: 0040C709, 0040C70C

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$AttributesFileFolderPath
String ID: p#d
API String ID: 4178457443-1606837090
Opcode ID: a775a0c7505b329631c10e6536f959051c880fdae260c7370bf493e716f1b43c
Instruction ID: 27a8e471dc83cfad2cc1b7a884a95ba103402176dfdf436337361cc704f8f1a3
Opcode Fuzzy Hash: a775a0c7505b329631c10e6536f959051c880fdae260c7370bf493e716f1b43c
Instruction Fuzzy Hash: A23150B6D1010CEBCB14DBE0DC85EDF737CAB58304F40469AF609A3141EA74AB89CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(0063F300,?,?,004073D7,?,0063F300,00000000), ref: 00415B7E
lstrcpyn.KERNEL32(00427FF0,0063F300,0063F300,?,004073D7,?,0063F300), ref: 00415BA2
wsprintfA.USER32 ref: 00415BFB

Strings

%s%s, xrefs: 00415BEA

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcpynwsprintf
String ID: %s%s
API String ID: 1799455324-3252725368
Opcode ID: 78b20853df43a04535fdee9c5f653645c2bfdf2189a14c160cdca62224a9df33
Instruction ID: 4b2a891298b0e56dfdcec1775192b4b92a8ddb23ec250966d2ceee98ffac7476
Opcode Fuzzy Hash: 78b20853df43a04535fdee9c5f653645c2bfdf2189a14c160cdca62224a9df33
Instruction Fuzzy Hash: 02210A75A08248EFCF14CFACC984AEDBBB4EF44304F508199E809AB345D775AA40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2E0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040D33C

Strings

0&d, xrefs: 0040D2EF
zq@, xrefs: 0040D32C, 0040D32F
%dx%d, xrefs: 0040D330

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %dx%d$0&d$zq@
API String ID: 2111968516-951934985
Opcode ID: a1a4f2ce331039f70fa77e811cc1df655a563772cfa40c622775460a28e9f665
Instruction ID: c0024477d186a8933da72eb7f84188d9956972e9ed449601d5b5b375b13ce55e
Opcode Fuzzy Hash: a1a4f2ce331039f70fa77e811cc1df655a563772cfa40c622775460a28e9f665
Instruction Fuzzy Hash: BA011D75F44308ABE710DBA4DC8AFBEB778FB48701F408598FA14A7280DA756A018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringregistryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 0040D547
wsprintfA.USER32 ref: 0040D57A
RegQueryValueExA.ADVAPI32(00000000,006435B0,00000000,000F003F,?,00000400), ref: 0040D5F2
lstrlen.KERNEL32(?), ref: 0040D607
lstrcat.KERNEL32(004072AB,?), ref: 0040D61D
RegQueryValueExA.ADVAPI32(00000000,00643550,00000000,000F003F,?,00000400), ref: 0040D64F
lstrcat.KERNEL32(004072AB,004261D4), ref: 0040D662
lstrcat.KERNEL32(004072AB,?), ref: 0040D673
lstrcat.KERNEL32(004072AB,00424364), ref: 0040D682

Strings

%s\%s, xrefs: 0040D56E

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: lstrcat$QueryValue$Enumlstrlenwsprintf
String ID: %s\%s
API String ID: 2230113703-4073750446
Opcode ID: 8deae1037241e4408a0e49e08591c047b144ff31957e8347a4176184bbb43256
Instruction ID: 9a2fc04b174e0b8e5ba8e352111f42e260ce6b0786ef765824501d0fea6aa687
Opcode Fuzzy Hash: 8deae1037241e4408a0e49e08591c047b144ff31957e8347a4176184bbb43256
Instruction Fuzzy Hash: 64110A71A401289BDB20CB90CD45FE9B7BCFF44304F50C5E9A649A6180DE745A868FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

new[].LIBCMTD ref: 00408938

Strings

yB, xrefs: 0040894F, 00408952
yB, xrefs: 00408943

Memory Dump Source

Source File: 00000000.00000002.2096720743.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096709109.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096738126.000000000041E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096751112.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096764731.0000000000439000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096777090.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096789561.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OperaGXSetup.jbxd

Yara matches

Similarity

API ID: new[]
String ID: yB$yB
API String ID: 4059295235-2702588346
Opcode ID: b0973b5c25c19cb11fd647d27961e58fc0799f828494207c3ab4d821335483ff
Instruction ID: 4dca0a12310282541e8601212d6e2364ddbf534a79e38e3b3ebbf19e91489cc4
Opcode Fuzzy Hash: b0973b5c25c19cb11fd647d27961e58fc0799f828494207c3ab4d821335483ff
Instruction Fuzzy Hash: BBF054B5E00208FBDB00FBE4C946BDEB7B4DB04304F1084A9F905A7281E6749B50CB95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OperaGXSetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Mars Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OperaGXSetup.exe_82691ba76431485db1fd9a98ff162bea1ce379e_bd6eeb5d_af97da17-0a28-4c60-aeaa-0305e8f09c3f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B38.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CC0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D1E.tmp.xml

C:\Users\user\Desktop\WL6PZU3W

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
OperaGXSetup.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre