launcher.exe

• File Path: C:\Program Files\Opera\launcher.exe
• Description: Opera Internet Browser

Hashes

Type	Hash
MD5	2D33B71636578644BFE844EA3B7A8EDC
SHA1	30C72D829D14BD8B37109DAE1B234354396CC229
SHA256	ABE39FE53362785419CDE37BB5CFB209EDC00E0772FEDFAB520F21CB231ED46E
SHA384	9E26093F60B8E673174122E0B8D8159ED79B5C97BD1B9F4788C65525F95D5158D0C38D2EB091F4075595854488F03EA6
SHA512	5BE6C8AC24ADEB2F328AAA5970525C0C871DEC5D57289E179FE37875249A45FFE77BFF4B45C37BA382ECE5F8161713876CD6477C4FA6881AD54889A6E1CB6B99
SSDEEP	24576:pOF4j7Ztlm2zXuVHniBz8sCzzf6s32PzTtLvcmdA:0C7Dlmi2sCf6smnta
IMP	36851E1C9922AA7E01142CE3BA9880DB
PESHA1	E68910278E8600E5A1A139A8D558320C9F73727A
PE256	B6572FEB92A220B3767E4F429520B1CAB6568641DB3C29EED8A074474BA687BA

Runtime Data

Child Processes:

opera.exe

Open Handles:

Path	Type
(RW-) C:\xCyclopedia	File
\BaseNamedObjects__ComCatalogCache__	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters	Section

Loaded Modules:

Path
C:\Program Files\Opera\launcher.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll

Signature

• Status: Signature verified.
• Serial: 05F4210DB2B283A32FF2AED29FCB68A4
• Thumbprint: 878B0B298671F44FC739C08D826BB22DB1A2A021
• Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
• Subject: CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO

File Metadata

• Original Filename:
• Product Name: Opera Internet Browser
• Company Name: Opera Software
• File Version: 71.0.3770.171
• Product Version: 71.0.3770.171
• Language: English (United States)
• Legal Copyright: Copyright Opera Software 2020
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/71
• VirusTotal Link: https://www.virustotal.com/gui/file/abe39fe53362785419cde37bb5cfb209edc00e0772fedfab520f21cb231ed46e/detection/

Possible Misuse

The following table contains possible examples of launcher.exe being misused. While launcher.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_invoke_obfuscation_clip_services_security.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_stdin_services_security.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_var_services_security.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_via_rundll_services_security.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	win_invoke_obfuscation_via_rundll_services_security.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	win_invoke_obfuscation_via_var_services_security.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	win_invoke_obfuscation_via_var_services_security.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
sigma	win_invoke_obfuscation_clip_services.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_stdin_services.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_var_services.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	win_invoke_obfuscation_via_rundll_services.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	win_invoke_obfuscation_via_rundll_services.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	win_invoke_obfuscation_via_var_services.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	win_invoke_obfuscation_via_var_services.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
sigma	posh_pm_invoke_obfuscation_clip.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	posh_pm_invoke_obfuscation_stdin.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	posh_pm_invoke_obfuscation_var.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	posh_pm_invoke_obfuscation_via_rundll.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	posh_pm_invoke_obfuscation_via_rundll.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	posh_pm_invoke_obfuscation_via_var.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	posh_pm_invoke_obfuscation_via_var.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
sigma	posh_ps_invoke_obfuscation_clip.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	posh_ps_invoke_obfuscation_stdin.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	posh_ps_invoke_obfuscation_var.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	posh_ps_invoke_obfuscation_via_rundll.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	posh_ps_invoke_obfuscation_via_rundll.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	posh_ps_invoke_obfuscation_via_var.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	posh_ps_invoke_obfuscation_via_var.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_clip.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_stdin.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_var.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_via_rundll.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_via_rundll.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_via_var.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	proc_creation_win_invoke_obfuscation_via_var.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
sigma	proc_creation_win_susp_covenant.yml	title: Covenant Launcher Indicators	DRL 1.0
sigma	driver_load_invoke_obfuscation_clip+_services.yml	title: Invoke-Obfuscation CLIP+ Launcher	DRL 1.0
sigma	driver_load_invoke_obfuscation_stdin+_services.yml	title: Invoke-Obfuscation STDIN+ Launcher	DRL 1.0
sigma	driver_load_invoke_obfuscation_var+_services.yml	title: Invoke-Obfuscation VAR+ Launcher	DRL 1.0
sigma	driver_load_invoke_obfuscation_via_rundll_services.yml	title: Invoke-Obfuscation RUNDLL LAUNCHER	DRL 1.0
sigma	driver_load_invoke_obfuscation_via_rundll_services.yml	description: Detects Obfuscated Powershell via RUNDLL LAUNCHER	DRL 1.0
sigma	driver_load_invoke_obfuscation_via_var++_services.yml	title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION	DRL 1.0
sigma	driver_load_invoke_obfuscation_via_var++_services.yml	description: Detects Obfuscated Powershell via VAR++ LAUNCHER	DRL 1.0
malware-ioc	kryptocibule	.Main launcher (armsvc.exe)	© ESET 2014-2018
malware-ioc	misp-ramsay.json	"comment": "Installer Launcher",	© ESET 2014-2018
malware-ioc	winnti_group	==== VMProtected launcher	© ESET 2014-2018
atomic-red-team	T1555.003.md	if (((Test-Path “$env:LOCALAPPDATA\Programs\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files (x86)\Opera\launcher.exe”))) {exit 0} else {exit 1}	MIT License. © 2018 Red Canary
signature-base	apt_apt30_backspace.yar	$s0 = “Launcher.EXE” fullword wide	CC BY-NC 4.0
signature-base	apt_cobaltstrike_evasive.yar	description = “Detects CobaltStrike MZ header ReflectiveLoader launcher”	CC BY-NC 4.0
signature-base	apt_eqgrp_apr17.yar	$s1 = “* Failed to get connection information. Aborting launcher!” fullword wide	CC BY-NC 4.0
signature-base	apt_op_wocao.yar	description = “Process injector/launcher”	CC BY-NC 4.0
signature-base	spy_equation_fiveeyes.yar	description = “Equation Group Malware - EoP package and malware launcher”	CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.