launcher.exe

  • File Path: C:\program files\Opera\launcher.exe
  • Description: Opera Internet Browser

Hashes

Type Hash
MD5 6C55C6092C51074E772EB77821726119
SHA1 D5FE3305EB181DE3F5E557A91C5A3088972A8433
SHA256 E7043BFDEFFFB0EBC799C7087CE435506775470CB4C46F341C77EB9ECAECD355
SHA384 CF380E491ABFF3CC23480C689B75F7DC244A81BC170C45AE3F918CC01238E554B97B862E96E977228AEAA5A0E23C4D24
SHA512 DA6238925EE2783C3FAC01E2228015A8BD54C47E4EBFE7ECC03625B57274E87671CD5F9970147EE3C28048BD137F5D10F1FCB5F39419BA92270B949957D4D4B6
SSDEEP 24576:Ac/qn2FsLUT4yINSbkuwNdjNx5ZoJbaZ7hivd:d/pbbKNdZxsJeZy

Runtime Data

Child Processes:

opera.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(RW-) C:\Users\user\Documents File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\program files\Opera\launcher.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll

Signature

  • Status: Signature verified.
  • Serial: 05F4210DB2B283A32FF2AED29FCB68A4
  • Thumbprint: 878B0B298671F44FC739C08D826BB22DB1A2A021
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO

File Metadata

  • Original Filename:
  • Product Name: Opera Internet Browser
  • Company Name: Opera Software
  • File Version: 70.0.3728.133
  • Product Version: 70.0.3728.133
  • Language: English (United States)
  • Legal Copyright: Copyright Opera Software 2020

File Similarity (ssdeep match)

File Score
C:\Program Files\Opera\launcher.exe 91

Possible Misuse

The following table contains possible examples of launcher.exe being misused. While launcher.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_invoke_obfuscation_clip_services_security.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma win_invoke_obfuscation_stdin_services_security.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma win_invoke_obfuscation_var_services_security.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services_security.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services_security.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma win_invoke_obfuscation_via_var_services_security.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma win_invoke_obfuscation_via_var_services_security.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
sigma win_invoke_obfuscation_clip_services.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma win_invoke_obfuscation_stdin_services.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma win_invoke_obfuscation_var_services.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma win_invoke_obfuscation_via_rundll_services.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma win_invoke_obfuscation_via_var_services.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma win_invoke_obfuscation_via_var_services.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
sigma posh_pm_invoke_obfuscation_clip.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma posh_pm_invoke_obfuscation_stdin.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma posh_pm_invoke_obfuscation_var.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma posh_pm_invoke_obfuscation_via_rundll.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma posh_pm_invoke_obfuscation_via_rundll.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma posh_pm_invoke_obfuscation_via_var.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma posh_pm_invoke_obfuscation_via_var.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
sigma posh_ps_invoke_obfuscation_clip.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma posh_ps_invoke_obfuscation_stdin.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma posh_ps_invoke_obfuscation_var.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma posh_ps_invoke_obfuscation_via_rundll.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma posh_ps_invoke_obfuscation_via_rundll.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma posh_ps_invoke_obfuscation_via_var.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma posh_ps_invoke_obfuscation_via_var.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
sigma proc_creation_win_invoke_obfuscation_clip.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma proc_creation_win_invoke_obfuscation_stdin.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma proc_creation_win_invoke_obfuscation_var.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_rundll.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_rundll.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_var.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_var.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
sigma proc_creation_win_susp_covenant.yml title: Covenant Launcher Indicators DRL 1.0
sigma driver_load_invoke_obfuscation_clip+_services.yml title: Invoke-Obfuscation CLIP+ Launcher DRL 1.0
sigma driver_load_invoke_obfuscation_stdin+_services.yml title: Invoke-Obfuscation STDIN+ Launcher DRL 1.0
sigma driver_load_invoke_obfuscation_var+_services.yml title: Invoke-Obfuscation VAR+ Launcher DRL 1.0
sigma driver_load_invoke_obfuscation_via_rundll_services.yml title: Invoke-Obfuscation RUNDLL LAUNCHER DRL 1.0
sigma driver_load_invoke_obfuscation_via_rundll_services.yml description: Detects Obfuscated Powershell via RUNDLL LAUNCHER DRL 1.0
sigma driver_load_invoke_obfuscation_via_var++_services.yml title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION DRL 1.0
sigma driver_load_invoke_obfuscation_via_var++_services.yml description: Detects Obfuscated Powershell via VAR++ LAUNCHER DRL 1.0
malware-ioc kryptocibule .Main launcher (armsvc.exe) © ESET 2014-2018
malware-ioc misp-ramsay.json "comment": "Installer Launcher", © ESET 2014-2018
malware-ioc winnti_group ==== VMProtected launcher © ESET 2014-2018
atomic-red-team T1555.003.md if (((Test-Path “$env:LOCALAPPDATA\Programs\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files (x86)\Opera\launcher.exe”))) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s0 = “Launcher.EXE” fullword wide CC BY-NC 4.0
signature-base apt_cobaltstrike_evasive.yar description = “Detects CobaltStrike MZ header ReflectiveLoader launcher” CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s1 = “* Failed to get connection information. Aborting launcher!” fullword wide CC BY-NC 4.0
signature-base apt_op_wocao.yar description = “Process injector/launcher” CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar description = “Equation Group Malware - EoP package and malware launcher” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.