quasar | 1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

Analysis

max time kernel
600s
max time network
367s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cwel.exe
Size

3.1MB
MD5

a96e646d37c712c02f2014859c2ae1b3
SHA1

9c2a5842a9b929e66d2b92be8907d79c4f35fedf
SHA256

1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8
SHA512

eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6
SSDEEP

49152:Pv6I22SsaNYfdPBldt698dBcjH8UHNqRrcvJmkoGdXTHHB72eh2NT:Pv322SsaNYfdPBldt6+dBcjHjYrQ

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-52942.portmap.host:52942

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 41 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-1-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar
behavioral1/memory/2764-10-0x00000000009D0000-0x0000000000CF4000-memory.dmp	family_quasar
behavioral1/memory/2512-23-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/360-36-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar
behavioral1/memory/1568-47-0x0000000000A90000-0x0000000000DB4000-memory.dmp	family_quasar
behavioral1/memory/428-59-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/memory/628-70-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/1696-83-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2488-94-0x0000000000AC0000-0x0000000000DE4000-memory.dmp	family_quasar
behavioral1/memory/2464-105-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/1780-117-0x0000000000880000-0x0000000000BA4000-memory.dmp	family_quasar
behavioral1/memory/328-128-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/memory/1124-139-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/2360-150-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
behavioral1/memory/2424-162-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar
behavioral1/memory/820-212-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar
behavioral1/memory/2024-229-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/memory/2684-238-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar
behavioral1/memory/1924-247-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/1656-264-0x00000000011B0000-0x00000000014D4000-memory.dmp	family_quasar
behavioral1/memory/1820-297-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/2840-306-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar
behavioral1/memory/1804-323-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/2076-340-0x0000000000D80000-0x00000000010A4000-memory.dmp	family_quasar
behavioral1/memory/2724-349-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/740-358-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/1376-367-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/1244-376-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral1/memory/1720-385-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/2064-394-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/memory/2504-403-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/2884-412-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/1912-421-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral1/memory/1956-430-0x0000000000870000-0x0000000000B94000-memory.dmp	family_quasar
behavioral1/memory/2688-439-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar
behavioral1/memory/2676-448-0x0000000000F10000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/memory/1020-465-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/2568-474-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/memory/1164-491-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/1084-500-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar

Executes dropped EXE 53 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2764	Opera GX.exe
2512	Opera GX.exe
360	Opera GX.exe
1568	Opera GX.exe
428	Opera GX.exe
628	Opera GX.exe
1696	Opera GX.exe
2488	Opera GX.exe
2464	Opera GX.exe
1780	Opera GX.exe
328	Opera GX.exe
1124	Opera GX.exe
2360	Opera GX.exe
2424	Opera GX.exe
2140	Opera GX.exe
3008	Opera GX.exe
728	Opera GX.exe
2844	Opera GX.exe
820	Opera GX.exe
1952	Opera GX.exe
2024	Opera GX.exe
2684	Opera GX.exe
1924	Opera GX.exe
2244	Opera GX.exe
1656	Opera GX.exe
2752	Opera GX.exe
1308	Opera GX.exe
2564	Opera GX.exe
2932	Opera GX.exe
1820	Opera GX.exe
2840	Opera GX.exe
1140	Opera GX.exe
1804	Opera GX.exe
1692	Opera GX.exe
2076	Opera GX.exe
2724	Opera GX.exe
740	Opera GX.exe
1376	Opera GX.exe
1244	Opera GX.exe
1720	Opera GX.exe
2064	Opera GX.exe
2504	Opera GX.exe
2884	Opera GX.exe
1912	Opera GX.exe
1956	Opera GX.exe
2688	Opera GX.exe
2676	Opera GX.exe
2556	Opera GX.exe
1020	Opera GX.exe
2568	Opera GX.exe
2000	Opera GX.exe
1164	Opera GX.exe
1084	Opera GX.exe

Drops file in Program Files directory 64 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.execwel.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	cwel.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	cwel.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 52 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1348	PING.EXE
1924	PING.EXE
1464	PING.EXE
2572	PING.EXE
1656	PING.EXE
676	PING.EXE
2800	PING.EXE
992	PING.EXE
1336	PING.EXE
2296	PING.EXE
1292	PING.EXE
2152	PING.EXE
2368	PING.EXE
2232	PING.EXE
2640	PING.EXE
2092	PING.EXE
1604	PING.EXE
1360	PING.EXE
1928	PING.EXE
564	PING.EXE
1596	PING.EXE
2944	PING.EXE
1964	PING.EXE
1600	PING.EXE
2436	PING.EXE
2144	PING.EXE
2588	PING.EXE
2296	PING.EXE
2072	PING.EXE
2716	PING.EXE
1600	PING.EXE
1768	PING.EXE
1860	PING.EXE
2400	PING.EXE
2696	PING.EXE
1820	PING.EXE
2788	PING.EXE
2092	PING.EXE
876	PING.EXE
1740	PING.EXE
2636	PING.EXE
1512	PING.EXE
2740	PING.EXE
2036	PING.EXE
1484	PING.EXE
932	PING.EXE
2836	PING.EXE
2732	PING.EXE
728	PING.EXE
740	PING.EXE
2880	PING.EXE
2000	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 53 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2412	schtasks.exe
1388	schtasks.exe
1352	schtasks.exe
1540	schtasks.exe
3016	schtasks.exe
1084	schtasks.exe
2000	schtasks.exe
1236	schtasks.exe
468	schtasks.exe
2384	schtasks.exe
1004	schtasks.exe
960	schtasks.exe
564	schtasks.exe
2784	schtasks.exe
2148	schtasks.exe
2656	schtasks.exe
1352	schtasks.exe
2348	schtasks.exe
3004	schtasks.exe
1124	schtasks.exe
948	schtasks.exe
2896	schtasks.exe
936	schtasks.exe
1104	schtasks.exe
2492	schtasks.exe
2720	schtasks.exe
1988	schtasks.exe
1292	schtasks.exe
2644	schtasks.exe
1636	schtasks.exe
2712	schtasks.exe
528	schtasks.exe
2996	schtasks.exe
2384	schtasks.exe
2000	schtasks.exe
1388	schtasks.exe
1904	schtasks.exe
668	schtasks.exe
1348	schtasks.exe
1828	schtasks.exe
468	schtasks.exe
2584	schtasks.exe
1140	schtasks.exe
2884	schtasks.exe
568	schtasks.exe
2688	schtasks.exe
2104	schtasks.exe
2584	schtasks.exe
2004	schtasks.exe
1684	schtasks.exe
3032	schtasks.exe
2064	schtasks.exe
2780	schtasks.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

cwel.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	2444	cwel.exe
Token: SeDebugPrivilege	2764	Opera GX.exe
Token: SeDebugPrivilege	2512	Opera GX.exe
Token: SeDebugPrivilege	360	Opera GX.exe
Token: SeDebugPrivilege	1568	Opera GX.exe
Token: SeDebugPrivilege	428	Opera GX.exe
Token: SeDebugPrivilege	628	Opera GX.exe
Token: SeDebugPrivilege	1696	Opera GX.exe
Token: SeDebugPrivilege	2488	Opera GX.exe
Token: SeDebugPrivilege	2464	Opera GX.exe
Token: SeDebugPrivilege	1780	Opera GX.exe
Token: SeDebugPrivilege	328	Opera GX.exe
Token: SeDebugPrivilege	1124	Opera GX.exe
Token: SeDebugPrivilege	2360	Opera GX.exe
Token: SeDebugPrivilege	2424	Opera GX.exe
Token: SeDebugPrivilege	2140	Opera GX.exe
Token: SeDebugPrivilege	3008	Opera GX.exe
Token: SeDebugPrivilege	728	Opera GX.exe
Token: SeDebugPrivilege	2844	Opera GX.exe
Token: SeDebugPrivilege	820	Opera GX.exe
Token: SeDebugPrivilege	1952	Opera GX.exe
Token: SeDebugPrivilege	2024	Opera GX.exe
Token: SeDebugPrivilege	2684	Opera GX.exe
Token: SeDebugPrivilege	1924	Opera GX.exe
Token: SeDebugPrivilege	2244	Opera GX.exe
Token: SeDebugPrivilege	1656	Opera GX.exe
Token: SeDebugPrivilege	2752	Opera GX.exe
Token: SeDebugPrivilege	1308	Opera GX.exe
Token: SeDebugPrivilege	2932	Opera GX.exe
Token: SeDebugPrivilege	1820	Opera GX.exe
Token: SeDebugPrivilege	2840	Opera GX.exe
Token: SeDebugPrivilege	1140	Opera GX.exe
Token: SeDebugPrivilege	1804	Opera GX.exe
Token: SeDebugPrivilege	1692	Opera GX.exe
Token: SeDebugPrivilege	2076	Opera GX.exe
Token: SeDebugPrivilege	2724	Opera GX.exe
Token: SeDebugPrivilege	740	Opera GX.exe
Token: SeDebugPrivilege	1376	Opera GX.exe
Token: SeDebugPrivilege	1244	Opera GX.exe
Token: SeDebugPrivilege	1720	Opera GX.exe
Token: SeDebugPrivilege	2064	Opera GX.exe
Token: SeDebugPrivilege	2504	Opera GX.exe
Token: SeDebugPrivilege	2884	Opera GX.exe
Token: SeDebugPrivilege	1912	Opera GX.exe
Token: SeDebugPrivilege	1956	Opera GX.exe
Token: SeDebugPrivilege	2688	Opera GX.exe
Token: SeDebugPrivilege	2676	Opera GX.exe
Token: SeDebugPrivilege	2556	Opera GX.exe
Token: SeDebugPrivilege	1020	Opera GX.exe
Token: SeDebugPrivilege	2568	Opera GX.exe
Token: SeDebugPrivilege	2000	Opera GX.exe
Token: SeDebugPrivilege	1164	Opera GX.exe
Token: SeDebugPrivilege	1084	Opera GX.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

pid	process
2764	Opera GX.exe
2512	Opera GX.exe
360	Opera GX.exe
1568	Opera GX.exe
428	Opera GX.exe
628	Opera GX.exe
1696	Opera GX.exe
2488	Opera GX.exe
2464	Opera GX.exe
1780	Opera GX.exe
328	Opera GX.exe
1124	Opera GX.exe
2360	Opera GX.exe
2424	Opera GX.exe
2140	Opera GX.exe
3008	Opera GX.exe
728	Opera GX.exe
2844	Opera GX.exe
820	Opera GX.exe
1952	Opera GX.exe
2024	Opera GX.exe
2684	Opera GX.exe
1924	Opera GX.exe
2244	Opera GX.exe
1656	Opera GX.exe
2752	Opera GX.exe
1308	Opera GX.exe
2932	Opera GX.exe
1820	Opera GX.exe
2840	Opera GX.exe
1140	Opera GX.exe
1804	Opera GX.exe
1692	Opera GX.exe
2076	Opera GX.exe
2724	Opera GX.exe
740	Opera GX.exe
1376	Opera GX.exe
1244	Opera GX.exe
1720	Opera GX.exe
2064	Opera GX.exe
2504	Opera GX.exe
2884	Opera GX.exe
1912	Opera GX.exe
1956	Opera GX.exe
2688	Opera GX.exe
2676	Opera GX.exe
2556	Opera GX.exe
1020	Opera GX.exe
2568	Opera GX.exe
2000	Opera GX.exe
1164	Opera GX.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

pid	process
2764	Opera GX.exe
2512	Opera GX.exe
360	Opera GX.exe
1568	Opera GX.exe
428	Opera GX.exe
628	Opera GX.exe
1696	Opera GX.exe
2488	Opera GX.exe
2464	Opera GX.exe
1780	Opera GX.exe
328	Opera GX.exe
1124	Opera GX.exe
2360	Opera GX.exe
2424	Opera GX.exe
2140	Opera GX.exe
3008	Opera GX.exe
728	Opera GX.exe
2844	Opera GX.exe
820	Opera GX.exe
1952	Opera GX.exe
2024	Opera GX.exe
2684	Opera GX.exe
1924	Opera GX.exe
2244	Opera GX.exe
1656	Opera GX.exe
2752	Opera GX.exe
1308	Opera GX.exe
2932	Opera GX.exe
1820	Opera GX.exe
2840	Opera GX.exe
1140	Opera GX.exe
1804	Opera GX.exe
1692	Opera GX.exe
2076	Opera GX.exe
2724	Opera GX.exe
740	Opera GX.exe
1376	Opera GX.exe
1244	Opera GX.exe
1720	Opera GX.exe
2064	Opera GX.exe
2504	Opera GX.exe
2884	Opera GX.exe
1912	Opera GX.exe
1956	Opera GX.exe
2688	Opera GX.exe
2676	Opera GX.exe
2556	Opera GX.exe
1020	Opera GX.exe
2568	Opera GX.exe
2000	Opera GX.exe
1164	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cwel.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 2444 wrote to memory of 2412	2444	cwel.exe	schtasks.exe
PID 2444 wrote to memory of 2412	2444	cwel.exe	schtasks.exe
PID 2444 wrote to memory of 2412	2444	cwel.exe	schtasks.exe
PID 2444 wrote to memory of 2764	2444	cwel.exe	Opera GX.exe
PID 2444 wrote to memory of 2764	2444	cwel.exe	Opera GX.exe
PID 2444 wrote to memory of 2764	2444	cwel.exe	Opera GX.exe
PID 2764 wrote to memory of 2688	2764	Opera GX.exe	schtasks.exe
PID 2764 wrote to memory of 2688	2764	Opera GX.exe	schtasks.exe
PID 2764 wrote to memory of 2688	2764	Opera GX.exe	schtasks.exe
PID 2764 wrote to memory of 2596	2764	Opera GX.exe	cmd.exe
PID 2764 wrote to memory of 2596	2764	Opera GX.exe	cmd.exe
PID 2764 wrote to memory of 2596	2764	Opera GX.exe	cmd.exe
PID 2596 wrote to memory of 2652	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2652	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2652	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 1292	2596	cmd.exe	PING.EXE
PID 2596 wrote to memory of 1292	2596	cmd.exe	PING.EXE
PID 2596 wrote to memory of 1292	2596	cmd.exe	PING.EXE
PID 2596 wrote to memory of 2512	2596	cmd.exe	Opera GX.exe
PID 2596 wrote to memory of 2512	2596	cmd.exe	Opera GX.exe
PID 2596 wrote to memory of 2512	2596	cmd.exe	Opera GX.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 2784	2512	Opera GX.exe	cmd.exe
PID 2512 wrote to memory of 2784	2512	Opera GX.exe	cmd.exe
PID 2512 wrote to memory of 2784	2512	Opera GX.exe	cmd.exe
PID 2784 wrote to memory of 2832	2784	cmd.exe	chcp.com
PID 2784 wrote to memory of 2832	2784	cmd.exe	chcp.com
PID 2784 wrote to memory of 2832	2784	cmd.exe	chcp.com
PID 2784 wrote to memory of 728	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 728	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 728	2784	cmd.exe	PING.EXE
PID 2784 wrote to memory of 360	2784	cmd.exe	Opera GX.exe
PID 2784 wrote to memory of 360	2784	cmd.exe	Opera GX.exe
PID 2784 wrote to memory of 360	2784	cmd.exe	Opera GX.exe
PID 360 wrote to memory of 1636	360	Opera GX.exe	schtasks.exe
PID 360 wrote to memory of 1636	360	Opera GX.exe	schtasks.exe
PID 360 wrote to memory of 1636	360	Opera GX.exe	schtasks.exe
PID 360 wrote to memory of 1808	360	Opera GX.exe	cmd.exe
PID 360 wrote to memory of 1808	360	Opera GX.exe	cmd.exe
PID 360 wrote to memory of 1808	360	Opera GX.exe	cmd.exe
PID 1808 wrote to memory of 1640	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 1640	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 1640	1808	cmd.exe	chcp.com
PID 1808 wrote to memory of 1484	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1484	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1484	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 1568	1808	cmd.exe	Opera GX.exe
PID 1808 wrote to memory of 1568	1808	cmd.exe	Opera GX.exe
PID 1808 wrote to memory of 1568	1808	cmd.exe	Opera GX.exe
PID 1568 wrote to memory of 2996	1568	Opera GX.exe	schtasks.exe
PID 1568 wrote to memory of 2996	1568	Opera GX.exe	schtasks.exe
PID 1568 wrote to memory of 2996	1568	Opera GX.exe	schtasks.exe
PID 1568 wrote to memory of 2940	1568	Opera GX.exe	cmd.exe
PID 1568 wrote to memory of 2940	1568	Opera GX.exe	cmd.exe
PID 1568 wrote to memory of 2940	1568	Opera GX.exe	cmd.exe
PID 2940 wrote to memory of 2220	2940	cmd.exe	chcp.com
PID 2940 wrote to memory of 2220	2940	cmd.exe	chcp.com
PID 2940 wrote to memory of 2220	2940	cmd.exe	chcp.com
PID 2940 wrote to memory of 2092	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2092	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 2092	2940	cmd.exe	PING.EXE
PID 2940 wrote to memory of 428	2940	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cwel.exe
"C:\Users\Admin\AppData\Local\Temp\cwel.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgI6k1Jl9E8y.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2652

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1292

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\63Gibv3oSgP7.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2832

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:728

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIz7Vv33RTkX.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1484

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKKOkGyVbrT9.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2220

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2092

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:428

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H1EMzjPrrGn1.bat" "
11⤵
PID:1332

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1928

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:628

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYi6MHigEFB4.bat" "
13⤵
PID:2908

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1512

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1696

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zlkkWxfS7RxH.bat" "
15⤵
PID:2712

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2588

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XBrkrTAAXXEK.bat" "
17⤵
PID:2484

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1292

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2640

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2464

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYi0ft94DLv9.bat" "
19⤵
PID:2828

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:796

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:740

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QX8mmg36TQ0X.bat" "
21⤵
PID:1480

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2252

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2880

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
22⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:328

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\r7r7LUkcQbnr.bat" "
23⤵
PID:2796

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2092

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1124

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkQlROzBPqsz.bat" "
25⤵
PID:1772

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:1928

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1348

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
26⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2360

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1Je0DQ53ygLJ.bat" "
27⤵
PID:2448

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2564

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2400

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
28⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pV5H3bnWRcwv.bat" "
29⤵
PID:2708

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2696

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
30⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2140

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cb1Czn1rSpkh.bat" "
31⤵
PID:2496

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:1820

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1924

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
32⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3008

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NTlst9a1hbek.bat" "
33⤵
PID:2868

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:1612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:2152

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
34⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:728

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6R0JTPYMU7wc.bat" "
35⤵
PID:1616

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:2368

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1656

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
36⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2844

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuqaxK7g8y6o.bat" "
37⤵
PID:2872

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:2300

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2296

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
38⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ER7WpAH0kNsV.bat" "
39⤵
PID:1164

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:2260

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2072

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
40⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\01JkJpfVQxgX.bat" "
41⤵
PID:528

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:2164

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:992

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
42⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5W812I5RusTd.bat" "
43⤵
PID:2620

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:1464

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:2636

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
44⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2684

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ExtxeM35Xv6q.bat" "
45⤵
PID:916

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:1820

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
46⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1924

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\giXJ7I8Osly3.bat" "
47⤵
PID:2840

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:1612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:564

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ffvOf1PoFxnY.bat" "
49⤵
PID:1472

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:1736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2368

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
50⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0XUIod4UNi0r.bat" "
51⤵
PID:1828

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:2300

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:932

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
52⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nqt8vhAaFUVQ.bat" "
53⤵
PID:1532

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:2260

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:1596

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
54⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmlf3EkVvBvL.bat" "
55⤵
PID:340

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:1344

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1604

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
56⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bY4aoK7FjOZu.bat" "
57⤵
PID:1252

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:2060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:1464

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eBKTOqwOiEeL.bat" "
59⤵
PID:2708

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:876

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
60⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JfXLqcYSEVGt.bat" "
61⤵
PID:468

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:2776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:2788

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
62⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2840

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
63⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAUbgZahbWKo.bat" "
63⤵
PID:1660

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:1484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
64⤵
- Runs ping.exe
PID:1336

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
64⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1140

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
65⤵
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1nho92udz2gI.bat" "
65⤵
PID:844

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:2112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:2000

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
66⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1804

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
67⤵
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DBtMFIylDWQr.bat" "
67⤵
PID:2888

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:1532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
68⤵
- Runs ping.exe
PID:1964

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
68⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
69⤵
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4MPqd5fVQkDc.bat" "
69⤵
PID:2004

C:\Windows\system32\chcp.com
chcp 65001
70⤵
PID:3060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
70⤵
- Runs ping.exe
PID:676

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
70⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
71⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\luU83cPeMSZa.bat" "
71⤵
PID:1388

C:\Windows\system32\chcp.com
chcp 65001
72⤵
PID:2732

C:\Windows\system32\PING.EXE
ping -n 10 localhost
72⤵
- Runs ping.exe
PID:2716

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
72⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
73⤵
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkUhP66hKW51.bat" "
73⤵
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
74⤵
PID:384

C:\Windows\system32\PING.EXE
ping -n 10 localhost
74⤵
- Runs ping.exe
PID:1600

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
74⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:740

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
75⤵
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xglynfuId0wQ.bat" "
75⤵
PID:1912

C:\Windows\system32\chcp.com
chcp 65001
76⤵
PID:2224

C:\Windows\system32\PING.EXE
ping -n 10 localhost
76⤵
- Runs ping.exe
PID:2836

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
76⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
77⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEiIRDxj6oEo.bat" "
77⤵
PID:1688

C:\Windows\system32\chcp.com
chcp 65001
78⤵
PID:1504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
78⤵
- Runs ping.exe
PID:2944

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
78⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
79⤵
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2sWJc9ctddM0.bat" "
79⤵
PID:2068

C:\Windows\system32\chcp.com
chcp 65001
80⤵
PID:1516

C:\Windows\system32\PING.EXE
ping -n 10 localhost
80⤵
- Runs ping.exe
PID:1768

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
80⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1720

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
81⤵
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIe4YkzjntbV.bat" "
81⤵
PID:1604

C:\Windows\system32\chcp.com
chcp 65001
82⤵
PID:1928

C:\Windows\system32\PING.EXE
ping -n 10 localhost
82⤵
- Runs ping.exe
PID:2800

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
82⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
83⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUc94euePH5s.bat" "
83⤵
PID:2760

C:\Windows\system32\chcp.com
chcp 65001
84⤵
PID:1940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
84⤵
- Runs ping.exe
PID:1360

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
84⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2504

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
85⤵
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4pAoJuxOCpTj.bat" "
85⤵
PID:1592

C:\Windows\system32\chcp.com
chcp 65001
86⤵
PID:3020

C:\Windows\system32\PING.EXE
ping -n 10 localhost
86⤵
- Runs ping.exe
PID:2740

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
86⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2884

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
87⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\W7yAUf8dKrE1.bat" "
87⤵
PID:808

C:\Windows\system32\chcp.com
chcp 65001
88⤵
PID:796

C:\Windows\system32\PING.EXE
ping -n 10 localhost
88⤵
- Runs ping.exe
PID:2144

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
88⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1912

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
89⤵
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VvfomJeUcrbW.bat" "
89⤵
PID:2324

C:\Windows\system32\chcp.com
chcp 65001
90⤵
PID:2112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
90⤵
- Runs ping.exe
PID:2296

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
90⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
91⤵
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nkOCitqBmS5A.bat" "
91⤵
PID:2092

C:\Windows\system32\chcp.com
chcp 65001
92⤵
PID:2492

C:\Windows\system32\PING.EXE
ping -n 10 localhost
92⤵
- Runs ping.exe
PID:2232

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
92⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
93⤵
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\P6Pe7kG2EveF.bat" "
93⤵
PID:1508

C:\Windows\system32\chcp.com
chcp 65001
94⤵
PID:2408

C:\Windows\system32\PING.EXE
ping -n 10 localhost
94⤵
- Runs ping.exe
PID:2036

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
94⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2676

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
95⤵
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vd9PczE3uPTp.bat" "
95⤵
PID:2616

C:\Windows\system32\chcp.com
chcp 65001
96⤵
PID:1704

C:\Windows\system32\PING.EXE
ping -n 10 localhost
96⤵
- Runs ping.exe
PID:2732

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
96⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2556

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
97⤵
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EIYky1FxlSPZ.bat" "
97⤵
PID:384

C:\Windows\system32\chcp.com
chcp 65001
98⤵
PID:2496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
98⤵
- Runs ping.exe
PID:1600

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
98⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1020

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
99⤵
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Iu5updH7uef.bat" "
99⤵
PID:2820

C:\Windows\system32\chcp.com
chcp 65001
100⤵
PID:3012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
100⤵
- Runs ping.exe
PID:1740

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
100⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2568

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
101⤵
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zgBGWc9EPS8e.bat" "
101⤵
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
102⤵
PID:2948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
102⤵
- Runs ping.exe
PID:1860

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
102⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
103⤵
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CE8TMnhGsV7E.bat" "
103⤵
PID:1904

C:\Windows\system32\chcp.com
chcp 65001
104⤵
PID:672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
104⤵
- Runs ping.exe
PID:2436

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
104⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1164

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
105⤵
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BziC4DMKpT7y.bat" "
105⤵
PID:1604

C:\Windows\system32\chcp.com
chcp 65001
106⤵
PID:1028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
106⤵
- Runs ping.exe
PID:2572

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
106⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
a96e646d37c712c02f2014859c2ae1b3

SHA1
9c2a5842a9b929e66d2b92be8907d79c4f35fedf

SHA256
1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

SHA512
eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\01JkJpfVQxgX.bat
Filesize
201B

MD5
0f943c73cd013fb03f699618bd063431

SHA1
ae1bb2f36ecf0810be72040b8303f0ce111228f7

SHA256
d1caf2fadb643033780a3cddae0e5c5541863ce9f512d5989b495d253679e11d

SHA512
4758acca31849e5fba1a79522c36565e1632bf19e1fe2b21b5cef3b8ec6aba1fadd7926316c784a438a5f661126d239fe1ea643ecf9b11b69adc22014e1f908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0XUIod4UNi0r.bat
Filesize
201B

MD5
6dcdf1719ee8b84b58786c392fde6a09

SHA1
3715346be12eb9cae75db07fdf481b60de0f8007

SHA256
57ffff1cc7490fe32ea361d15bfb8a1813f7eae9bfd274e2a3e6c1fb6f020577

SHA512
2bfd27124e97c559b2952b45f43630fe92032a0387acdc4db699c9318959bc2886b0eb0ae243298e7e885ea3754e06f2049217694d875cd92186aa1c41467a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Je0DQ53ygLJ.bat
Filesize
201B

MD5
8e93cf509cb95e277326219cfc7e5d12

SHA1
774f05d6902e6e86dbcfda31dcc91061ce527572

SHA256
54197e1cbc9f2c3b516b61000b4b7737cb7d85fc862b58e3494608215b6e6ffb

SHA512
7e31cbb770fac3a6af4bcc458969297a9e80416e321f2d317a7ae84b72f365f8da55a8bf93b50cb3a7db57644b13641447c6a1ca5c9d23f686fa516f6648d41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nho92udz2gI.bat
Filesize
201B

MD5
db1704c9f5e2e625c158bb4c2530871a

SHA1
4826d066973288099bf2dc0c5aef655c8262618e

SHA256
b2fba05afe9e45d9b748b046d232664cd41fa2bac70be401eb830539716f6f8c

SHA512
2cb04f20004ade2e8dc534d905a2d11bffb92f838b34b14f5fd06b4c11e091575db0d82bb23a5bdf3936e64ea6a74ba586cda977e69901003a8fef4fb9935c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sWJc9ctddM0.bat
Filesize
201B

MD5
39d569ccc86aca37f2b11ece1252f921

SHA1
5f5b81f9773130536cd47ca569a000d343d30641

SHA256
6b90a513cd714d82d3d7fc3edeb91e6cd872d6ef8f8a210d2bf7b960c41020d2

SHA512
2218faa6f1ac0d5f5dd9bc529a0e822ea3964ff8738605d745cb5d3d5446598fa14d38f3b6f34613894754b640a66e846852a161f0ab87525273d3a77738abec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4MPqd5fVQkDc.bat
Filesize
201B

MD5
8b285924bbf6a50a4eb0fa5d76682e53

SHA1
ec8bb7c7ec44a24e3c8177c93860ea4531831af8

SHA256
6ac733acde9d98568fe68678e3185556242e5dcef4c9c40063f795fe8dbf9628

SHA512
85a0ad25364480e99fa2d3a3e8ecbf09346ba6c53307eee2f040c27fb93a050a3080fc89278db85b5ff7806118ac58ce075d150924cfa4494b03ed2f2083e2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pAoJuxOCpTj.bat
Filesize
201B

MD5
698fe6f771faf263729cbc9fca21a494

SHA1
f1aa975994b5a142143b009f3529e10815998d42

SHA256
6a33cedd3967a5867bd6e9cefd0fc3f7df5689fe26f0adb01adbe4f985fe741b

SHA512
6a306ef16cf758c2306611b2b3d8838743449b2ab651ab8fbb8baf7a71da9cda0ef32a1f07cab83753cc19aef42265a23c5bf5fc049685cadf86b30e2a0e101f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5W812I5RusTd.bat
Filesize
201B

MD5
ad61d279117bedcd8cf3f52518cd814c

SHA1
03246088ebe094805262e5308fae9525e2356427

SHA256
561e0f14f11186a1d6ba1bfebca5cb5ee876efd09b587502d074ca2125ee6abe

SHA512
73072816269dd78b05f8bed312cc5567d3383744acdf9ee6dc52f86b30d2c50419aac48f9c1cf67d8eaf630a66babc12dedb705c0002c0c939f85f8a0bf24a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\63Gibv3oSgP7.bat
Filesize
201B

MD5
cb8fd28e7fefceada23fd6b43fbf0435

SHA1
c7415835ee77f0c45241735d8953db5c37b1d480

SHA256
58bf068bbaa5ac0f8e9f4fde8befb94c1d81904d7219dda2c687e489769ee93f

SHA512
436a705b36d2bdf7d74647de479b1bd5dd2d10e11cbb602744e8587ca4b135eaa56b04c6498f6d330056cc6f8deba43fde03798322c317349f9d6a19bf686f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\6R0JTPYMU7wc.bat
Filesize
201B

MD5
f6b79ea3b9ae44a72ee218869b7ccbb2

SHA1
03572a073f83a0529df14eb367d984522fb20f4c

SHA256
293a8329a8910eccec0694b98f655f0e32efdca4e95348606d1ce08bea9cceb6

SHA512
4790fdd8b3453479185c7db386f5531018831ad86ecaea0517fd9abfa0c8f3ec4766a267ff4aeff54fd031ede2fa9a6cc41ae97995fefde9dd2946e043d6b2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Iu5updH7uef.bat
Filesize
201B

MD5
03b87cc0262c9c1fc37bd40483852f6e

SHA1
e3fd2e0080e5a839d3f6dcbd43108bb68357b7cb

SHA256
b0a1c27e324b8bc5370ea914175b68313a3e0b85ef48685e83d36f41b2fd3944

SHA512
84b42a63ea5eec0632570b89e2b6a56ef527de6994beb5605685ce8efb41a09e2d475cf13004524b4b9e93ec62fcf85a7f500589261a6ab89f2967d976ca2f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\BziC4DMKpT7y.bat
Filesize
201B

MD5
fb66f73fed81ca26abb2281690dd77a5

SHA1
9ded3e2527eb6a10b68ce4c5c9c7360f1e48912a

SHA256
c7c50e39a909b95bb9bae7442ea82c33ee0f5c718a717ec5b49009d3d8e3f715

SHA512
64cca3c16bf4f07c698102b93071ee7b25e427da73bd4c718c1342391b92d47027089fc4fef294509467fb9e973ffa4ddb9e083f34b2cbfa624b4aea35194c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8TMnhGsV7E.bat
Filesize
201B

MD5
54c09335d1570e59846517ad78fc7f0f

SHA1
b6ef860346c43a20d846d88c78a59657374be436

SHA256
9cda094183789be84319a81e7947298b6efbdcfe618b3d372eec340a3261297a

SHA512
66ae1472ce4ed8b18d97b171890d3b5b6481388a46a0b83e445e037292785e6499f159d58fa8bd509e09395f76420b23dd465dec2d7b61841a6f7d35c916596b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBtMFIylDWQr.bat
Filesize
201B

MD5
9cd3abd32ab5d3e15a11067d1d980af7

SHA1
33b15d8cdcfba2a174cc02445578fc61b804af3f

SHA256
95f705d2a325f781c4baf0906870132eff43ab25f77998f46f201857b597325c

SHA512
f33da94ccb603084fe9f7d7bd6e3217c7c6b65ff76efb1a0ae21f447e29a40cfdc149668ecd19a4bf3d4b938167a101ea6e658392071ab0ff3ee62d8da5606cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYi0ft94DLv9.bat
Filesize
201B

MD5
84abb21e45b23dab4feebd0c6b44463c

SHA1
5f09f5ca3067b4b7773775bafe335f53ebb6dcd0

SHA256
604b01784e620ac70b62d222ea414f3d156bf24680d0f96239a5eeb140ded66a

SHA512
ac3383b1f34f57fb885e85746c3c7dd34fa53de433dbad30eb516232e5d1937e8a5070e577999e6a837e2c35bdf681c674b29967a87e307b0596343cdef8f158

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgI6k1Jl9E8y.bat
Filesize
201B

MD5
bdedbf936949221f9846c359d845d05e

SHA1
0fcf7f8c8ef6ec199d94c0435bb32f7575bde89e

SHA256
d927eedc6d28116d4c669feb1fd696acb69f87f51d5df6cd428ff401679765bd

SHA512
475c6c905db36b2754d11d0ccec479423bd3ece3279659ba6aaf6a081d86964990bb6f3e0b03ca22cf555739a74838376e87690ea01f54e3144181811d5aecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIYky1FxlSPZ.bat
Filesize
201B

MD5
90abbf538b725a04bec1df96d70ba041

SHA1
093ad48ea1f37c90916aaae9510e396dd23b0b96

SHA256
6ec2cd1a1db57cfd642348c5bfb3af17609dadc26b1ca733b9154f07ba3fe500

SHA512
ff12b7c43b2e387c7289266af057fd60d84ce5cf8ac5094d28e38c32678f32b1be90171c7f21f27460d206d6dae3f4ad6bb304cb88c92d01c2b920a584776ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER7WpAH0kNsV.bat
Filesize
201B

MD5
4d3b6e21f8c3c86ccacca4c4b6356c9c

SHA1
5fed9f30759e2de2354b1c4c718b04d47bec5dab

SHA256
5e679de0afc1783ddeed06fd82256f05281ee3de7f8eaa7210f657d59aa48147

SHA512
84c13260c33b4cec390c0395faaf32061dd6848527cbdf25710ae6f3ce91c117ca653f7ef3e7967bc1c4a26799a8e502e77735d68ddeff2ebd80639cb4ba184a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExtxeM35Xv6q.bat
Filesize
201B

MD5
5bd71429821d170f9e285e7990b181c1

SHA1
ee1da88a135e51813b15ffbfcd5cdb94c7b54bd7

SHA256
26a30ebe5d8dd7378a11a808bcd2b937d095a1de37d0da398094f1a4f72716f4

SHA512
43b1594093c3b37c121102f656817f4a9b68dd71700c77dcf8502a232bd6276ff1697c8fd95009ebf0d52582e574950adbb2e796baa148bb32f591fe6fecd05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1EMzjPrrGn1.bat
Filesize
201B

MD5
a1ec6ce7ffde4dd7f7fa41661e005b13

SHA1
7a6e6b055f41dcf56775069581f34852cf7b240b

SHA256
41ce58de5c90a417f3e7fc40dd4424c8d599cb5bcb08033c8ce23bf637ecd540

SHA512
76a341aefe9c85a14cab9322dc4fc83a850a0b5b0b9ca5be361bf7ece4d1aebf5185d7a925115f17d35e5ff30e161b2ef4cca721266b82466c2163a1b3e830f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JfXLqcYSEVGt.bat
Filesize
201B

MD5
fb453f4032ea3656f6848daccc56280b

SHA1
1fa7caa88016cb74a6011a1d45eb0422a4319f09

SHA256
ebb7d1e20a23d2dcab78ca717db5a378706277330724fdb41cb211053f53eb90

SHA512
5093884ca7ade9242c2c83c91da471efffab3e952f8d9ab9eba7f951d037bd0c0b821367dcbba0f91b373c9fcb260f15fa83974d84e71de2d4df7ec0611f6ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkUhP66hKW51.bat
Filesize
201B

MD5
8eeed8fed5bc6f0802e82e05046632e3

SHA1
8801ad88a93787ecc2ff4791f75f0bf70bb86ce7

SHA256
bb73903a7affde9e2f97c5e07fea57f44a5ce33da15d527b888ad9ca862fc69e

SHA512
6c4160f68df8b12484803af8383044ffc767e009e5191c0eed6315e23ed3d25ae33c40acdbacddf0a52cff3b748cae4bb6788eed6687c0d4305f553ebdcaa995

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTlst9a1hbek.bat
Filesize
201B

MD5
e1acada27bf4c7ef21ab61f1cb246b94

SHA1
31a3558395899a5b287b74f08d54f03b818fda0e

SHA256
1eae761fc9234ee052153eb6591385a497a4b578f5e6a0b33ead9cbed4e92bef

SHA512
205a62156f27bf4425f52b476e2ef7473f818c0af55dff59fdb226a5be69554d994f92c8d0dee01af7937c6a5241276e43fcfccc73a9d5a3f94e0ea0cacb343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nqt8vhAaFUVQ.bat
Filesize
201B

MD5
e27b7a12d21e6a2c3751bab603d5f3be

SHA1
fbf52d1ea7e4cd0574679c4463b370b0149e538b

SHA256
1a4a7e132de60daeb0ab20947d6b6e478eb89f5bc4b834be06474e85f17e7077

SHA512
e1ed5adc89c87807a9a577b42b55656382c1da1588820ef0f8710907979f1c825b8ff1b44ab2186ba847cf376693db9d1cc826dcbbf89476cd944a43be344191

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6Pe7kG2EveF.bat
Filesize
201B

MD5
60cd6b58399f7ae740424936a709fcf6

SHA1
063b4a41286daf16427b1611264cdad628f44e34

SHA256
f7d85677cff28bdc02e14c5e7d3dc2100b9a38743fa773af9311c5a023958bae

SHA512
840ed59478b21600dfa94da19836e9fba8e75b72cb09e23d1041d55022dfb8f030df188704412184f62b3216fc185aba6147f6493a00d59ec71c96e07e6c6625

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKKOkGyVbrT9.bat
Filesize
201B

MD5
5f725e7d2b52070e2138cb83b9dafcc0

SHA1
1836053a84525d3a6ce55496284c6d7ee6b5cf9e

SHA256
031bb7957a08b7d4e6aa80d6afb190f39eb692fc18cb39ac72470d02627a23eb

SHA512
fc89752213210ae0383edf90202b8c8bae913de6bf548de5196969e2e541ac54738c8dcc9aacce62341b1e990ea0796610a353355f60d8a27016fbdd2518df69

Download Submit
C:\Users\Admin\AppData\Local\Temp\QX8mmg36TQ0X.bat
Filesize
201B

MD5
6e2dcf6c3a301ed0138f311d5cc38945

SHA1
2d2fa21b5a3e471f262081a533b7237f8bb88311

SHA256
92c945ca1e2a6a73f6874842a905854fadfd0da13d99515f1daa918835d312e8

SHA512
c6abe058590b12565201a818c0bbf63f8c529be8af84b9d49b4c860f2c98e71f985a362676edacf1161f1f226451b4aa56a5eff349872780adeb0b4089c3df95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuqaxK7g8y6o.bat
Filesize
201B

MD5
2674edc8a7d26923b159805353d853da

SHA1
7f17e19be15f3e50a45899af2aa7a9874a214f8a

SHA256
635d7097ecabd29aa4f338f2229c48b2722145d57e2b408cd7ed06c9f1c0f406

SHA512
bb9c90e42d124601fd9a6a214c4e0a66066aca1bfe5bb236278810a5697cc828e2b3ab09d98a75b3866c9d4de961c63cfdd37e48b1b89f8891a47d8e5f93d5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEiIRDxj6oEo.bat
Filesize
201B

MD5
8a2428a305874bcb253a1554a2e6b150

SHA1
2db183f799dee525a9ff7337886b61c5212117dc

SHA256
ca02a0c44787cf87d1fac5d45d702d01f6e03f488b78ed7c94589b23cef91eea

SHA512
56e051084d0799ca45fcdd0da208ffe7841355632d17fa7ad7efe0178e8189414577dfb9323aea7f79f906409b7d7c7b42b14886f1b9d1a854b6e299cf0ce38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vd9PczE3uPTp.bat
Filesize
201B

MD5
1bcfd808fc21aea98660f5e778817d4f

SHA1
aad5f93f8ec9e57123aea5d0758da29a37227c4f

SHA256
8c3c37301a39ec9ef259366296838699883eaafeac36ff0021f819e86b9ff6b0

SHA512
48ea22e7f3ae92e8a87b3272a8e798aa92404bb17737e879ec68c6aef572688c85dc3aced53f265731086fe7173770db65a426c55cdfbcff9ab1ebbcb1bb9c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvfomJeUcrbW.bat
Filesize
201B

MD5
bc24e0430578cb4b33b74734a0ebbc8a

SHA1
e2108eab905a04a8feb01d0d24e1bdf13acc7d82

SHA256
1e6639d48ca791b5a85edbbac858b0507346afa99426866f1610ca4f6094c103

SHA512
95510b3b11e4e9636c3be45cc3b2b86b05e5d754a6832434b9b236b51db225e119e376eee7fd4bc54810db27a6382f807224737c4923523e2410f37aa1b63c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7yAUf8dKrE1.bat
Filesize
201B

MD5
200d8086b48e9e499fee8e98a2d3f17e

SHA1
934bc5641bc021427820ab712a337759fad2341f

SHA256
b7889525749bafa7bf6221cda0fe0b9adcb5a44f097585ec3fdfe80127daa511

SHA512
48b734b7dc580faf08041547aea8397da408675a19b814458e1023a71dfb920b0917bdd1e03fe2d235a0d08ee2eeb309d79b93837348258c6e411e9525193ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUc94euePH5s.bat
Filesize
201B

MD5
4b69682be1540a21d4a8818d3556a8ce

SHA1
c4df0482475d1194cab6d0918486d1753841e0ac

SHA256
4e93d6c3f69a518fb86c8dca2855e9b633fd00e990b7ff61db64c018e9577d51

SHA512
f9499298e4e1cce3eab6ec97b8223db051346bab42cad539cbe8fd295368c855a7fda586aac87b7379f846649dd4d0a2511ffe122e77d6002380cfe466814a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBrkrTAAXXEK.bat
Filesize
201B

MD5
38644f21d45076eeab8a1d112379dcb0

SHA1
b5b0a99c7ab501ffaddfbf8efbfe4d2d285a6c41

SHA256
d3466dfa776a2c228a3b350ed6147a96dad3a95f8581a5a650e8545d55b97a6e

SHA512
d51dbf2c8c33158aa5459b30b489990e86511a4edbbbe8963736d5c723a5c38f9325b550489d32c1da28483d89700ace749f7ade949159053f77e8e51d420bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAUbgZahbWKo.bat
Filesize
201B

MD5
4d4852d5e889e8592f3334f118c9aaf8

SHA1
6637c976a8f6cc3ad0393fc7a0e33f985a756211

SHA256
1822c7fca6d2e2fe70d0b8869962b329d0daebe990d799892f319ecbe19baad1

SHA512
4a08265ad5d108b8acec234f0c02c6b9f0cbf37deaffbada9650b65dcec2c70f3e8c1d0d89b2e0a5621ea3ce5b064a6f1b6a199ec96ae6f350b32d208c73784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYi6MHigEFB4.bat
Filesize
201B

MD5
b6593b27242e1d6d929a76e8065d5263

SHA1
9b715b5400d11e3fd590881fbe66565e0b5eb26a

SHA256
c59e5fa099a614b487fad96485eb3c4404683e29ef0d1bef98ec99f7b25dfad8

SHA512
dafe3774b6d9aa9d66dda9ef5cec597e7d1ae5431fb1ce0f0d17f4e55635dc96c0cc7d9ff841493d8f0af8a45558c47018f1f4228b8d3971a919f9a3f97d874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIe4YkzjntbV.bat
Filesize
201B

MD5
6c0bd122657fb7df4246a85dcf26a996

SHA1
dfacf103eb8186b27fbc8926ac34efe7e3373f94

SHA256
a314c3cd4475c3f0f36758c5bdf0837ec69739d97c4bd00dd98565bc8cdf6f11

SHA512
a70b609f03ab7d06ca1bdc769aa881cb67fea186185fcf1e702979b222bb6860170825ed264570dca79a04e51e5bb2d4f310b894e8da4fad78c8870cbf53d306

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb1Czn1rSpkh.bat
Filesize
201B

MD5
cef58f5d1fd993e82faef36b86c3adff

SHA1
642b717138804d7efead7db1417ceaa08804b067

SHA256
ea8376da5ac1bf5653021e4e74e330a38e3fec61faef2d00d172e56f168e3c17

SHA512
035c93454d34cda17c6e0d1cb755c4b58a46cad5be1243e4e45141b341d0e6bc360c2cacf0c70ee930d4b0e11cd92e24681b8668d2fa86231330074f8195df3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmlf3EkVvBvL.bat
Filesize
201B

MD5
3fed5e96e51f6afd3d143ad8f933c041

SHA1
507054d976171ce6d4d233039180395d61883b6a

SHA256
8f0d5edde66c50efe592d9d514f11821991b1a7924d17bc828e6323c1cde13e4

SHA512
66153165afbf71a4840fd8013746459cfb746c34738290936d5ce9e9f51bff87a9676d3d099d2f0b24f69e4639a9798f86ed19bea60f3158b49b278d190145cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eBKTOqwOiEeL.bat
Filesize
201B

MD5
a19327dbbb5ed8ff235df52e598474e9

SHA1
f8b11165cc3fd240fc6afb57ef0ff919b65062cb

SHA256
65cf92febf1005265d57b46cde8e2c802d61cc56ac35a94029c20a79c9899304

SHA512
32680375b87cccfd5c5b1d532a30e4218815ca649bb334b555a8d0562894b0be472a6c39ce2e973129438b73b1b2382026763ac0350e2533597a2eceb77ffbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffvOf1PoFxnY.bat
Filesize
201B

MD5
df70efe7bdd1ba3aeb4719eb25b7368b

SHA1
41b5a1b3b029d62d51208d05ee1653fe046320aa

SHA256
1d97867d90680e05327394803165190ff956526ab324ecb8042be41993320431

SHA512
b527e8fa7d440200784bf2d17d779e8446e8ad7ba72efce5c9956d4e5db1b5064c5879743b63bf7e8d68267d950509509bd562575dc4052e3cd220c2a66dd308

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkQlROzBPqsz.bat
Filesize
201B

MD5
3aa407f4473eceb172cdddc6a93a19b2

SHA1
f289231d458120eb24573f0645274bd61bf600eb

SHA256
83af85c31d49367d83835ec328e92ae8c92287e0b3575a87f9cf46856cc8f9b8

SHA512
55f9f181c52c246461da78fdcb9d092736bf72a87e4dfc7c3ba915842612d781c22bfebf83f925a5410fcbb700800e69fe1b7b7e9137a42eb8a5a9450bd5574b

Download Submit
C:\Users\Admin\AppData\Local\Temp\giXJ7I8Osly3.bat
Filesize
201B

MD5
63024484c90407d36b47f8946be47720

SHA1
494d6e827161b898d6ab8680958a602bf94935d0

SHA256
76c05cc62945178876c703a86e77490868ca917a2bda4a4ccaaecdcc24078f43

SHA512
8bbe41e5ae593169dea22f336f0cfcc6fce8cf18a23d387610b86d7ddd0ebed531dc55abf25861cb7e7edaf9cc6aa4706a27ad80e41a45424bd00241653902fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\luU83cPeMSZa.bat
Filesize
201B

MD5
4660f4c8bbe32cfbb5299832ddddf3b6

SHA1
ea54fd49c35b3f9cf050bcf5e6dcf2653fd26836

SHA256
49b048e1a9401caed9f070ed993abd4542f5eec8465f535da370b898830873de

SHA512
1194acbcd4357287adfe42c43ca7478af42bfa30eb378baf0419c53a6a2e6af2a0df6abbe939f8078cd468da585340c7fd62ce4f952640544ffd4fda35d9013c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkOCitqBmS5A.bat
Filesize
201B

MD5
1488797222ec820bc5a5552ad87c33ab

SHA1
7f40b12741ab7ab25d1338d6243eb08f30e142f3

SHA256
3598b68367bd6c885631e58ed09f6955575d7d07d3c780b76c8ef9bab126a759

SHA512
f693adfa564654b2f1ed5098225514865ed1942cb7121cb6e676d128a0b8f982f6938353c205d9129d4580758ad6578a29fd53934b7d48b6d22125bd871e1f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIz7Vv33RTkX.bat
Filesize
201B

MD5
32ec2d97ac1ecb0264109e834f47c854

SHA1
9000dd058beb8b55f3951c24fb73f227b04db831

SHA256
912f9e6979d5282986259797aeafce84e0d427949f82b283daae8603a252e97e

SHA512
c95eb7f82b3e87b298a7e1e2205f8ed6238bab543fcc634b73b87df7377e0f5f82e01dff32a27a8ed450e702361fc460c16faa552be300d41eef155273847888

Download Submit
C:\Users\Admin\AppData\Local\Temp\pV5H3bnWRcwv.bat
Filesize
201B

MD5
8b8f1e2d0e7b1c5b7a3279c372780287

SHA1
55efa1612aa9a37bfd41cd803ae8d5654a5ef231

SHA256
bf4c3ee10820d1ff6f3b6059b560028fbb09e7e9b1d4c0b406dfe8a17a2b46a6

SHA512
75fb7a61c453c713c933553e7d356b32acf7de28065cbf02f18dab0ca53b4d8065cff75449f90069f17dfb018319fea6169fc7c5a7b1eff6e2e57696e8e18475

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7r7LUkcQbnr.bat
Filesize
201B

MD5
34678a38176d7924b5189ebc67c17767

SHA1
c2e3c84b51cec306785f107316a873f67f4cf095

SHA256
99d811f3fccc580d2f9d0d51e86acf744877415380aff5c459aff23daa1e31db

SHA512
a80792c33fdbfc2219c3e6109a8ae30ab777c1e6f46e1c51b3f6d38cf6dd58d3de631eef0e59653ca83b475d99d927768e8bfdf3d2a2a4cad01891dc8bda84f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xglynfuId0wQ.bat
Filesize
201B

MD5
bd6f737c7304df43ee3ad2ecbe4a204a

SHA1
7bdbe885feaf958fda6b3272567513f3f9cbb91b

SHA256
ec63ff5d2f3d2bdb48fc411364d8a8ebec9b9421ea0247196042c9211c85803f

SHA512
accfba34a2fad332ea971ec81af4e03c7b8f9d627facbf481ec1de6b2c51b1c16f42f8f0dc302fc2ddc25d70c6e2e859eb706afe04f7a85d6c2ff211a0aa29cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgBGWc9EPS8e.bat
Filesize
201B

MD5
82e77525aae238cfc527098107b4ecbe

SHA1
8bf01fb419cc1f49b0d490e022a9232f2863c75b

SHA256
cbecde2aecdce24851f880046c68e4b127518acc5689ceb764f4169e25122b02

SHA512
38888ef112833b75bf0049ba7f4fefe0e2d23d5e419e980c59f4d67c2dbdfe6b0b6f94284091f101a3784d58a8603720c1e867d853c6d4c3b853cb11718bdcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkkWxfS7RxH.bat
Filesize
201B

MD5
89515e37072c25f2ab3392e7da1be716

SHA1
78e3284c7da406d2f0d02390b6bb7b3d0bed18c6

SHA256
4fd5762cba2af5ee0f3e487c5031157399b635d2a08b3dc3ded278cad999846f

SHA512
a4494dd40a21caa4d5d262d79b619a5958f33b820779619b49da28c19344ed1e114ef54e0bd7dce58601dd338ab77425b4cf62b0f796ab89c39675901d3a520b

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/328-128-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/360-36-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download
memory/428-59-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/628-70-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/740-358-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/820-212-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/1020-465-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/1084-500-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/1124-139-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/1164-491-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/1244-376-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/1376-367-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/1568-47-0x0000000000A90000-0x0000000000DB4000-memory.dmp

Filesize
3.1MB

Download
memory/1656-264-0x00000000011B0000-0x00000000014D4000-memory.dmp

Filesize
3.1MB

Download
memory/1696-83-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/1720-385-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/1780-117-0x0000000000880000-0x0000000000BA4000-memory.dmp

Filesize
3.1MB

Download
memory/1804-323-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/1820-297-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/1912-421-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/1924-247-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/1956-430-0x0000000000870000-0x0000000000B94000-memory.dmp

Filesize
3.1MB

Download
memory/2024-229-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/2064-394-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/2076-340-0x0000000000D80000-0x00000000010A4000-memory.dmp

Filesize
3.1MB

Download
memory/2360-150-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/2424-162-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/2444-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/2444-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2444-1-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/2444-8-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-105-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2488-94-0x0000000000AC0000-0x0000000000DE4000-memory.dmp

Filesize
3.1MB

Download
memory/2504-403-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2512-23-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/2568-474-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/2676-448-0x0000000000F10000-0x0000000001234000-memory.dmp

Filesize
3.1MB

Download
memory/2684-238-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/2688-439-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/2724-349-0x00000000010A0000-0x00000000013C4000-memory.dmp

Filesize
3.1MB

Download
memory/2764-11-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-10-0x00000000009D0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/2764-9-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2764-21-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-306-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/2884-412-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download