quasar | 1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

Analysis

max time kernel
594s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cwel.exe
Size

3.1MB
MD5

a96e646d37c712c02f2014859c2ae1b3
SHA1

9c2a5842a9b929e66d2b92be8907d79c4f35fedf
SHA256

1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8
SHA512

eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6
SSDEEP

49152:Pv6I22SsaNYfdPBldt698dBcjH8UHNqRrcvJmkoGdXTHHB72eh2NT:Pv322SsaNYfdPBldt6+dBcjHjYrQ

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-52942.portmap.host:52942

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/1060-1-0x0000000000C10000-0x0000000000F34000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar

resource	yara_rule
behavioral2/memory/1060-1-0x0000000000C10000-0x0000000000F34000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

Checks computer location settings 2 TTPs 56 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Opera GX.exe

Executes dropped EXE 56 IoCs

Processes:

pid	process
4060	Opera GX.exe
5076	Opera GX.exe
4164	Opera GX.exe
1624	Opera GX.exe
2356	Opera GX.exe
2164	Opera GX.exe
3572	Opera GX.exe
4648	Opera GX.exe
4904	Opera GX.exe
1708	Opera GX.exe
4292	Opera GX.exe
2888	Opera GX.exe
636	Opera GX.exe
2136	Opera GX.exe
2880	Opera GX.exe
3700	Opera GX.exe
4576	Opera GX.exe
2576	Opera GX.exe
1056	Opera GX.exe
4124	Opera GX.exe
1264	Opera GX.exe
4744	Opera GX.exe
3112	Opera GX.exe
3276	Opera GX.exe
1944	Opera GX.exe
2664	Opera GX.exe
1252	Opera GX.exe
2824	Opera GX.exe
2092	Opera GX.exe
1576	Opera GX.exe
4380	Opera GX.exe
3732	Opera GX.exe
4572	Opera GX.exe
4368	Opera GX.exe
1052	Opera GX.exe
2384	Opera GX.exe
1060	Opera GX.exe
3292	Opera GX.exe
1628	Opera GX.exe
1296	Opera GX.exe
3076	Opera GX.exe
988	Opera GX.exe
2768	Opera GX.exe
3552	Opera GX.exe
2132	Opera GX.exe
3492	Opera GX.exe
4988	Opera GX.exe
2564	Opera GX.exe
1420	Opera GX.exe
4276	Opera GX.exe
2392	Opera GX.exe
3212	Opera GX.exe
4652	Opera GX.exe
3600	Opera GX.exe
1556	Opera GX.exe
1468	Opera GX.exe

Drops file in Program Files directory 64 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.execwel.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	cwel.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	cwel.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 56 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1348	PING.EXE
2824	PING.EXE
760	PING.EXE
1072	PING.EXE
4932	PING.EXE
4664	PING.EXE
4652	PING.EXE
844	PING.EXE
4544	PING.EXE
3032	PING.EXE
3840	PING.EXE
4900	PING.EXE
884	PING.EXE
1056	PING.EXE
1256	PING.EXE
4156	PING.EXE
3008	PING.EXE
3108	PING.EXE
1140	PING.EXE
1616	PING.EXE
3772	PING.EXE
4272	PING.EXE
4824	PING.EXE
3980	PING.EXE
4076	PING.EXE
1980	PING.EXE
1800	PING.EXE
1648	PING.EXE
404	PING.EXE
1532	PING.EXE
380	PING.EXE
4436	PING.EXE
4076	PING.EXE
3016	PING.EXE
552	PING.EXE
3244	PING.EXE
1736	PING.EXE
4664	PING.EXE
1624	PING.EXE
2496	PING.EXE
3656	PING.EXE
1116	PING.EXE
2212	PING.EXE
1168	PING.EXE
3500	PING.EXE
1348	PING.EXE
1464	PING.EXE
1532	PING.EXE
3552	PING.EXE
4832	PING.EXE
4632	PING.EXE
4172	PING.EXE
2448	PING.EXE
4820	PING.EXE
4452	PING.EXE
2236	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1788	schtasks.exe
4272	schtasks.exe
4368	schtasks.exe
2864	schtasks.exe
4508	schtasks.exe
2832	schtasks.exe
4252	schtasks.exe
1440	schtasks.exe
4432	schtasks.exe
1740	schtasks.exe
1284	schtasks.exe
3172	schtasks.exe
3780	schtasks.exe
3020	schtasks.exe
2272	schtasks.exe
4824	schtasks.exe
2724	schtasks.exe
3512	schtasks.exe
2660	schtasks.exe
3236	schtasks.exe
4124	schtasks.exe
1168	schtasks.exe
2212	schtasks.exe
4208	schtasks.exe
4092	schtasks.exe
4208	schtasks.exe
5072	schtasks.exe
968	schtasks.exe
4492	schtasks.exe
1020	schtasks.exe
1396	schtasks.exe
3328	schtasks.exe
3440	schtasks.exe
1172	schtasks.exe
116	schtasks.exe
4100	schtasks.exe
4800	schtasks.exe
4384	schtasks.exe
1940	schtasks.exe
4400	schtasks.exe
3212	schtasks.exe
2400	schtasks.exe
4252	schtasks.exe
3848	schtasks.exe
2008	schtasks.exe
1000	schtasks.exe
1164	schtasks.exe
1220	schtasks.exe
2784	schtasks.exe
4172	schtasks.exe
1868	schtasks.exe
2604	schtasks.exe
3548	schtasks.exe
4664	schtasks.exe
3500	schtasks.exe
4168	schtasks.exe
840	schtasks.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

cwel.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	1060	cwel.exe
Token: SeDebugPrivilege	4060	Opera GX.exe
Token: SeDebugPrivilege	5076	Opera GX.exe
Token: SeDebugPrivilege	4164	Opera GX.exe
Token: SeDebugPrivilege	1624	Opera GX.exe
Token: SeDebugPrivilege	2356	Opera GX.exe
Token: SeDebugPrivilege	2164	Opera GX.exe
Token: SeDebugPrivilege	3572	Opera GX.exe
Token: SeDebugPrivilege	4648	Opera GX.exe
Token: SeDebugPrivilege	4904	Opera GX.exe
Token: SeDebugPrivilege	1708	Opera GX.exe
Token: SeDebugPrivilege	4292	Opera GX.exe
Token: SeDebugPrivilege	2888	Opera GX.exe
Token: SeDebugPrivilege	636	Opera GX.exe
Token: SeDebugPrivilege	2136	Opera GX.exe
Token: SeDebugPrivilege	2880	Opera GX.exe
Token: SeDebugPrivilege	3700	Opera GX.exe
Token: SeDebugPrivilege	4576	Opera GX.exe
Token: SeDebugPrivilege	2576	Opera GX.exe
Token: SeDebugPrivilege	1056	Opera GX.exe
Token: SeDebugPrivilege	4124	Opera GX.exe
Token: SeDebugPrivilege	1264	Opera GX.exe
Token: SeDebugPrivilege	4744	Opera GX.exe
Token: SeDebugPrivilege	3112	Opera GX.exe
Token: SeDebugPrivilege	3276	Opera GX.exe
Token: SeDebugPrivilege	1944	Opera GX.exe
Token: SeDebugPrivilege	2664	Opera GX.exe
Token: SeDebugPrivilege	1252	Opera GX.exe
Token: SeDebugPrivilege	2824	Opera GX.exe
Token: SeDebugPrivilege	2092	Opera GX.exe
Token: SeDebugPrivilege	1576	Opera GX.exe
Token: SeDebugPrivilege	4380	Opera GX.exe
Token: SeDebugPrivilege	3732	Opera GX.exe
Token: SeDebugPrivilege	4572	Opera GX.exe
Token: SeDebugPrivilege	4368	Opera GX.exe
Token: SeDebugPrivilege	1052	Opera GX.exe
Token: SeDebugPrivilege	2384	Opera GX.exe
Token: SeDebugPrivilege	1060	Opera GX.exe
Token: SeDebugPrivilege	3292	Opera GX.exe
Token: SeDebugPrivilege	1628	Opera GX.exe
Token: SeDebugPrivilege	1296	Opera GX.exe
Token: SeDebugPrivilege	3076	Opera GX.exe
Token: SeDebugPrivilege	988	Opera GX.exe
Token: SeDebugPrivilege	2768	Opera GX.exe
Token: SeDebugPrivilege	3552	Opera GX.exe
Token: SeDebugPrivilege	2132	Opera GX.exe
Token: SeDebugPrivilege	3492	Opera GX.exe
Token: SeDebugPrivilege	4988	Opera GX.exe
Token: SeDebugPrivilege	2564	Opera GX.exe
Token: SeDebugPrivilege	1420	Opera GX.exe
Token: SeDebugPrivilege	4276	Opera GX.exe
Token: SeDebugPrivilege	2392	Opera GX.exe
Token: SeDebugPrivilege	3212	Opera GX.exe
Token: SeDebugPrivilege	4652	Opera GX.exe
Token: SeDebugPrivilege	3600	Opera GX.exe
Token: SeDebugPrivilege	1556	Opera GX.exe
Token: SeDebugPrivilege	1468	Opera GX.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

pid	process
4060	Opera GX.exe
5076	Opera GX.exe
4164	Opera GX.exe
1624	Opera GX.exe
2356	Opera GX.exe
2164	Opera GX.exe
3572	Opera GX.exe
4648	Opera GX.exe
4904	Opera GX.exe
1708	Opera GX.exe
4292	Opera GX.exe
2888	Opera GX.exe
636	Opera GX.exe
2136	Opera GX.exe
2880	Opera GX.exe
3700	Opera GX.exe
4576	Opera GX.exe
2576	Opera GX.exe
1056	Opera GX.exe
4124	Opera GX.exe
1264	Opera GX.exe
4744	Opera GX.exe
3112	Opera GX.exe
3276	Opera GX.exe
1944	Opera GX.exe
2664	Opera GX.exe
1252	Opera GX.exe
2824	Opera GX.exe
2092	Opera GX.exe
1576	Opera GX.exe
4380	Opera GX.exe
3732	Opera GX.exe
4572	Opera GX.exe
4368	Opera GX.exe
1052	Opera GX.exe
2384	Opera GX.exe
1060	Opera GX.exe
3292	Opera GX.exe
1628	Opera GX.exe
1296	Opera GX.exe
3076	Opera GX.exe
988	Opera GX.exe
2768	Opera GX.exe
3552	Opera GX.exe
2132	Opera GX.exe
3492	Opera GX.exe
4988	Opera GX.exe
2564	Opera GX.exe
1420	Opera GX.exe
4276	Opera GX.exe
2392	Opera GX.exe
3212	Opera GX.exe
4652	Opera GX.exe
3600	Opera GX.exe
1556	Opera GX.exe
1468	Opera GX.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

pid	process
4060	Opera GX.exe
5076	Opera GX.exe
4164	Opera GX.exe
1624	Opera GX.exe
2356	Opera GX.exe
2164	Opera GX.exe
3572	Opera GX.exe
4648	Opera GX.exe
4904	Opera GX.exe
1708	Opera GX.exe
4292	Opera GX.exe
2888	Opera GX.exe
636	Opera GX.exe
2136	Opera GX.exe
2880	Opera GX.exe
3700	Opera GX.exe
4576	Opera GX.exe
2576	Opera GX.exe
1056	Opera GX.exe
4124	Opera GX.exe
1264	Opera GX.exe
4744	Opera GX.exe
3112	Opera GX.exe
3276	Opera GX.exe
1944	Opera GX.exe
2664	Opera GX.exe
1252	Opera GX.exe
2824	Opera GX.exe
2092	Opera GX.exe
1576	Opera GX.exe
4380	Opera GX.exe
3732	Opera GX.exe
4572	Opera GX.exe
4368	Opera GX.exe
1052	Opera GX.exe
2384	Opera GX.exe
1060	Opera GX.exe
3292	Opera GX.exe
1628	Opera GX.exe
1296	Opera GX.exe
3076	Opera GX.exe
988	Opera GX.exe
2768	Opera GX.exe
3552	Opera GX.exe
2132	Opera GX.exe
3492	Opera GX.exe
4988	Opera GX.exe
2564	Opera GX.exe
1420	Opera GX.exe
4276	Opera GX.exe
2392	Opera GX.exe
3212	Opera GX.exe
4652	Opera GX.exe
3600	Opera GX.exe
1556	Opera GX.exe
1468	Opera GX.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exe

pid process

3600 Opera GX.exe
1556 Opera GX.exe
1468 Opera GX.exe

pid	process
3600	Opera GX.exe
1556	Opera GX.exe
1468	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cwel.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 3780	1060	cwel.exe	schtasks.exe
PID 1060 wrote to memory of 3780	1060	cwel.exe	schtasks.exe
PID 1060 wrote to memory of 4060	1060	cwel.exe	Opera GX.exe
PID 1060 wrote to memory of 4060	1060	cwel.exe	Opera GX.exe
PID 4060 wrote to memory of 1020	4060	Opera GX.exe	schtasks.exe
PID 4060 wrote to memory of 1020	4060	Opera GX.exe	schtasks.exe
PID 4060 wrote to memory of 100	4060	Opera GX.exe	cmd.exe
PID 4060 wrote to memory of 100	4060	Opera GX.exe	cmd.exe
PID 100 wrote to memory of 4300	100	cmd.exe	chcp.com
PID 100 wrote to memory of 4300	100	cmd.exe	chcp.com
PID 100 wrote to memory of 1624	100	cmd.exe	PING.EXE
PID 100 wrote to memory of 1624	100	cmd.exe	PING.EXE
PID 100 wrote to memory of 5076	100	cmd.exe	Opera GX.exe
PID 100 wrote to memory of 5076	100	cmd.exe	Opera GX.exe
PID 5076 wrote to memory of 4400	5076	Opera GX.exe	schtasks.exe
PID 5076 wrote to memory of 4400	5076	Opera GX.exe	schtasks.exe
PID 5076 wrote to memory of 5060	5076	Opera GX.exe	cmd.exe
PID 5076 wrote to memory of 5060	5076	Opera GX.exe	cmd.exe
PID 5060 wrote to memory of 5088	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 5088	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 2448	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 2448	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 4164	5060	cmd.exe	Opera GX.exe
PID 5060 wrote to memory of 4164	5060	cmd.exe	Opera GX.exe
PID 4164 wrote to memory of 2832	4164	Opera GX.exe	schtasks.exe
PID 4164 wrote to memory of 2832	4164	Opera GX.exe	schtasks.exe
PID 4164 wrote to memory of 1920	4164	Opera GX.exe	cmd.exe
PID 4164 wrote to memory of 1920	4164	Opera GX.exe	cmd.exe
PID 1920 wrote to memory of 3752	1920	cmd.exe	chcp.com
PID 1920 wrote to memory of 3752	1920	cmd.exe	chcp.com
PID 1920 wrote to memory of 1532	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1532	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1624	1920	cmd.exe	Opera GX.exe
PID 1920 wrote to memory of 1624	1920	cmd.exe	Opera GX.exe
PID 1624 wrote to memory of 1788	1624	Opera GX.exe	schtasks.exe
PID 1624 wrote to memory of 1788	1624	Opera GX.exe	schtasks.exe
PID 1624 wrote to memory of 1348	1624	Opera GX.exe	cmd.exe
PID 1624 wrote to memory of 1348	1624	Opera GX.exe	cmd.exe
PID 1348 wrote to memory of 3696	1348	cmd.exe	chcp.com
PID 1348 wrote to memory of 3696	1348	cmd.exe	chcp.com
PID 1348 wrote to memory of 2496	1348	cmd.exe	PING.EXE
PID 1348 wrote to memory of 2496	1348	cmd.exe	PING.EXE
PID 1348 wrote to memory of 2356	1348	cmd.exe	Opera GX.exe
PID 1348 wrote to memory of 2356	1348	cmd.exe	Opera GX.exe
PID 2356 wrote to memory of 1164	2356	Opera GX.exe	schtasks.exe
PID 2356 wrote to memory of 1164	2356	Opera GX.exe	schtasks.exe
PID 2356 wrote to memory of 4904	2356	Opera GX.exe	cmd.exe
PID 2356 wrote to memory of 4904	2356	Opera GX.exe	cmd.exe
PID 4904 wrote to memory of 2008	4904	cmd.exe	chcp.com
PID 4904 wrote to memory of 2008	4904	cmd.exe	chcp.com
PID 4904 wrote to memory of 4820	4904	cmd.exe	PING.EXE
PID 4904 wrote to memory of 4820	4904	cmd.exe	PING.EXE
PID 4904 wrote to memory of 2164	4904	cmd.exe	Opera GX.exe
PID 4904 wrote to memory of 2164	4904	cmd.exe	Opera GX.exe
PID 2164 wrote to memory of 3212	2164	Opera GX.exe	schtasks.exe
PID 2164 wrote to memory of 3212	2164	Opera GX.exe	schtasks.exe
PID 2164 wrote to memory of 4236	2164	Opera GX.exe	cmd.exe
PID 2164 wrote to memory of 4236	2164	Opera GX.exe	cmd.exe
PID 4236 wrote to memory of 4400	4236	cmd.exe	chcp.com
PID 4236 wrote to memory of 4400	4236	cmd.exe	chcp.com
PID 4236 wrote to memory of 380	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 380	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 3572	4236	cmd.exe	Opera GX.exe
PID 4236 wrote to memory of 3572	4236	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cwel.exe
"C:\Users\Admin\AppData\Local\Temp\cwel.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UpXkN653aCTy.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4300

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1624

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\odHpvVXVPx9x.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:5088

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2448

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kbx5Ylyk7cx6.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1532

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r2Lg6pEHcLsw.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3696

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2496

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5SvOERsy33f1.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4820

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jPsE4TBGploh.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:380

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMsJqijOvSsV.bat" "
15⤵
PID:3328

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1348

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4648

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Si8Tk4k3koUy.bat" "
17⤵
PID:4116

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:1704

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4652

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYAsVZK99ePR.bat" "
19⤵
PID:816

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2412

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3840

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1708

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcbKH80vmdhs.bat" "
21⤵
PID:1464

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1648

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:844

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4292

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t0Y4g3O9PQO0.bat" "
23⤵
PID:220

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:3308

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1056

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCJLdMoNhUNi.bat" "
25⤵
PID:1388

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:4276

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4544

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyhKDYQDAt5J.bat" "
27⤵
PID:1556

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4452

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzX2SKS1LK6m.bat" "
29⤵
PID:4564

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:4772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4156

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hB7ALd6vS1FG.bat" "
31⤵
PID:4952

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:3012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1348

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3700

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a1ZUqss8V61P.bat" "
33⤵
PID:3312

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:4508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4900

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0UPMl3cLsBpQ.bat" "
35⤵
PID:2120

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:344

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:3008

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y6ItnML88IVr.bat" "
37⤵
PID:1740

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:4760

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3552

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29dJN6Y4281I.bat" "
39⤵
PID:2496

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:5088

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3772

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4124

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2fVIUT9bAXBX.bat" "
41⤵
PID:4516

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:3440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3656

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1264

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7HEfudORRcok.bat" "
43⤵
PID:3344

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:1572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:1464

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u6vd55AD5SFG.bat" "
45⤵
PID:4604

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:1736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:2824

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VllRoyQ4PhiB.bat" "
47⤵
PID:2460

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:4336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3108

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3276

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pH9itUSPydz7.bat" "
49⤵
PID:2012

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:552

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1944

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cnqNY3uRDlm4.bat" "
51⤵
PID:3752

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:4656

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1116

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2664

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sJWg9ZRj1YOv.bat" "
53⤵
PID:1788

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:2100

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:4436

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbfhavof3mQq.bat" "
55⤵
PID:1940

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:2084

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4076

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jpR0SOmJdNzz.bat" "
57⤵
PID:2412

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:3472

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:1980

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2092

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMNwJCqv0nMs.bat" "
59⤵
PID:1584

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:2236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:4272

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oB1xbwQ51J7G.bat" "
61⤵
PID:1060

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:4312

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:1800

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
63⤵
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FR9Mm41DzvZe.bat" "
63⤵
PID:3292

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:3752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
64⤵
- Runs ping.exe
PID:1648

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
64⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
65⤵
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OBHMxAN77Zdu.bat" "
65⤵
PID:4912

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:4636

C:\Windows\system32\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:4824

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
66⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
67⤵
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3cfhYpXERjLp.bat" "
67⤵
PID:2956

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:3336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
68⤵
- Runs ping.exe
PID:1140

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
68⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
69⤵
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FentbURtSENi.bat" "
69⤵
PID:5096

C:\Windows\system32\chcp.com
chcp 65001
70⤵
PID:3508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
70⤵
- Runs ping.exe
PID:3244

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
70⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1052

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
71⤵
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\slN9uY7Hdj1c.bat" "
71⤵
PID:3172

C:\Windows\system32\chcp.com
chcp 65001
72⤵
PID:4272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
72⤵
- Runs ping.exe
PID:2212

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
72⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2384

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
73⤵
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUX8V5bMfVcy.bat" "
73⤵
PID:920

C:\Windows\system32\chcp.com
chcp 65001
74⤵
PID:2104

C:\Windows\system32\PING.EXE
ping -n 10 localhost
74⤵
- Runs ping.exe
PID:4632

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
74⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
75⤵
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4NNeygybuiBN.bat" "
75⤵
PID:1548

C:\Windows\system32\chcp.com
chcp 65001
76⤵
PID:2872

C:\Windows\system32\PING.EXE
ping -n 10 localhost
76⤵
- Runs ping.exe
PID:4172

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
76⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3292

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
77⤵
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZLeyTL4G8sb.bat" "
77⤵
PID:4436

C:\Windows\system32\chcp.com
chcp 65001
78⤵
PID:5044

C:\Windows\system32\PING.EXE
ping -n 10 localhost
78⤵
- Runs ping.exe
PID:3032

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
78⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
79⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kT5euvRQcPG6.bat" "
79⤵
PID:2280

C:\Windows\system32\chcp.com
chcp 65001
80⤵
PID:2752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
80⤵
- Runs ping.exe
PID:1736

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
80⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1296

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
81⤵
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P8xvfe21NMFX.bat" "
81⤵
PID:3228

C:\Windows\system32\chcp.com
chcp 65001
82⤵
PID:1740

C:\Windows\system32\PING.EXE
ping -n 10 localhost
82⤵
- Runs ping.exe
PID:1168

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
82⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3076

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
83⤵
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nq8QCFFfJkaj.bat" "
83⤵
PID:1212

C:\Windows\system32\chcp.com
chcp 65001
84⤵
PID:4840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
84⤵
- Runs ping.exe
PID:4664

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
84⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:988

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
85⤵
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L3OLjeliwi1D.bat" "
85⤵
PID:2272

C:\Windows\system32\chcp.com
chcp 65001
86⤵
PID:4516

C:\Windows\system32\PING.EXE
ping -n 10 localhost
86⤵
- Runs ping.exe
PID:1616

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
86⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
87⤵
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAPUvAGU3eUw.bat" "
87⤵
PID:2700

C:\Windows\system32\chcp.com
chcp 65001
88⤵
PID:2480

C:\Windows\system32\PING.EXE
ping -n 10 localhost
88⤵
- Runs ping.exe
PID:4832

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
88⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3552

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
89⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\khmFmme0L4XF.bat" "
89⤵
PID:1748

C:\Windows\system32\chcp.com
chcp 65001
90⤵
PID:4756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
90⤵
- Runs ping.exe
PID:2236

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
90⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2132

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
91⤵
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCxE810j97V3.bat" "
91⤵
PID:4632

C:\Windows\system32\chcp.com
chcp 65001
92⤵
PID:1768

C:\Windows\system32\PING.EXE
ping -n 10 localhost
92⤵
- Runs ping.exe
PID:760

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
93⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\820rMvt25ajh.bat" "
93⤵
PID:768

C:\Windows\system32\chcp.com
chcp 65001
94⤵
PID:1760

C:\Windows\system32\PING.EXE
ping -n 10 localhost
94⤵
- Runs ping.exe
PID:884

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
94⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4988

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
95⤵
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeYIm8kdEv5I.bat" "
95⤵
PID:2272

C:\Windows\system32\chcp.com
chcp 65001
96⤵
PID:2920

C:\Windows\system32\PING.EXE
ping -n 10 localhost
96⤵
- Runs ping.exe
PID:404

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
96⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
97⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iZia0a0HFQ8N.bat" "
97⤵
PID:2720

C:\Windows\system32\chcp.com
chcp 65001
98⤵
PID:5104

C:\Windows\system32\PING.EXE
ping -n 10 localhost
98⤵
- Runs ping.exe
PID:1256

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
98⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
99⤵
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S0eRxBrdhKpr.bat" "
99⤵
PID:3352

C:\Windows\system32\chcp.com
chcp 65001
100⤵
PID:2236

C:\Windows\system32\PING.EXE
ping -n 10 localhost
100⤵
- Runs ping.exe
PID:3016

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
100⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4276

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
101⤵
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lPEncHSpMbHg.bat" "
101⤵
PID:4688

C:\Windows\system32\chcp.com
chcp 65001
102⤵
PID:4440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
102⤵
- Runs ping.exe
PID:3980

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
102⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2392

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
103⤵
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQX5lC5WH0WI.bat" "
103⤵
PID:4768

C:\Windows\system32\chcp.com
chcp 65001
104⤵
PID:2100

C:\Windows\system32\PING.EXE
ping -n 10 localhost
104⤵
- Runs ping.exe
PID:1072

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
104⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3212

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
105⤵
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dZ6W1139mkVl.bat" "
105⤵
PID:400

C:\Windows\system32\chcp.com
chcp 65001
106⤵
PID:100

C:\Windows\system32\PING.EXE
ping -n 10 localhost
106⤵
- Runs ping.exe
PID:4076

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
106⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
107⤵
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCelXsy9CnOU.bat" "
107⤵
PID:2260

C:\Windows\system32\chcp.com
chcp 65001
108⤵
PID:3044

C:\Windows\system32\PING.EXE
ping -n 10 localhost
108⤵
- Runs ping.exe
PID:1532

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
108⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
109⤵
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMQ45T3FCaua.bat" "
109⤵
PID:3252

C:\Windows\system32\chcp.com
chcp 65001
110⤵
PID:2948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
110⤵
- Runs ping.exe
PID:4932

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
110⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
111⤵
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2DRVmPq1e3xI.bat" "
111⤵
PID:916

C:\Windows\system32\chcp.com
chcp 65001
112⤵
PID:5044

C:\Windows\system32\PING.EXE
ping -n 10 localhost
112⤵
- Runs ping.exe
PID:4664

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
112⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
113⤵
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cBd3bwnTUTRR.bat" "
113⤵
PID:768

C:\Windows\system32\chcp.com
chcp 65001
114⤵
PID:1764

C:\Windows\system32\PING.EXE
ping -n 10 localhost
114⤵
- Runs ping.exe
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=1740 /prefetch:8
1⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2316,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:8
1⤵
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
a96e646d37c712c02f2014859c2ae1b3

SHA1
9c2a5842a9b929e66d2b92be8907d79c4f35fedf

SHA256
1e2e7d27900d3e3956f582ec7f286d7fe87d943562cfe94e4a2248888e3894b8

SHA512
eeebf4d049cd72d2d0a732921df9c24deb3323c18a5ca6eaec7bdb7b509106498c6b8b1b7daa33d0aa3e4bb7acdabb9eac29a872c217b6521c7415963d71b4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Opera GX.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0UPMl3cLsBpQ.bat
Filesize
201B

MD5
31bf4415091d5ad4912ed5da143747cd

SHA1
38f6abdeb317fe617e040897283f26acf4d97cc4

SHA256
d6852ab862ed2fd930cde8abb30a9b6a076c2dbcec1722873fe20f95e388b399

SHA512
bc4970552d332c1269404cee565c947de27bf30d6fb33a51330fa67c4b78d873169a14ad0b22c4c5a672f151d5c883941de24a4aadf2fcb4d0d16a338258fabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\29dJN6Y4281I.bat
Filesize
201B

MD5
142d440b3b21ea3b5d012a742480b8ab

SHA1
ad05c47fe588e815e33a0c29b21498fd32377571

SHA256
a0340ca0041ad6c327168de1ed5a3391d34ba88ee98cec06f1c46f89c7efe012

SHA512
824d97761f6a65720ec8fbb9e964c732d93ecaf66818179e5e7739ed7c3f765ad5be7f91d828271b2299b80ae6e2e113b4d487f28c10a70bedad353128818e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fVIUT9bAXBX.bat
Filesize
201B

MD5
54c13900afec8fc4111a74b6384b2a84

SHA1
416d6505b83d078c02f1645caeaad0bf132ef7de

SHA256
47f26a475b49fd2550abda1b47f49b03a739ce22eba31552d090c38ae9c09b03

SHA512
c925e36062536783789c317f625a9957ec6918b1584fbbcea1790d88d7c4f7458ddc901ec77919bec38ed129e13c083300080431492903b38ce8deab2430d5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\5SvOERsy33f1.bat
Filesize
201B

MD5
360f3b9224b30b80322030d5a400d9c4

SHA1
56b30aeb5673c81442203b21a345fd4b69ab3caa

SHA256
7943f2ca9cf14ed3273b05a9852f13820bbb665a51685785caf45b65dd210c16

SHA512
411f8eb0e15039782a93b1648891f44726ceee287debcbc3058778fffc144026fca2d42ea257d0214e7108ab6246a3c57890472cf3a8b90c75556bc168342dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7HEfudORRcok.bat
Filesize
201B

MD5
c35e696ce756fb8cb5f4abf7b1a7c09b

SHA1
4837aa986a4e304660318ca5e35b62d2f1c342a5

SHA256
32759f9b5f2f765ffd01a7bef1840d6f13a3d294a556ec0556b9b6a857a07727

SHA512
ea0735736edddc8b22e8d8cbf236792142f64f6a8fbb9f64a1fe0497fb94d58f0dd8c99208e20d590368fd07d58e55d8f8d7b15cd4cdbd16f6732a44d12bef4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FR9Mm41DzvZe.bat
Filesize
201B

MD5
186d70c7911f46ea80790e73146114d4

SHA1
f3e74612f4ff70b0c4e08df0136b279707c2b585

SHA256
332aa1cf81150f2091553ac26d027ffef5a26ff7ed387927518e9abb2d6b3633

SHA512
4213a4675ab53cf077c04c817acb69caca88b1f41e463cd0bc62fb57e80846e1168a8bba7816400a308188c295885bc4bd3194a38e0daa40c6154a4dbb14d1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCJLdMoNhUNi.bat
Filesize
201B

MD5
b6751ffc583b33285b228d09625c73cd

SHA1
1154598df140421946e0b372a29f40b09b09af47

SHA256
bfb09ee0fb36571eaaec4560962a46c6a845513322692c85cd824032ac975d9b

SHA512
042ab78ee7c82762e578ad761d55ec71717aa61006f33f0c3045029dfa7270470adf13092d4f9c2f9bff0a4f27d48f328305924d8453d303dd956bf6d11d569e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcbKH80vmdhs.bat
Filesize
201B

MD5
4ac8501ebbd20a1f24deeb312e934503

SHA1
4a3c738a3187321dc3a007a21d44319f046fe956

SHA256
87ccac6f89645a979588e060d5bb8cd5eec6d8e86b6ebf7222c9679b05deaa47

SHA512
913f7f412b25e2aac991ab11aabac65b91a961c34e9cf1d3072c699c8b3e73f7338e649bfa0514d3abd6f7205c2c37dd9646be209bb729d97a9dd4d68138509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMNwJCqv0nMs.bat
Filesize
201B

MD5
46d24de96dfb47d983362745c5026a0c

SHA1
ef8d0a407151cdf9771cdf86fd22b64d2f8a140e

SHA256
8cd816f113d7d03316f390d707619d6a631d00265c6e5173fdf54a717414d758

SHA512
a6edf9187b5b2bcbebf353025599d91e169eed352c80fe1cf850f4cd49e7791dadcec93ea9c270798a261a666052d44ae0c296a5bde7ace0d39350bc62d12341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Si8Tk4k3koUy.bat
Filesize
201B

MD5
64708b9ac0724c93bb538f77fa2e7964

SHA1
a72a45d9adc4c301a22164dbcf42fcc7e68b3b5e

SHA256
2d27aef7d392e4871512fe99484c2b870c37b171c3161672b6d6e04452a70d45

SHA512
9fb96b7dbbfa5648b0b6be518b0d9f27862dcaf653e7401ca7eb0a291c762019ed55c5bfe5c8384bafc0d32e68b35d63e84b54761bda8c86304928d78bc185d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpXkN653aCTy.bat
Filesize
201B

MD5
e89a368fcb7f5b14be340b92d00c7fb4

SHA1
c080dce41bb3e457bfece223f2345899c65f4994

SHA256
ca93d8c829ec12072972487315ef6aca05a7a6302c72c9d24afe74bb1deac77c

SHA512
afb712a56c512c3f61b7e48178c9319e85259a5c856fd115f5e94dd8dfa4a0da42b2e5f2f5a59d344051b8dcaa3e7de8007f106aba3e0e70bd1d8792042219dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMsJqijOvSsV.bat
Filesize
201B

MD5
cc77c026c24606380c8dbc408ec7051b

SHA1
d901cd5bf24ff9ec9ae648ac170efea947e6a61a

SHA256
c86a7debaf9a2e77bdbfdb91d682cadb4b3a051c7bb3f205d35634eb52ee07f3

SHA512
a0dd54e436777da95d6739e3e2daec7087809617e667bd48381c0eb7e49b13fa8e1dde624a4f6602842ea009f9582bce20bc7bb66feaa309dd3771d2b3c87afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VllRoyQ4PhiB.bat
Filesize
201B

MD5
e2315c01ef32d61a38ee976f8e944693

SHA1
2b6e1e3a2de88964502c38c761046aeaf38de641

SHA256
b034c389bdd1b23aaefc2bbcd3997004eae95c291c899b168effa513743195ca

SHA512
496b07cb7b95e378793617ef4a6480dacd56eec935c8fa32bc7f948a42a7398e82fcc9974c398a419b93c4c418e3ff54f8cb25e951d6e89c0944e03acfe2e7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYAsVZK99ePR.bat
Filesize
201B

MD5
5ed8bc494b3bd6dec44f4704fc2fafdd

SHA1
fb5054f8dd124e3ca0bd80ef320fa3c15e02a27e

SHA256
0a46e8e7f9ec0db806ccf665c9b797fe16d535f676e325800d443a63345c5257

SHA512
d9531418f813f559721d6eeb38b4f6189624a25be3a1eed34179217af86b1f5c0e2b1c67b7f413238a8a05968bec9ac8ccab7ccff464eafe513e67441d579138

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y6ItnML88IVr.bat
Filesize
201B

MD5
332a3c0681651bac7b91e0ad0a2d2196

SHA1
702607c8f9a4d43a265cc89049b2f9e0544e1fd9

SHA256
82b3a13dd44152ddc023b66a4ec527dadc55ac6e2a9afc3a090b87bac840cb8e

SHA512
970428edaca688b1fb5e9388e48c7eca62bb5ecd1cd82534c5d24989740298f4ee6eb7425bd66146dc0767bf1f26b0bc5d47f9dd6558767f3cbf117be00be247

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1ZUqss8V61P.bat
Filesize
201B

MD5
93fd7952aae582ba12b72171641a2c6a

SHA1
d3bff97c7b55128a9ee589da18e18e32c22f5c04

SHA256
e591937d8ad53ed45652546d3a43c46b1a0ed8395bce87afe3c09005faeb373b

SHA512
471bcedb192a3471e47e16450a4833199954d73f91322985fabfd59680192ca503e8158221f7a8948ad1c20620ec96ef8c6a2d2145b24269302f066be91cd58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnqNY3uRDlm4.bat
Filesize
201B

MD5
2c769b250d56c3100d5378eedec198ef

SHA1
99f95dcb6f3f837884f0655e58f8ee3c52eb72cc

SHA256
f4e6c10bee00198fa6f3d41f0d2b082e6ca449673d9067a54b70602897986aab

SHA512
5082aacfc1e910dc712d442c89105ab801e8265e72bfa3029fbe066dfba4dede75671780b81eff92b575f1fd7bc294d82485aa3f2ff00314dea6cb48d851dbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbfhavof3mQq.bat
Filesize
201B

MD5
a867a1ac6a2a21156a4fbccad642b8bc

SHA1
2c0f02072550130cd1d97a3f4c39e956a86baf50

SHA256
fd2621e41c77fc7b7c715bb5ad1b93e3e53e66c0b7e7920819ffcb497da6ac40

SHA512
5201361a306e6a961e9acb7fecc35901c3cf7b490b60004ae64fb86e6d48c45a7629e90c3ea4180c60939786ba1c8c924044eee32dabdfb05dd156a6ba66b9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hB7ALd6vS1FG.bat
Filesize
201B

MD5
c2da720f51082bd9fc27a4e4ba4f9f48

SHA1
ad186eae7a9eb63a0603feed714fec54b6738997

SHA256
c781fcce9b3298a3e105e99d11f7feb265d776a720589fbe14a8581cc690d151

SHA512
5999e3ef7e98f74caf3cc74b89b9d00b9db799d8bc4bee52921c4553cf77b269d23036aca8df345533df03f58730932b09c01b9c9f281f38ca12590cdab25937

Download Submit
C:\Users\Admin\AppData\Local\Temp\jPsE4TBGploh.bat
Filesize
201B

MD5
a31c722e8f72423a0bdbca04e65ae554

SHA1
55330ca15317ea2ccabece6364e9ea78e08c5c0e

SHA256
e0431decabefac81b4bb3997d6231a0930501a977e8805bced67bf743741db2b

SHA512
19a69f7bd59efd597915772df666f03faa94687f15b169dfc33bf98423d8216db9baacb51bb56b65d2d38061a5b8e38c91b6ef3936de959cba94c8a65a3f3b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpR0SOmJdNzz.bat
Filesize
201B

MD5
4390cb28dc5be163bfa7fc56dd8cb9ed

SHA1
8f864b5b6d56956839584282aa137d1f48e88116

SHA256
25357f9caec764ef22e7ca24ddac0a5b47e0d6d08fa816139e4992a39563d02b

SHA512
57fc9882d2fafaa11586f7bd8e7609cd174744f3f44d8d6101fe57a30f65b9a9950468825ad42eac1b540738377eda79aecea1d1815f1f00c075fcca21128170

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbx5Ylyk7cx6.bat
Filesize
201B

MD5
360681cffc22e30c765231485024a300

SHA1
09cf9dceca2e25e62238fe292ac41e5a728ef494

SHA256
9dd03f94ed46b8d6c78fc94134705158ca77aff272a31e30c2d20418065263c4

SHA512
f248e511e6c8cd10ebac7e3d86fbb9c06dcb1bb14880a57a1ace42c7cc93e8eee6196369f0b0c986545a9e3a732b6de5263486f61090f309de7097e06a98662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oB1xbwQ51J7G.bat
Filesize
201B

MD5
01d42fc223c05a312ee9d0a94975866e

SHA1
b14512e0d19721e04c09236536c4cca284358372

SHA256
b35ed8f2cace1d13c61bbc5d92d3976b1b88a31e955ac032a177ed7401013b75

SHA512
7e968816f6b5ac371d432c7abafb9e0229992690d534ad6d8b89de7cf6be7d840e9254bc4e0074900e6d98cde7d9d17671d7ebb791c1e937a58059d686ae8de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\odHpvVXVPx9x.bat
Filesize
201B

MD5
0adaaab071dccecab6b453128e9cf0cd

SHA1
681fb2e027b927aba6879c6b1b785217f42749d9

SHA256
ca30d73792c370cee68196b6c710e0e042b299c5f74e06af1bcf0e30012fa90e

SHA512
032fcbb70c9e8dc663413d8aec7dc6bc04230949eed03aeafc304b54db94b1f2b9827ad942751e3296b2cd5a48e432153db58d16224515fa91654d7568d65da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pH9itUSPydz7.bat
Filesize
201B

MD5
e67e7f7d74fd76586600067b50c9c162

SHA1
00d03f08e6664ea337f61d3fe06a0dd190f83b33

SHA256
b66c74ec9187abcce87e1cccfe0bd680705efbabd67eada3aab35980379e46ae

SHA512
d182e58745b6e52328125b2d1dfb52be8d5217dc60ba1487c38ef20a33b2e0accf566a0c457c1a72cf62c16dfd3d3a8d90c3a38bd130cba84b9918b623c9dd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2Lg6pEHcLsw.bat
Filesize
201B

MD5
035cfcbb920156cdf05fb6e62de83194

SHA1
af1104a655f2254129341aab984ad99e19cca162

SHA256
4ba0f49938cf11295aa8b429aab5e96f970ea213d144336a752f4fcf21d41a95

SHA512
9f5c0a620cef85162de6f33b7877bff1587d95f021772dd591280da9068b2b52baf2ad35e23f618afbfdcfa12ffc719f6ba642f87a2befef3fd8bff33a4c5d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJWg9ZRj1YOv.bat
Filesize
201B

MD5
93f86b3a70d6984aeb2b0dcf7348071a

SHA1
15907bb894f07dd12bcde364998b7dfbab798226

SHA256
2b6dbebb231047ca8a1ce0ee07f59e98cbcc8a37edd6da38c889a9decd6340e9

SHA512
2e71f2448fc664fcdab2ff7e22fe95bb606cf55dbe962d44259be0a7577a5ec32667597769303f00b5a525041ecec157759cae3d53e176fbe411ffe4830ec25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0Y4g3O9PQO0.bat
Filesize
201B

MD5
c2794b0e92ceb8bdbf9caf9e6c377b37

SHA1
91d5bafb13a7fb635da1611e4fbdcd4489be7a6b

SHA256
256dc6907bada153967910002799fa37734131b044e4f4871b246ddbd8ebd4ae

SHA512
e429d5b88bea693bed231dc2034adf579471acb2e05c5ef02b02a407b51b65a7eae4971dc1ad0a44df3dedbcddb74536d96b66d01dba60ffd393c2787b5083a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u6vd55AD5SFG.bat
Filesize
201B

MD5
c99c2817e93860771a9b311d51a79993

SHA1
36847287787a3d7971f1dc66a2a02c419b771212

SHA256
d97b31039f5846dce8b59d2d3d6a3d572b4739c3f1ff63ac022e7a00bb7d6079

SHA512
01a10c06a0b68302edb2bb6598116979d4e9995bb040aba4f7e387b2267f1556e944e48197ddbe39d5f11ca87c37fc2d0d1c17a1c08bf564095596af35f394d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzX2SKS1LK6m.bat
Filesize
201B

MD5
3bdd4a4e7160230e67d5d27e877dcdd9

SHA1
b4938230a729b197e4ad50fdfa2a38fad2ae881c

SHA256
3618604d2834414c8da7f75220e98a97c2d3a0521bd139e87e278cf1f0dcaf2f

SHA512
92bc5461b2924d1b7305df4e6a9d1cd9cfc6a4c3d2554a1f1eb5c70f3982959e14d6fc17ae8bc25f5eb0d77d23f9db251c88ac59028c4d7cae74e9fa65df6edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyhKDYQDAt5J.bat
Filesize
201B

MD5
fa975850094d30d346ae9c775c2a9499

SHA1
594f2b6e7eb151d21313d1f157ae589aa124b766

SHA256
d8a92b4faa05fcd2b57b4053365f8f9cccb3bff11289aaa9b4e6967338f488e9

SHA512
2ed53f219f02a79406f8b6e6392b3ec139b93311fba8e152f5af6f055fe74ecc5b32d3058f1d312424d6042994ad40ddde98841c970dbee49b3c7deb7a98f240

Download Submit
memory/1060-2-0x00007FFAAC1A0000-0x00007FFAACC61000-memory.dmp

Filesize
10.8MB

Download
memory/1060-10-0x00007FFAAC1A0000-0x00007FFAACC61000-memory.dmp

Filesize
10.8MB

Download
memory/1060-0-0x00007FFAAC1A3000-0x00007FFAAC1A5000-memory.dmp

Filesize
8KB

Download
memory/1060-1-0x0000000000C10000-0x0000000000F34000-memory.dmp

Filesize
3.1MB

Download
memory/4060-9-0x00007FFAAC1A0000-0x00007FFAACC61000-memory.dmp

Filesize
10.8MB

Download
memory/4060-11-0x00007FFAAC1A0000-0x00007FFAACC61000-memory.dmp

Filesize
10.8MB

Download
memory/4060-12-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/4060-18-0x00007FFAAC1A0000-0x00007FFAACC61000-memory.dmp

Filesize
10.8MB

Download
memory/4060-13-0x000000001BDA0000-0x000000001BE52000-memory.dmp

Filesize
712KB

Download