quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
589s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3232-1-0x0000000000340000-0x0000000000664000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar

resource	yara_rule
behavioral2/memory/3232-1-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Opera GX.exe

Executes dropped EXE 31 IoCs

Processes:

pid	process
1016	Opera GX.exe
1068	Opera GX.exe
2676	Opera GX.exe
2740	Opera GX.exe
3308	Opera GX.exe
1088	Opera GX.exe
3040	Opera GX.exe
4536	Opera GX.exe
2980	Opera GX.exe
3552	Opera GX.exe
4732	Opera GX.exe
536	Opera GX.exe
1576	Opera GX.exe
4216	Opera GX.exe
1496	Opera GX.exe
1156	Opera GX.exe
628	Opera GX.exe
3220	Opera GX.exe
2732	Opera GX.exe
5040	Opera GX.exe
2464	Opera GX.exe
1668	Opera GX.exe
1352	Opera GX.exe
2324	Opera GX.exe
3700	Opera GX.exe
2364	Opera GX.exe
740	Opera GX.exe
3248	Opera GX.exe
1468	Opera GX.exe
1220	Opera GX.exe
808	Opera GX.exe

Drops file in Program Files directory 64 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe512.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	512.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	512.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4968	PING.EXE
3172	PING.EXE
1124	PING.EXE
2600	PING.EXE
392	PING.EXE
3528	PING.EXE
620	PING.EXE
3960	PING.EXE
4068	PING.EXE
5092	PING.EXE
5020	PING.EXE
2040	PING.EXE
2724	PING.EXE
2608	PING.EXE
4348	PING.EXE
1908	PING.EXE
3496	PING.EXE
2292	PING.EXE
1576	PING.EXE
2848	PING.EXE
3720	PING.EXE
4988	PING.EXE
2856	PING.EXE
2224	PING.EXE
2308	PING.EXE
2948	PING.EXE
4872	PING.EXE
1608	PING.EXE
4368	PING.EXE
2596	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 32 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2292	schtasks.exe
736	schtasks.exe
4356	schtasks.exe
3688	schtasks.exe
1668	schtasks.exe
1720	schtasks.exe
2724	schtasks.exe
212	schtasks.exe
4272	schtasks.exe
1384	schtasks.exe
5032	schtasks.exe
3716	schtasks.exe
4392	schtasks.exe
3212	schtasks.exe
5116	schtasks.exe
4164	schtasks.exe
3376	schtasks.exe
1944	schtasks.exe
4568	schtasks.exe
984	schtasks.exe
3364	schtasks.exe
536	schtasks.exe
3860	schtasks.exe
4356	schtasks.exe
1212	schtasks.exe
4432	schtasks.exe
2468	schtasks.exe
4880	schtasks.exe
1248	schtasks.exe
2288	schtasks.exe
1292	schtasks.exe
2148	schtasks.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

512.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	3232	512.exe
Token: SeDebugPrivilege	1016	Opera GX.exe
Token: SeDebugPrivilege	1068	Opera GX.exe
Token: SeDebugPrivilege	2676	Opera GX.exe
Token: SeDebugPrivilege	2740	Opera GX.exe
Token: SeDebugPrivilege	3308	Opera GX.exe
Token: SeDebugPrivilege	1088	Opera GX.exe
Token: SeDebugPrivilege	3040	Opera GX.exe
Token: SeDebugPrivilege	4536	Opera GX.exe
Token: SeDebugPrivilege	2980	Opera GX.exe
Token: SeDebugPrivilege	3552	Opera GX.exe
Token: SeDebugPrivilege	4732	Opera GX.exe
Token: SeDebugPrivilege	536	Opera GX.exe
Token: SeDebugPrivilege	1576	Opera GX.exe
Token: SeDebugPrivilege	4216	Opera GX.exe
Token: SeDebugPrivilege	1496	Opera GX.exe
Token: SeDebugPrivilege	1156	Opera GX.exe
Token: SeDebugPrivilege	628	Opera GX.exe
Token: SeDebugPrivilege	3220	Opera GX.exe
Token: SeDebugPrivilege	2732	Opera GX.exe
Token: SeDebugPrivilege	5040	Opera GX.exe
Token: SeDebugPrivilege	2464	Opera GX.exe
Token: SeDebugPrivilege	1668	Opera GX.exe
Token: SeDebugPrivilege	1352	Opera GX.exe
Token: SeDebugPrivilege	2324	Opera GX.exe
Token: SeDebugPrivilege	3700	Opera GX.exe
Token: SeDebugPrivilege	2364	Opera GX.exe
Token: SeDebugPrivilege	740	Opera GX.exe
Token: SeDebugPrivilege	3248	Opera GX.exe
Token: SeDebugPrivilege	1468	Opera GX.exe
Token: SeDebugPrivilege	1220	Opera GX.exe
Token: SeDebugPrivilege	808	Opera GX.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

pid	process
1016	Opera GX.exe
1068	Opera GX.exe
2676	Opera GX.exe
2740	Opera GX.exe
3308	Opera GX.exe
1088	Opera GX.exe
3040	Opera GX.exe
4536	Opera GX.exe
2980	Opera GX.exe
3552	Opera GX.exe
4732	Opera GX.exe
536	Opera GX.exe
1576	Opera GX.exe
4216	Opera GX.exe
1496	Opera GX.exe
1156	Opera GX.exe
628	Opera GX.exe
3220	Opera GX.exe
2732	Opera GX.exe
5040	Opera GX.exe
2464	Opera GX.exe
1668	Opera GX.exe
1352	Opera GX.exe
2324	Opera GX.exe
3700	Opera GX.exe
2364	Opera GX.exe
740	Opera GX.exe
3248	Opera GX.exe
1468	Opera GX.exe
1220	Opera GX.exe
808	Opera GX.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

pid	process
1016	Opera GX.exe
1068	Opera GX.exe
2676	Opera GX.exe
2740	Opera GX.exe
3308	Opera GX.exe
1088	Opera GX.exe
3040	Opera GX.exe
4536	Opera GX.exe
2980	Opera GX.exe
3552	Opera GX.exe
4732	Opera GX.exe
536	Opera GX.exe
1576	Opera GX.exe
4216	Opera GX.exe
1496	Opera GX.exe
1156	Opera GX.exe
628	Opera GX.exe
3220	Opera GX.exe
2732	Opera GX.exe
5040	Opera GX.exe
2464	Opera GX.exe
1668	Opera GX.exe
1352	Opera GX.exe
2324	Opera GX.exe
3700	Opera GX.exe
2364	Opera GX.exe
740	Opera GX.exe
3248	Opera GX.exe
1468	Opera GX.exe
1220	Opera GX.exe
808	Opera GX.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

pid	process
1016	Opera GX.exe
1088	Opera GX.exe
3040	Opera GX.exe
4536	Opera GX.exe
2980	Opera GX.exe
3552	Opera GX.exe
4732	Opera GX.exe
536	Opera GX.exe
1576	Opera GX.exe
4216	Opera GX.exe
1496	Opera GX.exe
1156	Opera GX.exe
628	Opera GX.exe
3220	Opera GX.exe
2732	Opera GX.exe
5040	Opera GX.exe
2464	Opera GX.exe
1668	Opera GX.exe
1352	Opera GX.exe
2324	Opera GX.exe
3700	Opera GX.exe
740	Opera GX.exe
3248	Opera GX.exe
1468	Opera GX.exe
1220	Opera GX.exe
808	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

512.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 1384	3232	512.exe	schtasks.exe
PID 3232 wrote to memory of 1384	3232	512.exe	schtasks.exe
PID 3232 wrote to memory of 1016	3232	512.exe	Opera GX.exe
PID 3232 wrote to memory of 1016	3232	512.exe	Opera GX.exe
PID 1016 wrote to memory of 536	1016	Opera GX.exe	schtasks.exe
PID 1016 wrote to memory of 536	1016	Opera GX.exe	schtasks.exe
PID 1016 wrote to memory of 908	1016	Opera GX.exe	cmd.exe
PID 1016 wrote to memory of 908	1016	Opera GX.exe	cmd.exe
PID 908 wrote to memory of 384	908	cmd.exe	chcp.com
PID 908 wrote to memory of 384	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1576	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1576	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1068	908	cmd.exe	Opera GX.exe
PID 908 wrote to memory of 1068	908	cmd.exe	Opera GX.exe
PID 1068 wrote to memory of 3688	1068	Opera GX.exe	schtasks.exe
PID 1068 wrote to memory of 3688	1068	Opera GX.exe	schtasks.exe
PID 1068 wrote to memory of 4516	1068	Opera GX.exe	cmd.exe
PID 1068 wrote to memory of 4516	1068	Opera GX.exe	cmd.exe
PID 4516 wrote to memory of 400	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 400	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 1608	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 1608	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 2676	4516	cmd.exe	Opera GX.exe
PID 4516 wrote to memory of 2676	4516	cmd.exe	Opera GX.exe
PID 2676 wrote to memory of 1720	2676	Opera GX.exe	schtasks.exe
PID 2676 wrote to memory of 1720	2676	Opera GX.exe	schtasks.exe
PID 2676 wrote to memory of 4456	2676	Opera GX.exe	cmd.exe
PID 2676 wrote to memory of 4456	2676	Opera GX.exe	cmd.exe
PID 4456 wrote to memory of 3476	4456	cmd.exe	chcp.com
PID 4456 wrote to memory of 3476	4456	cmd.exe	chcp.com
PID 4456 wrote to memory of 2948	4456	cmd.exe	PING.EXE
PID 4456 wrote to memory of 2948	4456	cmd.exe	PING.EXE
PID 4456 wrote to memory of 2740	4456	cmd.exe	Opera GX.exe
PID 4456 wrote to memory of 2740	4456	cmd.exe	Opera GX.exe
PID 2740 wrote to memory of 1668	2740	Opera GX.exe	schtasks.exe
PID 2740 wrote to memory of 1668	2740	Opera GX.exe	schtasks.exe
PID 2740 wrote to memory of 4292	2740	Opera GX.exe	cmd.exe
PID 2740 wrote to memory of 4292	2740	Opera GX.exe	cmd.exe
PID 4292 wrote to memory of 5012	4292	cmd.exe	chcp.com
PID 4292 wrote to memory of 5012	4292	cmd.exe	chcp.com
PID 4292 wrote to memory of 4368	4292	cmd.exe	PING.EXE
PID 4292 wrote to memory of 4368	4292	cmd.exe	PING.EXE
PID 4292 wrote to memory of 3308	4292	cmd.exe	Opera GX.exe
PID 4292 wrote to memory of 3308	4292	cmd.exe	Opera GX.exe
PID 3308 wrote to memory of 2724	3308	Opera GX.exe	schtasks.exe
PID 3308 wrote to memory of 2724	3308	Opera GX.exe	schtasks.exe
PID 3308 wrote to memory of 4504	3308	Opera GX.exe	cmd.exe
PID 3308 wrote to memory of 4504	3308	Opera GX.exe	cmd.exe
PID 4504 wrote to memory of 5016	4504	cmd.exe	chcp.com
PID 4504 wrote to memory of 5016	4504	cmd.exe	chcp.com
PID 4504 wrote to memory of 4348	4504	cmd.exe	PING.EXE
PID 4504 wrote to memory of 4348	4504	cmd.exe	PING.EXE
PID 4504 wrote to memory of 1088	4504	cmd.exe	Opera GX.exe
PID 4504 wrote to memory of 1088	4504	cmd.exe	Opera GX.exe
PID 1088 wrote to memory of 5032	1088	Opera GX.exe	schtasks.exe
PID 1088 wrote to memory of 5032	1088	Opera GX.exe	schtasks.exe
PID 1088 wrote to memory of 3232	1088	Opera GX.exe	cmd.exe
PID 1088 wrote to memory of 3232	1088	Opera GX.exe	cmd.exe
PID 3232 wrote to memory of 2680	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 2680	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 2856	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 2856	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3040	3232	cmd.exe	Opera GX.exe
PID 3232 wrote to memory of 3040	3232	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\512.exe
"C:\Users\Admin\AppData\Local\Temp\512.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eT1RYEQGKVll.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:384

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1576

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9mVnOFUDBfNC.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1608

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t2sG1TTkS5ZD.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2948

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x7HiDO9yCaZl.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:5012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4368

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3XCv3QfHJ0uO.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:5016

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4348

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaegfVcR8knn.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2680

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2856

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUgfn9xVu6cV.bat" "
15⤵
PID:2716

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:4484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2596

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\88mBntQDqnBw.bat" "
17⤵
PID:4980

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2040

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1908

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1otUjzcH6OaY.bat" "
19⤵
PID:4116

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:4448

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1124

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1yNaN3CmYdjP.bat" "
21⤵
PID:5016

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2308

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2848

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r3zuGwcDlVDS.bat" "
23⤵
PID:1120

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:4632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2600

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiyRZiN4z35O.bat" "
25⤵
PID:2440

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:3292

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3720

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kENeu0EmhL4D.bat" "
27⤵
PID:3236

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3496

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L7XMMqRFA91i.bat" "
29⤵
PID:3648

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:4432

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:5020

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKuEBWbrZhno.bat" "
31⤵
PID:4584

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:2568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:392

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uxtNcsoF62ZE.bat" "
33⤵
PID:4376

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:1388

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:620

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:628

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YzDzd61ypN0e.bat" "
35⤵
PID:2840

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:4612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:3528

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZmihJnh2YLU.bat" "
37⤵
PID:4140

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:1628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4988

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vjOkthQmeYDZ.bat" "
39⤵
PID:1800

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:4200

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2224

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNzbonQXv2yo.bat" "
41⤵
PID:3304

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:3560

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2040

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6OvWckWo97S.bat" "
43⤵
PID:5004

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:4872

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cr6TcHys1tMN.bat" "
45⤵
PID:5112

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:4852

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4968

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2i7Oczb2V7Jv.bat" "
47⤵
PID:832

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2308

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t075rewLWIwW.bat" "
49⤵
PID:3288

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:1540

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2292

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EpVTr9TvQFga.bat" "
51⤵
PID:1972

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:3356

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:3960

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2364

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w0el4JzgN78m.bat" "
53⤵
PID:4460

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:4648

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2724

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f3RZnOz8bjz7.bat" "
55⤵
PID:3688

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:4788

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:2608

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaoNn0u9WNPH.bat" "
57⤵
PID:2996

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:3648

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:4068

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgCylke5enGs.bat" "
59⤵
PID:3996

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:4288

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:5092

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4LLDxofg0p7.bat" "
61⤵
PID:1388

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:548

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:3172

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
62⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
63⤵
- Scheduled Task/Job: Scheduled Task
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
317a46786b73fccfafa5b5678c1a21a1

SHA1
e72c0001fb47a477514f5abdb348ae489de65f72

SHA256
1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

SHA512
237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Opera GX.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1otUjzcH6OaY.bat
Filesize
201B

MD5
cab55ea9ec827d948a9392412b2deeea

SHA1
47adff98e1a9e2607548c73f7dd6dc58ce762712

SHA256
f2fbef2b0da0ccdd5f29d27475a9f1940be487961c9bacb64f0a96f9a271b6b1

SHA512
1bff6d44dcbfe705da4f77f571f03acec7c32fe8d74fa7037c2323099e99b4a65ff0a2b0efc418ff2b2b993fdc53e59b04e138bbe0c630e57fc2af0481d1ed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yNaN3CmYdjP.bat
Filesize
201B

MD5
dce0a1a8becfb8810065141acb62f252

SHA1
3588e0086cff4f6f09f639504af552eb46912c97

SHA256
d2c27e76910553fc7cd6d8b8994c949fe4e22c42a3f0b0f48d7659e39a9c29b6

SHA512
28acacf6dd6f81352961a19a9deb9f4d3776684ecade11dcbbd52b63bff0456a99a873d405e9e49046d93d95355fc87e782ac7aaf23ede6fdcb646d0c5de361a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2i7Oczb2V7Jv.bat
Filesize
201B

MD5
eb3934d58c08c3b1fb4532a4fc82efd3

SHA1
7dcf085ca2f8a2ce34fcc0ad44c15cd3d54487ef

SHA256
3f6163449538c21a6760f3b77d238ae5230e0c0ed71a3a382be4ca7e6be9c29f

SHA512
e7f11155ea44627b2b275fef90965f40123eed1e4897bdeba2a216be140607ec1e3b08697df69bc9aa68db79b122d7ff0e141b2893a974604141bb5374030e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\3XCv3QfHJ0uO.bat
Filesize
201B

MD5
0225f803a947ae0318c481169c75c74d

SHA1
937f27a5eb6dacc02a169c49b3bb3123e4e7d68f

SHA256
f3c9e9ac9285df6dc3e05bbeece3116729af9a29181f9a2ec9b895842f66f5fe

SHA512
ab2cc7bda126ed0cd9fe2ea419b1e0003ce45266f0a143ae8edd8ee3d7bb11541f275756705d410973cc74b8d5a46b0199c20a0934f04f80b8c17967777c4c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\88mBntQDqnBw.bat
Filesize
201B

MD5
6223e82533bf6e7e091872633ae68b57

SHA1
6efff910a12b93e6bba4f23cf4371b28fcfafc4b

SHA256
2b99ecc869a1e2e05d14046b3261cb2dd276bfc772d81bb21e17f3b326db9790

SHA512
f21270581c385dab808b96d88ee221f1eff4850f0fca29e6e3e1d3a42d40bd402f6c7f22c2b067f52ae337b442eca35761e836cd1dc54f2c8f886b0ed9e5302d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mVnOFUDBfNC.bat
Filesize
201B

MD5
3c26903875454945fcacb9f2c92cf69e

SHA1
af5312e3e24ec6f29e7d0b9ebe8619abd4cc7c2f

SHA256
b1b5ef16a3f9ddd361f9b2f0e849b3fe2be11326281a29b032cdd7dcef239a98

SHA512
ba603096dd4259865f9b217aa55c7fc899e4e84995c247cae255c235fdcac5890d3c06b328bf5b3d3e0138788c4eb5fa55c785f5fc2d06d9b0f5835d5e882510

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaegfVcR8knn.bat
Filesize
201B

MD5
a4ac89c9d1899c56fcdf0d27705e87ca

SHA1
bf506b7d919b3a9e71b1f76c3c25f6bf327b712d

SHA256
c486db6e01712df65975eba947ca53296215b91aca10a5a2a2656baafd0af894

SHA512
dfe21ac061f983791b588cf9548003c711dfe6a3925494de53812715a83609be5633d7b9945c7c0a575d95b465c5b4ad8885ae0f6cb721b33115985fa437dd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cr6TcHys1tMN.bat
Filesize
201B

MD5
3731a59437c7c12a472a39d47c1a1aee

SHA1
db2b5708d948c7e9506b4061bd57a12830463581

SHA256
26862221fd47c80c3c689d39dcac3f4942bac97255bc6b54c1b7c70fbc4f3140

SHA512
e1f17d83bffdb72b8dc8e909f0768e4884e585d8922efdb9b9a84c1c7b996bf72b0d6e89ef3acd1a97373792bdce280836b290995d91249e45899254c34e16e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiyRZiN4z35O.bat
Filesize
201B

MD5
8b5a5e3d2128aa060dd91df454f4db04

SHA1
dff5416ffced667a3cf62b275a17ad76ce4732c2

SHA256
4fae51fe3eb32040e8db53a5bfe0ee4f6d502c2de7a051a3d9ee75dcb8df4ec0

SHA512
d668730050849d2de472372b51dfa247c55b3c0a3465d3207311c0b540dc2a29da4e43af1bcfdfb93479b642ac14d0889fd7318d507a8494c8aac3536b050337

Download Submit
C:\Users\Admin\AppData\Local\Temp\EpVTr9TvQFga.bat
Filesize
201B

MD5
95188fcff01f69d14642bd1c50434f85

SHA1
793555a30fca5410159eaa84897245f67f438697

SHA256
a917a8589bf484b6f9e272d5338b63893980e5febefe196b6dd8795a0c12ff41

SHA512
5e526c026f73d29423471a308e62878e12065f24f44d7873a7f030e1e474e9f382e1f429c3cedec6b5bec3539fac1a40e200dd0face0086068b24538dc65e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\L7XMMqRFA91i.bat
Filesize
201B

MD5
2802bac0b20a4a4f62c7e2b336b1b653

SHA1
d427d95d79f784c88bcdaa47407df9af230cc656

SHA256
41dfa270999c5c19dd9c2ea50954a474c9e3d81aae1b7b5e82626ace8869be4c

SHA512
38cca7513ad3bdb9e7c8f68080a2b54eda6c5e792670b1bf758bb0c9f4ed65fc5a7194e84287d190265c5bada6de28707be530bc6dd4e1df43c3f24077c389c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TKuEBWbrZhno.bat
Filesize
201B

MD5
c662f0dc4af4cd6a587aaa91b14c8893

SHA1
1d7767dea8eb41e0fcefb79d2aac69f6e3292b62

SHA256
0e5dab390399dfe9ab165c9252035b05ebea4191ff6c1a569a3173ccaa04c5c6

SHA512
d58a6c341310156847feaea74f99ee02da512b240551c4e060ed202f9c021738c9c21ff17cec319d1fa0f44078ed3e3747507677502c0d10451065cd2d5bad2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZmihJnh2YLU.bat
Filesize
201B

MD5
1c38016f68a76ca1836735b327125b16

SHA1
8bae8cb76ca7cda1acef810b2eb37d4061e08ae4

SHA256
bc0895bb39d31cf9489ca17332f3644f9c06cbf930fa06fd311bb1c76af888a7

SHA512
2cff9feb274e0a7d466aa4e1183f979bdb3524570244c52f2bc640489c5024881234c79d3a25060118e4299318d6bf56c920ff79e7c883ed69d9ac3bd59cbacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNzbonQXv2yo.bat
Filesize
201B

MD5
9fb94d85a5ecc1a20c5f44f04473e998

SHA1
7ec9a737aee812c049422349cf46cb83b1cb3013

SHA256
c05a5d479ac53b05c692cf32a4beb2b4c040d5b3c74ef634bfb4199183ff8ee1

SHA512
16f5d6a9958676c6fdd2c0e5c03fc7ea5279fc4fb024341fe1cd058577f438000794058e8686e7304fdd025c985d8d0681b3a5d5fab21e75c1641f6b50b674cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4LLDxofg0p7.bat
Filesize
201B

MD5
047fcb295010043c735d7241b831f3a9

SHA1
06b0271cd9ba480f6b705742996242e427c3a6ed

SHA256
5eba5b1049b7281c9e0447cbab1c292d59c081e93502aff52c40dd6ad5715650

SHA512
5bfdf86395c539891fadc294309367d54e549cfca6f4a6df7a20ac8d94dd4e05304997d6e6c308dbf12cc84b495f38cd84babc86c630441ece64fd6de837c50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzDzd61ypN0e.bat
Filesize
201B

MD5
f3aa0552186b1e6fcc6b4f008061865f

SHA1
27a2ff64e250141c0c4939509c8adea761b684d5

SHA256
53e1c45a49473c3ac911f781a75c96f42d4279c2ed68e5870c07436c10fa0a85

SHA512
b54970bfbe3403af90ca4f523108be708bc2c8a92b68739b36d26b19c8e1ebfd8c55b43f3a82661e2dc2d1b052ac13ff540c7c5de3b8b82e4dc69b77764dcedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgCylke5enGs.bat
Filesize
201B

MD5
07a879712b009b6772fbaf6c94fa53f1

SHA1
6e7fccbd22c5802f63e293ab70e9ce6c8f659a63

SHA256
e0fb3bdbe1d548634956c109d9957d7fd21e8bd303c6314b05f301b13f5fde8a

SHA512
fdf6829b4899d0ef6f5d7c64397624b0d630ff6a2f66cbb24679dee39bd711ed8314fbc1ca31d975873b2b9d248a96dfcb43270c56823d6f894940186b305b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\eT1RYEQGKVll.bat
Filesize
201B

MD5
0c9ed34f55ba22e57712cd2a00e49a89

SHA1
c6eba382049977b095d71285e87fcdd6668aa90a

SHA256
7e5f92cae57c3a86d703a78a2bc89a0270032b4706d427ad7938b7c77f8da2da

SHA512
b853f5358d3a3be85d30127a4d27bf247aea8369d9f8169e242d407b7e61997b43782f9842976e2c44dfaf95eb6f895a66d160d3642362783566389414ffc10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3RZnOz8bjz7.bat
Filesize
201B

MD5
440ca62f07432a88b2aa0e5c6e656659

SHA1
0a724b71951747aef10184431c521f312694d7bd

SHA256
093b23e548c1c8732e36248c1b4177e9cbcdbe13d8ea9953632379b561624060

SHA512
04082498d2ef857954c9f01623545b22a00e2487356259ce9952cc0823373813138a67ab41632b7b16c6c9bf648f46f08b516317fd3110b7d9724955f0447b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\g6OvWckWo97S.bat
Filesize
201B

MD5
649d5c16ecb69c9f9cbd9598b3a6c19d

SHA1
08420adbedefeb6aff9961b09d3e89359dc8384a

SHA256
bbc74db8d2cb9ef8f985955ff05255c23992ae0b6107a0327d1f5b17ac02e633

SHA512
1a61ac2fcaccca5a1f76e360a1330a10f2f2b36677c856a33a7e25c0155036dde9db6c25f98e9553fbd92f4a85466531ae61c399456de2a3178071ad5cc9dcc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kENeu0EmhL4D.bat
Filesize
201B

MD5
058eba475ae4a5d845732925aabb370b

SHA1
a8a6834fa36c55213167ee21db5a35d519ec8ea8

SHA256
8a151aee8e9f1782421dff94d90a88c46c37aff29b3ab626fdf7ee51c7c120f3

SHA512
ee664f3801dfc8a7f87c88f118e01ddc769a102695f92583fb0471794509a9bb8ce5805eca597004b8574f4149b7f7c904e5cdbb1c3b4fd69b8efadb26ecd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUgfn9xVu6cV.bat
Filesize
201B

MD5
46c9f38dd8cc86b4ea0410719555005b

SHA1
68f3fef40dacdd1ae6f4d7cca2b88c35133898eb

SHA256
9a9986a9cb7ecc5aeef0f41be569e352e2b51cb71354dcadf4d199714920a829

SHA512
a866f6de77a7d5dc11446857332e5b6bb99951f1af5f05326c2de970c0076beb55ca73c32b5e1281f16f35b2b9b84ba09dcc4c2253dd8881a7408c2be4caff54

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3zuGwcDlVDS.bat
Filesize
201B

MD5
24523d309f628f78caeec628c5621566

SHA1
b097d3e08594b72b7708b3676b63bf922ea622bd

SHA256
73caff43187a9586cb3e8ae833172ed77f859743b2ee35755e6cd78eddeec7f0

SHA512
afa24c6715d6197ad271f20ecaf3580bfec522846e45473a5ee46688afe2db9910c270efd0aafe534e7d1e5ba1bede3e44efc1b903bfbfa7ed257f3b9931de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\t075rewLWIwW.bat
Filesize
201B

MD5
b69f5399ffc10e1635f6d85af259b08f

SHA1
94a984aa1fdda8c98d5487152ca07d10f0d1fd56

SHA256
0a03d6c7d866554cb7ee11e1a51c00574c9c3dd95dad328d5533b8c9833b25fc

SHA512
5f3f7a45a3a4fd619a91cb9fea91e78585594756915d87ed85c18e1fc166ba3e94a8d776fafa2a986180358adce7f1e08288df814b4e73d2750a7c500fac0477

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2sG1TTkS5ZD.bat
Filesize
201B

MD5
3b8b69dfa655cf00e8e8bf809d0bc454

SHA1
a972760455a3a5e16be26f7ad58b85f6339b0e6b

SHA256
8463fd7363c220be5f6c1f86b836757230a2e3f7f9a29ed385135d73852335ed

SHA512
bb43c03fb7914c7f40a1f2dd3b1a2b09175e1ea0c2631551b68a3e0a52e53c7836734ffbb0e67bf10265ba24358c0b73bba3a1cdf363ec568c09a644ab3980d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtNcsoF62ZE.bat
Filesize
201B

MD5
f34b4b5bfcb8381425f842bdf15cc399

SHA1
e1a01a5da44c0a8d3815d1c00f708ce5402e7186

SHA256
62df350ebe6bd84fb98aeff5f360e1bafaa2dd1e10e7745347cb02d7d5b4199a

SHA512
ddeace1bf7bc3aa93c14e8d37feea7d34c70f1b27b1fef6ff4a4aca19ae47d585311c51ddd0b2f102aa2e106785e5b1aa3c6a5e40ec5e5384e55e7de99568dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjOkthQmeYDZ.bat
Filesize
201B

MD5
e12e85b674b5ad02ae56ff948d1e502b

SHA1
82fbf7348f56a0f00f3120cdeed7ebafecdcd2bf

SHA256
cecc92adf24c06f51cc20bb3b09a2ea08ce4bbc0081f07b0c375629388dac825

SHA512
6ad09564ec901d64f1b1e00dbbeb2e758f6d925f2321a0469f8428a4826cf4287ee9dad31cfcda6b6faf6c7131f8e7dbe52a76b302a33778bac4d602b7d80a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\w0el4JzgN78m.bat
Filesize
201B

MD5
69b2b59badb50b490a00f69fe8e71879

SHA1
40cb585be30b971e4e6865b7d430f9ff4bb665d2

SHA256
7f0cf8e244217b0ba401e4a7bee1eb85f024c2cc8a09789e63b7bc0cb318f1a5

SHA512
4a82db0dd09928f0f208c22a5d46275dc1f4fdf1e753afe04fd84f37e3bd5b6f0c7588405691471505e962e292295c232f96469e25640f9926a638e04bad76e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7HiDO9yCaZl.bat
Filesize
201B

MD5
8c1bdeaa42a779c5f97f527ab3d9f000

SHA1
927360a9f6a248992bec70a358b5e47e94c1bf49

SHA256
eb9d59f23e03caba0432da245132fbab53dc8b2930e747e3e0e3efdddae2ec12

SHA512
f6c5fedad91454948fdfe9ace472d7bce70de27fcaedec12671372bb7753be5b3c3e66e6b87066ccb32918221c1665dbfcee570b7c21fff4a33160f1fe0ee0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xaoNn0u9WNPH.bat
Filesize
201B

MD5
4e71dfd6667f0da47c6149a46043ac26

SHA1
cc633518ab0c825436cddd4a5c1806e5cc0f966a

SHA256
3d6919af605874ef90bce1716cfaf217b522ef8e7f8813fb94bd83dc300fc97d

SHA512
8c70c58f8af57fc2c1451ffeb6bfcc85b273230b8b921bab3d9da9cba3b2da616dd0dc9d562be75d4884ce4204d36590fe5002c12bbeaec3dc56f998672aa09a

Download Submit
memory/1016-13-0x000000001DDB0000-0x000000001DE62000-memory.dmp

Filesize
712KB

Download
memory/1016-10-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-11-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-12-0x000000001DCA0000-0x000000001DCF0000-memory.dmp

Filesize
320KB

Download
memory/1016-19-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3232-2-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3232-9-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/3232-0-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download
memory/3232-1-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download