quasar | 1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317a46786b73fccfafa5b5678c1a21a1.exe
Size

3.1MB
MD5

317a46786b73fccfafa5b5678c1a21a1
SHA1

e72c0001fb47a477514f5abdb348ae489de65f72
SHA256

1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2
SHA512

237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f
SSDEEP

49152:Sv6I22SsaNYfdPBldt698dBcjH3mRJ6SbR3LoGdmTHHB72eh2NT:Sv322SsaNYfdPBldt6+dBcjH3mRJ6M

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2360-1-0x0000000000E90000-0x00000000011B4000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar
behavioral1/memory/2072-9-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
behavioral1/memory/2512-23-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/2812-34-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/memory/856-45-0x0000000000EE0000-0x0000000001204000-memory.dmp	family_quasar
behavioral1/memory/1880-56-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral1/memory/1892-69-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar
behavioral1/memory/1704-80-0x0000000001000000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/memory/3020-113-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/984-134-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/824-146-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/1680-158-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2072	Opera GX.exe
2512	Opera GX.exe
2812	Opera GX.exe
856	Opera GX.exe
1880	Opera GX.exe
1892	Opera GX.exe
1704	Opera GX.exe
2560	Opera GX.exe
2460	Opera GX.exe
3020	Opera GX.exe
2328	Opera GX.exe
984	Opera GX.exe
824	Opera GX.exe
1680	Opera GX.exe
2592	Opera GX.exe

Drops file in Program Files directory 31 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe317a46786b73fccfafa5b5678c1a21a1.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	317a46786b73fccfafa5b5678c1a21a1.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	317a46786b73fccfafa5b5678c1a21a1.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	317a46786b73fccfafa5b5678c1a21a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2672 PING.EXE
1676 PING.EXE
1728 PING.EXE
2484 PING.EXE
2380 PING.EXE
2264 PING.EXE
2448 PING.EXE
2904 PING.EXE
1836 PING.EXE
1768 PING.EXE
2016 PING.EXE
1744 PING.EXE
1664 PING.EXE
1372 PING.EXE

pid	process
2672	PING.EXE
1676	PING.EXE
1728	PING.EXE
2484	PING.EXE
2380	PING.EXE
2264	PING.EXE
2448	PING.EXE
2904	PING.EXE
1836	PING.EXE
1768	PING.EXE
2016	PING.EXE
1744	PING.EXE
1664	PING.EXE
1372	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2488	schtasks.exe
1188	schtasks.exe
1284	schtasks.exe
1132	schtasks.exe
3032	schtasks.exe
2624	schtasks.exe
1936	schtasks.exe
2592	schtasks.exe
896	schtasks.exe
2148	schtasks.exe
1588	schtasks.exe
2080	schtasks.exe
332	schtasks.exe
2316	schtasks.exe
2860	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

317a46786b73fccfafa5b5678c1a21a1.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	2360	317a46786b73fccfafa5b5678c1a21a1.exe
Token: SeDebugPrivilege	2072	Opera GX.exe
Token: SeDebugPrivilege	2512	Opera GX.exe
Token: SeDebugPrivilege	2812	Opera GX.exe
Token: SeDebugPrivilege	856	Opera GX.exe
Token: SeDebugPrivilege	1880	Opera GX.exe
Token: SeDebugPrivilege	1892	Opera GX.exe
Token: SeDebugPrivilege	1704	Opera GX.exe
Token: SeDebugPrivilege	2560	Opera GX.exe
Token: SeDebugPrivilege	2460	Opera GX.exe
Token: SeDebugPrivilege	3020	Opera GX.exe
Token: SeDebugPrivilege	2328	Opera GX.exe
Token: SeDebugPrivilege	984	Opera GX.exe
Token: SeDebugPrivilege	824	Opera GX.exe
Token: SeDebugPrivilege	1680	Opera GX.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2072	Opera GX.exe
2512	Opera GX.exe
2812	Opera GX.exe
856	Opera GX.exe
1880	Opera GX.exe
1892	Opera GX.exe
1704	Opera GX.exe
2560	Opera GX.exe
2460	Opera GX.exe
3020	Opera GX.exe
2328	Opera GX.exe
984	Opera GX.exe
824	Opera GX.exe
1680	Opera GX.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2072	Opera GX.exe
2512	Opera GX.exe
2812	Opera GX.exe
856	Opera GX.exe
1880	Opera GX.exe
1892	Opera GX.exe
1704	Opera GX.exe
2560	Opera GX.exe
2460	Opera GX.exe
3020	Opera GX.exe
2328	Opera GX.exe
984	Opera GX.exe
824	Opera GX.exe
1680	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

317a46786b73fccfafa5b5678c1a21a1.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 2360 wrote to memory of 2860	2360	317a46786b73fccfafa5b5678c1a21a1.exe	schtasks.exe
PID 2360 wrote to memory of 2860	2360	317a46786b73fccfafa5b5678c1a21a1.exe	schtasks.exe
PID 2360 wrote to memory of 2860	2360	317a46786b73fccfafa5b5678c1a21a1.exe	schtasks.exe
PID 2360 wrote to memory of 2072	2360	317a46786b73fccfafa5b5678c1a21a1.exe	Opera GX.exe
PID 2360 wrote to memory of 2072	2360	317a46786b73fccfafa5b5678c1a21a1.exe	Opera GX.exe
PID 2360 wrote to memory of 2072	2360	317a46786b73fccfafa5b5678c1a21a1.exe	Opera GX.exe
PID 2072 wrote to memory of 2592	2072	Opera GX.exe	schtasks.exe
PID 2072 wrote to memory of 2592	2072	Opera GX.exe	schtasks.exe
PID 2072 wrote to memory of 2592	2072	Opera GX.exe	schtasks.exe
PID 2072 wrote to memory of 2852	2072	Opera GX.exe	cmd.exe
PID 2072 wrote to memory of 2852	2072	Opera GX.exe	cmd.exe
PID 2072 wrote to memory of 2852	2072	Opera GX.exe	cmd.exe
PID 2852 wrote to memory of 2616	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 2616	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 2616	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 2484	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2484	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2484	2852	cmd.exe	PING.EXE
PID 2852 wrote to memory of 2512	2852	cmd.exe	Opera GX.exe
PID 2852 wrote to memory of 2512	2852	cmd.exe	Opera GX.exe
PID 2852 wrote to memory of 2512	2852	cmd.exe	Opera GX.exe
PID 2512 wrote to memory of 2488	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 2488	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 2488	2512	Opera GX.exe	schtasks.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	cmd.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	cmd.exe
PID 2512 wrote to memory of 3004	2512	Opera GX.exe	cmd.exe
PID 3004 wrote to memory of 2096	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 2096	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 2096	3004	cmd.exe	chcp.com
PID 3004 wrote to memory of 2016	3004	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2016	3004	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2016	3004	cmd.exe	PING.EXE
PID 3004 wrote to memory of 2812	3004	cmd.exe	Opera GX.exe
PID 3004 wrote to memory of 2812	3004	cmd.exe	Opera GX.exe
PID 3004 wrote to memory of 2812	3004	cmd.exe	Opera GX.exe
PID 2812 wrote to memory of 1188	2812	Opera GX.exe	schtasks.exe
PID 2812 wrote to memory of 1188	2812	Opera GX.exe	schtasks.exe
PID 2812 wrote to memory of 1188	2812	Opera GX.exe	schtasks.exe
PID 2812 wrote to memory of 2776	2812	Opera GX.exe	cmd.exe
PID 2812 wrote to memory of 2776	2812	Opera GX.exe	cmd.exe
PID 2812 wrote to memory of 2776	2812	Opera GX.exe	cmd.exe
PID 2776 wrote to memory of 2260	2776	cmd.exe	chcp.com
PID 2776 wrote to memory of 2260	2776	cmd.exe	chcp.com
PID 2776 wrote to memory of 2260	2776	cmd.exe	chcp.com
PID 2776 wrote to memory of 1744	2776	cmd.exe	PING.EXE
PID 2776 wrote to memory of 1744	2776	cmd.exe	PING.EXE
PID 2776 wrote to memory of 1744	2776	cmd.exe	PING.EXE
PID 2776 wrote to memory of 856	2776	cmd.exe	Opera GX.exe
PID 2776 wrote to memory of 856	2776	cmd.exe	Opera GX.exe
PID 2776 wrote to memory of 856	2776	cmd.exe	Opera GX.exe
PID 856 wrote to memory of 1284	856	Opera GX.exe	schtasks.exe
PID 856 wrote to memory of 1284	856	Opera GX.exe	schtasks.exe
PID 856 wrote to memory of 1284	856	Opera GX.exe	schtasks.exe
PID 856 wrote to memory of 2824	856	Opera GX.exe	cmd.exe
PID 856 wrote to memory of 2824	856	Opera GX.exe	cmd.exe
PID 856 wrote to memory of 2824	856	Opera GX.exe	cmd.exe
PID 2824 wrote to memory of 2008	2824	cmd.exe	chcp.com
PID 2824 wrote to memory of 2008	2824	cmd.exe	chcp.com
PID 2824 wrote to memory of 2008	2824	cmd.exe	chcp.com
PID 2824 wrote to memory of 2672	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 2672	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 2672	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 1880	2824	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\317a46786b73fccfafa5b5678c1a21a1.exe
"C:\Users\Admin\AppData\Local\Temp\317a46786b73fccfafa5b5678c1a21a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xdvuz4mKIiTY.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2616

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2484

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uzoiQezYpAjn.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2096

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2016

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Mr1rh4lcmbIc.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2260

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1744

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BssbNLlqLLfx.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2672

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1880

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UK2CKB9w1bGG.bat" "
11⤵
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1664

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1892

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AGeheVTaqP.bat" "
13⤵
PID:660

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2304

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2380

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GdZ5CycwkFYf.bat" "
15⤵
PID:3024

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2264

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\57e3lK5ouDfE.bat" "
17⤵
PID:2596

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2448

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y0Di24veDdy6.bat" "
19⤵
PID:1720

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1676

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3020

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ZHC0IG7Vp9U.bat" "
21⤵
PID:2688

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1728

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
22⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wY5WeWy1dtvY.bat" "
23⤵
PID:2008

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2904

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
24⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:984

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7aUSrRMvLuI4.bat" "
25⤵
PID:944

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:540

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1372

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
26⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\e8IuN4NOucTH.bat" "
27⤵
PID:2184

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1836

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
28⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5gqpDl2qMp2S.bat" "
29⤵
PID:2300

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2020

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1768

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
30⤵
- Executes dropped EXE
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
317a46786b73fccfafa5b5678c1a21a1

SHA1
e72c0001fb47a477514f5abdb348ae489de65f72

SHA256
1dba5015247e9e52949d62c60c23713657123b7786cb790d6f1534126936c1b2

SHA512
237b4b626c30911e1f705ac9765d33446f6948630e2a4179d444391cd4e8338e34691da69a8f044b329889c3680aa9cc19108482abe51f179c354d81c8ce678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\57e3lK5ouDfE.bat
Filesize
201B

MD5
c426d567238f945d19303f18687a3ca3

SHA1
45c87a9fffe36ff5e8f5dd04ffe9c38f18868a27

SHA256
c26a437b688926e9cfc70fd40fdd8483e6bed1b1c68e17401b2db515403d45e2

SHA512
6028bbd16fa319fc556762777cfb43721827aa8b33047d5ff3fd4ea6f6cf10b3717032e34f4a71f888f1913ea2d1fe6cb99674782481f5a62f2ccaa605bb2966

Download Submit
C:\Users\Admin\AppData\Local\Temp\5gqpDl2qMp2S.bat
Filesize
201B

MD5
802c79c90dfde98c014bfb70fb53e317

SHA1
7a7c7164d9188b45638d5f28bcd6ab47a8ca0e0d

SHA256
4f82744114807da321a0b95a7d6c75b0dd0913df46c2be3260ef3f704c03174c

SHA512
111d87b1f36f0ad56ef5c0ae2c3ec09d1c47c0d8eba129459976705ff53ff8a5c9a8fbc6c9bda50ea508ede3ff7a30e5ece3996c13dd336db366d4ec91c24bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aUSrRMvLuI4.bat
Filesize
201B

MD5
60eafca6590820b92b0f47eec34ac9f1

SHA1
1c98810ebde920ca82bf71c0ccb0e62ea724c6d5

SHA256
ecbd91c258cff599da8b586f3e75662db9a3c5503f56ace6ccd4a0c1217d70c6

SHA512
d923695b8e3617997d39dc4b5b0fab760ac73cbb69fad6760809f9223fcaff262b21ac437df006cf23065d3320b28294c1485b4e282fe4044644f5fa2d454d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ZHC0IG7Vp9U.bat
Filesize
201B

MD5
77046123634a6e0d59fdffdaaf4f897e

SHA1
34d0bee0f4f99f5f8bd63e249da3856add4b3fbd

SHA256
2b277a978d5425b9d075bcb3558c26d0c31d1a6258cff94921ca4a26e301d372

SHA512
fad39901d5708a30c52f012b6339ba7c594369a421d99bd9cbb28357bdd6d6cbb8e39cc1faa40031a64627cb17d8ac2ce6771afdf628babfad55a1e3faa47ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BssbNLlqLLfx.bat
Filesize
201B

MD5
24609283be32693ca7e61f97ea1c9e89

SHA1
705204991ff76bba8f5c7b972ba7cfb15b2369e9

SHA256
49bb86927697d59e13a52cf72fe180da5488eab95683e5cb5a20946f77a869a7

SHA512
4ade9151e177190f09a9bddfbc99a225edf3d5d1f8059c1928fd7328990464764827bfb09b543f8e68749e64ae0cbd78abb1df1194bc70cc8a66601f8f98fd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6AGeheVTaqP.bat
Filesize
201B

MD5
dc90ab497f8102d0cff63c1867ce1871

SHA1
98320f7ad4a08078b8b606e47f6550a91847f6fa

SHA256
a683d567aecf4d91ad4319b465def901924b7c98459afa30172e3208be17e937

SHA512
3c0f40b2b077288e063990a0df2c30d0e9b782983df964d0f733acd70ebb2bfccb9dd3fe5468387b9f574ee613c59fe59f29f2c2248168ef81d5212e68a84a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\GdZ5CycwkFYf.bat
Filesize
201B

MD5
5988204da3915cb0460594fa572c6876

SHA1
3b1f31cc5ef7a03912abad4151c6606eac560e1d

SHA256
33e2137c3cc613ef632500b8e86360e92f2076db81fd273e33be366bf8c72fe8

SHA512
c6219263dd79adc03eb65f90be32e3a97f81cd257ae095f4605f92b028bd20e8839b8d7535e65328adfb236f1b02205e8be941641e86e3b450ff5db5184ece6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mr1rh4lcmbIc.bat
Filesize
201B

MD5
59ec3be57c89296c7be21eda5635e023

SHA1
eedd4a3eae48e71e0bae563321e70823c4fe8c21

SHA256
2130030dc1f16c1dbcc50ad4734d2381cf8e50d33c9285ab73b74404bebe037d

SHA512
472ceca66181f7db127d692c0092dca889630e909ab37ad7a405ff8723d496db57c0bee7cd7464e0a8df95aecfff0e47d077cb32da867c476b64f19ba3d24d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\UK2CKB9w1bGG.bat
Filesize
201B

MD5
533f86aaacdb568c88e599aba5642455

SHA1
e7265181334b95c6951120d1359f557479f6ffd9

SHA256
a9a62e2d05397df6b508fa5bbe533c5b7a074ded6b12c87a3bfbeb5719cb30dc

SHA512
95a0f54861ec7a2e9a16ef7768d8a8b5034e7782951e7b934e3a63da53dd3a67596b7e6ba6c7f20d1734163b6ee8ed1bf20aef06233475dd96e187b94a947da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xdvuz4mKIiTY.bat
Filesize
201B

MD5
ed713c0e74b3e4ca035b9f3421460960

SHA1
a4d46144d747e9a78d18a955a54d472efb3ca990

SHA256
e90a0892b3df4c22c3cb9493dc7d51f1b58453c80bbf338045ffc772aa1d799b

SHA512
ea0bff7f31e8bc7b333bac02c25d69966e0e0eb89e34daa7956024d872b3f54ac8803fc6ecaef78bdb04f5486a34922d5956fa837334f6c7671e6fa65b7c868d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y0Di24veDdy6.bat
Filesize
201B

MD5
65787372607b4b4e996f84fa63c9e834

SHA1
81c14b97447612a142b2bf7719d2bc6b7f4821b3

SHA256
b3f0ab58e43ceb3737d74a879af7ca4e1bfb0b1b5f41628aecf55f85f350be0d

SHA512
470d74fffe7eac6725fed258f2bb39c3a47fdeec312783571d98e015487cb8b5734b281e38edddfa61d781c9727b2bab63adc275bb6b46daaaf2213148124171

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8IuN4NOucTH.bat
Filesize
201B

MD5
5e9f6ef9d7f78c46dcd46a069b950039

SHA1
b9364f89d54ec7ce0a0445557ccb7c0bec317764

SHA256
99601073a72625a08aff6fd9ec6fd786e1a2d8d298fe891f45834e302a85407a

SHA512
84db2e7f311d5bbad728563d754d872f9ac3ad925fcf4e6a8343360010c1eb5b88df0ce54a0cb7c7e71185c2ed1525dbce8a41e760922bc452956507db5aca6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzoiQezYpAjn.bat
Filesize
201B

MD5
446ec31bede4a40f8525d4c082969fe6

SHA1
804517653cb3747fec211cddb24abe3fc0c43f57

SHA256
ec0c99e1ce0294729d96a16fefccdcdbf3c0526775c09d55cb2324bd99691e5c

SHA512
9d5cb8902d4658bac4fc185991383511d2ad267b74893b177e30d0417a513e97752159856c3f3f1b2107db1918b672114be1bb1a5ca621151219fc8728ea323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wY5WeWy1dtvY.bat
Filesize
201B

MD5
2564851eed853e574e03a81e8b6770ef

SHA1
8d71f34d941ca0fb7f1171d6b763aa12411dfe33

SHA256
2e863b91a6a7268f9200eb3c7c7078f2f4022a385510db4f7490b5b053c0adb5

SHA512
74915ced6e2b2634eeb3b4f56931875a237a3622e54f620819ef788d86847aa3dcfd795b5e9bea26846c91b572dfcd562ef3a5dec74778f72af1ea42821796cf

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/824-146-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/856-45-0x0000000000EE0000-0x0000000001204000-memory.dmp

Filesize
3.1MB

Download
memory/984-134-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/1680-158-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/1704-80-0x0000000001000000-0x0000000001324000-memory.dmp

Filesize
3.1MB

Download
memory/1880-56-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download
memory/1892-69-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/2072-11-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-8-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-9-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/2072-21-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/2360-10-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-1-0x0000000000E90000-0x00000000011B4000-memory.dmp

Filesize
3.1MB

Download
memory/2512-23-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/2812-34-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/3020-113-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download