quasar | cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db

Analysis

max time kernel
145s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22eded04f63ee8412924d986e3a522f.exe
Size

3.1MB
MD5

e22eded04f63ee8412924d986e3a522f
SHA1

ca0b817a54f1401b43b412013c0a948a03155619
SHA256

cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db
SHA512

6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e
SSDEEP

49152:Dv6I22SsaNYfdPBldt698dBcjHa++PJH1LoGdDTTHHB72eh2NT:Dv322SsaNYfdPBldt6+dBcjHa++Pz

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-44550.portmap.host:44550

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar
behavioral1/memory/2400-10-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar
behavioral1/memory/1672-33-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral1/memory/636-44-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/1896-66-0x00000000012C0000-0x00000000015E4000-memory.dmp	family_quasar
behavioral1/memory/2616-99-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral1/memory/1948-110-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar
behavioral1/memory/1332-132-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar
behavioral1/memory/1992-143-0x0000000000820000-0x0000000000B44000-memory.dmp	family_quasar
behavioral1/memory/2164-155-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar
behavioral1/memory/3004-167-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2400	Opera GX.exe
2532	Opera GX.exe
1672	Opera GX.exe
636	Opera GX.exe
788	Opera GX.exe
1896	Opera GX.exe
1508	Opera GX.exe
2588	Opera GX.exe
2616	Opera GX.exe
1948	Opera GX.exe
2280	Opera GX.exe
1332	Opera GX.exe
1992	Opera GX.exe
2164	Opera GX.exe
3004	Opera GX.exe

Drops file in Program Files directory 33 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exee22eded04f63ee8412924d986e3a522f.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2820 PING.EXE
2748 PING.EXE
868 PING.EXE
392 PING.EXE
1816 PING.EXE
1060 PING.EXE
1524 PING.EXE
1056 PING.EXE
2800 PING.EXE
3060 PING.EXE
2724 PING.EXE
3064 PING.EXE
1940 PING.EXE
1428 PING.EXE
2800 PING.EXE

pid	process
2820	PING.EXE
2748	PING.EXE
868	PING.EXE
392	PING.EXE
1816	PING.EXE
1060	PING.EXE
1524	PING.EXE
1056	PING.EXE
2800	PING.EXE
3060	PING.EXE
2724	PING.EXE
3064	PING.EXE
1940	PING.EXE
1428	PING.EXE
2800	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2192	schtasks.exe
1304	schtasks.exe
1084	schtasks.exe
1960	schtasks.exe
1804	schtasks.exe
2272	schtasks.exe
308	schtasks.exe
1744	schtasks.exe
3024	schtasks.exe
2672	schtasks.exe
864	schtasks.exe
616	schtasks.exe
2852	schtasks.exe
2868	schtasks.exe
1732	schtasks.exe
2076	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

e22eded04f63ee8412924d986e3a522f.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	2348	e22eded04f63ee8412924d986e3a522f.exe
Token: SeDebugPrivilege	2400	Opera GX.exe
Token: SeDebugPrivilege	2532	Opera GX.exe
Token: SeDebugPrivilege	1672	Opera GX.exe
Token: SeDebugPrivilege	636	Opera GX.exe
Token: SeDebugPrivilege	788	Opera GX.exe
Token: SeDebugPrivilege	1896	Opera GX.exe
Token: SeDebugPrivilege	1508	Opera GX.exe
Token: SeDebugPrivilege	2588	Opera GX.exe
Token: SeDebugPrivilege	2616	Opera GX.exe
Token: SeDebugPrivilege	1948	Opera GX.exe
Token: SeDebugPrivilege	2280	Opera GX.exe
Token: SeDebugPrivilege	1332	Opera GX.exe
Token: SeDebugPrivilege	1992	Opera GX.exe
Token: SeDebugPrivilege	2164	Opera GX.exe
Token: SeDebugPrivilege	3004	Opera GX.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2400	Opera GX.exe
2532	Opera GX.exe
1672	Opera GX.exe
636	Opera GX.exe
788	Opera GX.exe
1896	Opera GX.exe
1508	Opera GX.exe
2588	Opera GX.exe
2616	Opera GX.exe
1948	Opera GX.exe
2280	Opera GX.exe
1332	Opera GX.exe
1992	Opera GX.exe
2164	Opera GX.exe
3004	Opera GX.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid	process
2400	Opera GX.exe
2532	Opera GX.exe
1672	Opera GX.exe
636	Opera GX.exe
788	Opera GX.exe
1896	Opera GX.exe
1508	Opera GX.exe
2588	Opera GX.exe
2616	Opera GX.exe
1948	Opera GX.exe
2280	Opera GX.exe
1332	Opera GX.exe
1992	Opera GX.exe
2164	Opera GX.exe
3004	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e22eded04f63ee8412924d986e3a522f.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 2192	2348	e22eded04f63ee8412924d986e3a522f.exe	schtasks.exe
PID 2348 wrote to memory of 2192	2348	e22eded04f63ee8412924d986e3a522f.exe	schtasks.exe
PID 2348 wrote to memory of 2192	2348	e22eded04f63ee8412924d986e3a522f.exe	schtasks.exe
PID 2348 wrote to memory of 2400	2348	e22eded04f63ee8412924d986e3a522f.exe	Opera GX.exe
PID 2348 wrote to memory of 2400	2348	e22eded04f63ee8412924d986e3a522f.exe	Opera GX.exe
PID 2348 wrote to memory of 2400	2348	e22eded04f63ee8412924d986e3a522f.exe	Opera GX.exe
PID 2400 wrote to memory of 2672	2400	Opera GX.exe	schtasks.exe
PID 2400 wrote to memory of 2672	2400	Opera GX.exe	schtasks.exe
PID 2400 wrote to memory of 2672	2400	Opera GX.exe	schtasks.exe
PID 2400 wrote to memory of 2572	2400	Opera GX.exe	cmd.exe
PID 2400 wrote to memory of 2572	2400	Opera GX.exe	cmd.exe
PID 2400 wrote to memory of 2572	2400	Opera GX.exe	cmd.exe
PID 2572 wrote to memory of 2644	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2644	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2644	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2800	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2800	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2800	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2532	2572	cmd.exe	Opera GX.exe
PID 2572 wrote to memory of 2532	2572	cmd.exe	Opera GX.exe
PID 2572 wrote to memory of 2532	2572	cmd.exe	Opera GX.exe
PID 2532 wrote to memory of 1804	2532	Opera GX.exe	schtasks.exe
PID 2532 wrote to memory of 1804	2532	Opera GX.exe	schtasks.exe
PID 2532 wrote to memory of 1804	2532	Opera GX.exe	schtasks.exe
PID 2532 wrote to memory of 2772	2532	Opera GX.exe	cmd.exe
PID 2532 wrote to memory of 2772	2532	Opera GX.exe	cmd.exe
PID 2532 wrote to memory of 2772	2532	Opera GX.exe	cmd.exe
PID 2772 wrote to memory of 2824	2772	cmd.exe	chcp.com
PID 2772 wrote to memory of 2824	2772	cmd.exe	chcp.com
PID 2772 wrote to memory of 2824	2772	cmd.exe	chcp.com
PID 2772 wrote to memory of 2820	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 2820	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 2820	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 1672	2772	cmd.exe	Opera GX.exe
PID 2772 wrote to memory of 1672	2772	cmd.exe	Opera GX.exe
PID 2772 wrote to memory of 1672	2772	cmd.exe	Opera GX.exe
PID 1672 wrote to memory of 1304	1672	Opera GX.exe	schtasks.exe
PID 1672 wrote to memory of 1304	1672	Opera GX.exe	schtasks.exe
PID 1672 wrote to memory of 1304	1672	Opera GX.exe	schtasks.exe
PID 1672 wrote to memory of 812	1672	Opera GX.exe	cmd.exe
PID 1672 wrote to memory of 812	1672	Opera GX.exe	cmd.exe
PID 1672 wrote to memory of 812	1672	Opera GX.exe	cmd.exe
PID 812 wrote to memory of 2508	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2508	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2508	812	cmd.exe	chcp.com
PID 812 wrote to memory of 2748	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 2748	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 2748	812	cmd.exe	PING.EXE
PID 812 wrote to memory of 636	812	cmd.exe	Opera GX.exe
PID 812 wrote to memory of 636	812	cmd.exe	Opera GX.exe
PID 812 wrote to memory of 636	812	cmd.exe	Opera GX.exe
PID 636 wrote to memory of 2272	636	Opera GX.exe	schtasks.exe
PID 636 wrote to memory of 2272	636	Opera GX.exe	schtasks.exe
PID 636 wrote to memory of 2272	636	Opera GX.exe	schtasks.exe
PID 636 wrote to memory of 2288	636	Opera GX.exe	cmd.exe
PID 636 wrote to memory of 2288	636	Opera GX.exe	cmd.exe
PID 636 wrote to memory of 2288	636	Opera GX.exe	cmd.exe
PID 2288 wrote to memory of 2684	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 2684	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 2684	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 1940	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 1940	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 1940	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 788	2288	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e22eded04f63ee8412924d986e3a522f.exe
"C:\Users\Admin\AppData\Local\Temp\e22eded04f63ee8412924d986e3a522f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ck3ZspJSnxec.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2644

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2800

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RpLb7QF9t4sR.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2824

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2820

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqWQIceH5inA.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2748

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8L7nhK8mc6rf.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:2684

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1940

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:788

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WllFsDzOAtaf.bat" "
11⤵
PID:2324

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:412

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1060

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1896

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bs5YEjTLZneL.bat" "
13⤵
PID:2884

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1812

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:868

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1508

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DGPkjA6BjLXe.bat" "
15⤵
PID:2836

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1300

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3060

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkbieogfG6Fc.bat" "
17⤵
PID:2452

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2724

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aDACgDEy6RWc.bat" "
19⤵
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1428

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kFKXQWvR3zd0.bat" "
21⤵
PID:2508

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1192

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1524

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
22⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2280

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y3z9Pch4ROF2.bat" "
23⤵
PID:540

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:392

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
24⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8yLjWtYDwI6K.bat" "
25⤵
PID:1120

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:352

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1056

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
26⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwQfhiyOULQJ.bat" "
27⤵
PID:1188

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2264

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3064

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
28⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\L3AO7Qw5Qgyh.bat" "
29⤵
PID:2208

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1816

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
30⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3004

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4M7WKEXIum6M.bat" "
31⤵
PID:2012

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:2972

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
e22eded04f63ee8412924d986e3a522f

SHA1
ca0b817a54f1401b43b412013c0a948a03155619

SHA256
cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db

SHA512
6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4M7WKEXIum6M.bat
Filesize
201B

MD5
c2f5c9dd8e68315027a21162beb2c2f4

SHA1
184aa44b5525cb6fd3927b0816b527849b9b673b

SHA256
532bd1262eaf02c08e2353a6c4d1ba21a1062f141478ac99180b7ecfb25b62c7

SHA512
d7515c2faac335c298e608386a27311242be811066e7224ef51d54f0e94cf12daf6489a96bb7aa47c188b8a4bbacee03a38a6f003394f004a202b1a074573758

Download Submit
C:\Users\Admin\AppData\Local\Temp\8L7nhK8mc6rf.bat
Filesize
201B

MD5
e271a73c3bf0b31e3fb22e4df83dcde7

SHA1
19471a6e0a93cac9fb827f4f57d6aa8d861bbb22

SHA256
46012ac47e8bec2469e10c95f9c8035846b6bfcbc260669e10f939b2e1277f83

SHA512
43dd6ad61a2d6051a86303b51b228b3aecde579569ac3f71bc947510861a85acb3d6216eaa85ae1777a7a7f15acf7a7faca6371591b33a5cd16c0841c50ad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yLjWtYDwI6K.bat
Filesize
201B

MD5
7c3d9d978b57bb129ebc8c3b5161d6f2

SHA1
e87fb42cee1f681202dcc529ad510a271b3220f8

SHA256
d7c859edba28ef2b9795d4e00a57439da81ad80eb923a117b6bd4e0a7a8d0625

SHA512
d1a95e33f6ecc02e5c3243d3d031a97ed467d001cb43e6150b85c1dd12e06ce687049e157af80601b453c8fd7874437d3b749fb3da1428bf1126735ea961b3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bs5YEjTLZneL.bat
Filesize
201B

MD5
1f8ef404fe39baefc508e0612987ce63

SHA1
aea67e99458c73807608311c20345cdd309360ee

SHA256
771fd518c8289ff595ea2a83336129f3cda918b43f4762ace2ef647f3685f39c

SHA512
102d9fe168edbfa435186bf486d8a70214a0ed7902ab11c7c176b2623fe0f22683a0b11ff79a2fd434446817e92bb0460b8e52d33207bbda21f1a788f551af34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGPkjA6BjLXe.bat
Filesize
201B

MD5
398e26ae218a35ca7123b823d608b03a

SHA1
8bc4cf202c90287f9fb994eb5e17c730ef90f879

SHA256
0a9425f790eaa299c960cdc564e52230799ad29c9f58800c30033a182c8c4598

SHA512
53500c0be54f0da2a5bae35f6efab0fad5edc6a6bf748d6b44fd7051afca1ff0bf8afb4eedf67a16f91fe69391ae9430dc990889e634bfe9ce90777646eab306

Download Submit
C:\Users\Admin\AppData\Local\Temp\L3AO7Qw5Qgyh.bat
Filesize
201B

MD5
8ab1e9af66b8ee373f91bc34772107d3

SHA1
6651d2c32e0dcafc2e3e9dd71053c9a41905cadb

SHA256
731284e3c817051781a88ad0c578553980c707e368d029f6933a6e8372c0703e

SHA512
99ae01baa96cc63b761d864e4868ae9798da361de77548d2b5b8ce91d063be78a0af563b52097b200be29eebb9c6d55d809a4ed99444cf64f3926ed1d7043b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkbieogfG6Fc.bat
Filesize
201B

MD5
d493b891e4e1e00329ce8e4043c29920

SHA1
07799cd3786b2ab7c2f1984add65e020a1d40ef5

SHA256
85d1f85cc696ed5677946a962c9320e3b194870a781726f7b36c5028c772149e

SHA512
8198d93f9a7d5c298be3612271967c8757b843e8e4123adf8bd136d57f302a2547ce5f3c8ada41231c2346649d8408b0f98ddd8c72b27019aaabb3759017d22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RpLb7QF9t4sR.bat
Filesize
201B

MD5
28c8e48b3f10cc05b872b328ec3a4090

SHA1
8163cd8bfb7ba2af4ea4205ef970a9815a7f973e

SHA256
4d008f344dcda366b435a786375f993c959185ccd0a4fc929f01b551adfb84d0

SHA512
898af757bcd5c759f5fcaa4ecba6d33ddcd3c04f9fc6da499212db8bce4ae829ef9da5370147aecbc83d69ea5f0dd0af25bcab64a23100d62d1b639ab62b3e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WllFsDzOAtaf.bat
Filesize
201B

MD5
7161e101632510675b8d829cbb4c31c1

SHA1
0eb90c12978035e488565a7c7fa3292cc1816066

SHA256
fb851485558ca1ecd04ee894255ae28a7cd11620748b4adaaefd6f453dfed142

SHA512
a3b5530cf0b64e9b04aedbc67f9a4bc0086cdc3d8d885170add827b5cca296750a8aac49d1bf80aec48b888402676d8ff060125e2323506803d03d42de639feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y3z9Pch4ROF2.bat
Filesize
201B

MD5
fae7593f576d4bdcca02c2d8dbce5ed0

SHA1
4829af8acaa18fb3a98e06163f83b9cbb8c21f01

SHA256
b72002906360901df3cd5a013e55f62b58cb86414be2b585ad096229f2c6ed06

SHA512
1c478419d7a9f623906e6896f09e7d5371e7ee867dd4508c92e3419d9ffaa890e7c7953a683ff9f010ffdff0d6506db4094f84c5f8c65e4c97f4c27c57bd3c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aDACgDEy6RWc.bat
Filesize
201B

MD5
392ed492bb61c0fcaa4d038f2c8e17a8

SHA1
b93aba54714062824cc581729b1911c26de497ce

SHA256
800bd5d5afa5ccdd6051363abef6ac41bb24434540ddbf2869b97a71d8757e91

SHA512
02644347c7580e95c1aeae583bb962b5f371826db4d75d75847e839fd5db1d7f3b6f73432ecb3f542e2c29e385f5f81f66d3f3b5f81d5b4679e5084e94223e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck3ZspJSnxec.bat
Filesize
201B

MD5
64eaf65424e08a0c1b41860247db8762

SHA1
7da5bd501eaef1c46a0a27e2a5d675b40148edae

SHA256
e916003df0a103e813538a2c18cde52cd756384c46ec4ba129f7245dcb3ba8bf

SHA512
0f9793265c629394e115ebb4f914c0d142267d5121c6a3677451cc96287c0494c33d5934fb871c7b3d671b2f692e78298b3d54a5f7d56d9012536429e6c94947

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFKXQWvR3zd0.bat
Filesize
201B

MD5
e4d355b2602c031570b6e1e8fbf4684d

SHA1
d9b206398a2231aab01a0cd3098365d3cd03447e

SHA256
c9b3f3108615b8243cd29688c42cd82c4d2d3ec4365a96f5829730a5ae461b37

SHA512
bcab4e4a9799f4fedd109e7d1280ba5edfbacd71b74bd8f3f679afde6368712669b5706e78f6682549983a72e8ee1a426a02a52406e695de2040f69ddce4d3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqWQIceH5inA.bat
Filesize
201B

MD5
d4421b35add5d4f598c9f924c24bf007

SHA1
2f74a3f408379b693b08d124fee85318321647c3

SHA256
b2fea81ceda886c83c860776331e3033b626d34eed5cdcd8a4011467ab35b188

SHA512
b3a1d9f53b5de0949872df6dfa4aaf6605c1f8f66dc7debb87ad14ebc3409f60d3c69eae3208cc7e22effcaf27af98124c486efeb0503e432f335bc8bf8684b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwQfhiyOULQJ.bat
Filesize
201B

MD5
078bb659027573655df44d7c1b2e354a

SHA1
72e1cda0d5bacf4c179ffd838c7cac019d3c9f5e

SHA256
b338f0d856794e26d063feb1a953652cf1bfaf8e37a50612f4dd69551f4db511

SHA512
33a203c8db35447502f7103ebcfc33ca7f80de777b0457ce22b84228e53fe188c25ffb8aed9626619f24162ddb02537f41e11926a2f884639600be1b418eaffb

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/636-44-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/1332-132-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download
memory/1672-33-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/1896-66-0x00000000012C0000-0x00000000015E4000-memory.dmp

Filesize
3.1MB

Download
memory/1948-110-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/1992-143-0x0000000000820000-0x0000000000B44000-memory.dmp

Filesize
3.1MB

Download
memory/2164-155-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/2348-9-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2348-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-1-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/2400-10-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download
memory/2400-8-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-11-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-21-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-99-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/3004-167-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download