quasar | cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22eded04f63ee8412924d986e3a522f.exe
Size

3.1MB
MD5

e22eded04f63ee8412924d986e3a522f
SHA1

ca0b817a54f1401b43b412013c0a948a03155619
SHA256

cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db
SHA512

6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e
SSDEEP

49152:Dv6I22SsaNYfdPBldt698dBcjHa++PJH1LoGdDTTHHB72eh2NT:Dv322SsaNYfdPBldt6+dBcjHa++Pz

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-44550.portmap.host:44550

Mutex

ed30a1b2-d1a0-4e30-a860-b77fa3f71c40

Attributes

encryption_key
49F9D3CAD835E70C60B54E401E356C16B3822AE8
install_name
Opera GX.exe
log_directory
Logs
reconnect_delay
1000
startup_key
OperaVPN
subdirectory
common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/2064-1-0x00000000002E0000-0x0000000000604000-memory.dmp family_quasar
C:\Program Files\Common Files\Opera GX.exe family_quasar

resource	yara_rule
behavioral2/memory/2064-1-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
C:\Program Files\Common Files\Opera GX.exe	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Opera GX.exe

Executes dropped EXE 9 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3312 Opera GX.exe
2192 Opera GX.exe
532 Opera GX.exe
4960 Opera GX.exe
4872 Opera GX.exe
2936 Opera GX.exe
228 Opera GX.exe
1388 Opera GX.exe
372 Opera GX.exe

pid	process
3312	Opera GX.exe
2192	Opera GX.exe
532	Opera GX.exe
4960	Opera GX.exe
4872	Opera GX.exe
2936	Opera GX.exe
228	Opera GX.exe
1388	Opera GX.exe
372	Opera GX.exe

Drops file in Program Files directory 21 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exee22eded04f63ee8412924d986e3a522f.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	ioc	process
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File created	C:\Program Files\common Files\Opera GX.exe	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	e22eded04f63ee8412924d986e3a522f.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files\Opera GX.exe	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe
File opened for modification	C:\Program Files\common Files	Opera GX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

372 PING.EXE
2288 PING.EXE
4848 PING.EXE
4700 PING.EXE
2344 PING.EXE
3260 PING.EXE
5088 PING.EXE
4728 PING.EXE
2020 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3252 schtasks.exe
3464 schtasks.exe
856 schtasks.exe
528 schtasks.exe
1556 schtasks.exe
2396 schtasks.exe
1844 schtasks.exe
764 schtasks.exe
3700 schtasks.exe
4952 schtasks.exe

pid	process
372	PING.EXE
2288	PING.EXE
4848	PING.EXE
4700	PING.EXE
2344	PING.EXE
3260	PING.EXE
5088	PING.EXE
4728	PING.EXE
2020	PING.EXE

pid	process
3252	schtasks.exe
3464	schtasks.exe
856	schtasks.exe
528	schtasks.exe
1556	schtasks.exe
2396	schtasks.exe
1844	schtasks.exe
764	schtasks.exe
3700	schtasks.exe
4952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

e22eded04f63ee8412924d986e3a522f.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

description	pid	process
Token: SeDebugPrivilege	2064	e22eded04f63ee8412924d986e3a522f.exe
Token: SeDebugPrivilege	3312	Opera GX.exe
Token: SeDebugPrivilege	2192	Opera GX.exe
Token: SeDebugPrivilege	532	Opera GX.exe
Token: SeDebugPrivilege	4960	Opera GX.exe
Token: SeDebugPrivilege	4872	Opera GX.exe
Token: SeDebugPrivilege	2936	Opera GX.exe
Token: SeDebugPrivilege	228	Opera GX.exe
Token: SeDebugPrivilege	1388	Opera GX.exe
Token: SeDebugPrivilege	372	Opera GX.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3312 Opera GX.exe
2192 Opera GX.exe
532 Opera GX.exe
4960 Opera GX.exe
4872 Opera GX.exe
2936 Opera GX.exe
228 Opera GX.exe
1388 Opera GX.exe
372 Opera GX.exe
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3312 Opera GX.exe
2192 Opera GX.exe
532 Opera GX.exe
4960 Opera GX.exe
4872 Opera GX.exe
2936 Opera GX.exe
228 Opera GX.exe
1388 Opera GX.exe
372 Opera GX.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Opera GX.exeOpera GX.exeOpera GX.exeOpera GX.exeOpera GX.exe

pid process

3312 Opera GX.exe
2936 Opera GX.exe
228 Opera GX.exe
1388 Opera GX.exe
372 Opera GX.exe

pid	process
3312	Opera GX.exe
2192	Opera GX.exe
532	Opera GX.exe
4960	Opera GX.exe
4872	Opera GX.exe
2936	Opera GX.exe
228	Opera GX.exe
1388	Opera GX.exe
372	Opera GX.exe

pid	process
3312	Opera GX.exe
2192	Opera GX.exe
532	Opera GX.exe
4960	Opera GX.exe
4872	Opera GX.exe
2936	Opera GX.exe
228	Opera GX.exe
1388	Opera GX.exe
372	Opera GX.exe

pid	process
3312	Opera GX.exe
2936	Opera GX.exe
228	Opera GX.exe
1388	Opera GX.exe
372	Opera GX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e22eded04f63ee8412924d986e3a522f.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exeOpera GX.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 764	2064	e22eded04f63ee8412924d986e3a522f.exe	schtasks.exe
PID 2064 wrote to memory of 764	2064	e22eded04f63ee8412924d986e3a522f.exe	schtasks.exe
PID 2064 wrote to memory of 3312	2064	e22eded04f63ee8412924d986e3a522f.exe	Opera GX.exe
PID 2064 wrote to memory of 3312	2064	e22eded04f63ee8412924d986e3a522f.exe	Opera GX.exe
PID 3312 wrote to memory of 3700	3312	Opera GX.exe	schtasks.exe
PID 3312 wrote to memory of 3700	3312	Opera GX.exe	schtasks.exe
PID 3312 wrote to memory of 2232	3312	Opera GX.exe	cmd.exe
PID 3312 wrote to memory of 2232	3312	Opera GX.exe	cmd.exe
PID 2232 wrote to memory of 1764	2232	cmd.exe	chcp.com
PID 2232 wrote to memory of 1764	2232	cmd.exe	chcp.com
PID 2232 wrote to memory of 2344	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 2344	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 2192	2232	cmd.exe	Opera GX.exe
PID 2232 wrote to memory of 2192	2232	cmd.exe	Opera GX.exe
PID 2192 wrote to memory of 3252	2192	Opera GX.exe	schtasks.exe
PID 2192 wrote to memory of 3252	2192	Opera GX.exe	schtasks.exe
PID 2192 wrote to memory of 4992	2192	Opera GX.exe	cmd.exe
PID 2192 wrote to memory of 4992	2192	Opera GX.exe	cmd.exe
PID 4992 wrote to memory of 2888	4992	cmd.exe	chcp.com
PID 4992 wrote to memory of 2888	4992	cmd.exe	chcp.com
PID 4992 wrote to memory of 3260	4992	cmd.exe	PING.EXE
PID 4992 wrote to memory of 3260	4992	cmd.exe	PING.EXE
PID 4992 wrote to memory of 532	4992	cmd.exe	Opera GX.exe
PID 4992 wrote to memory of 532	4992	cmd.exe	Opera GX.exe
PID 532 wrote to memory of 3464	532	Opera GX.exe	schtasks.exe
PID 532 wrote to memory of 3464	532	Opera GX.exe	schtasks.exe
PID 532 wrote to memory of 4548	532	Opera GX.exe	cmd.exe
PID 532 wrote to memory of 4548	532	Opera GX.exe	cmd.exe
PID 4548 wrote to memory of 4852	4548	cmd.exe	chcp.com
PID 4548 wrote to memory of 4852	4548	cmd.exe	chcp.com
PID 4548 wrote to memory of 372	4548	cmd.exe	PING.EXE
PID 4548 wrote to memory of 372	4548	cmd.exe	PING.EXE
PID 4548 wrote to memory of 4960	4548	cmd.exe	Opera GX.exe
PID 4548 wrote to memory of 4960	4548	cmd.exe	Opera GX.exe
PID 4960 wrote to memory of 856	4960	Opera GX.exe	schtasks.exe
PID 4960 wrote to memory of 856	4960	Opera GX.exe	schtasks.exe
PID 4960 wrote to memory of 3368	4960	Opera GX.exe	cmd.exe
PID 4960 wrote to memory of 3368	4960	Opera GX.exe	cmd.exe
PID 3368 wrote to memory of 4984	3368	cmd.exe	chcp.com
PID 3368 wrote to memory of 4984	3368	cmd.exe	chcp.com
PID 3368 wrote to memory of 2288	3368	cmd.exe	PING.EXE
PID 3368 wrote to memory of 2288	3368	cmd.exe	PING.EXE
PID 3368 wrote to memory of 4872	3368	cmd.exe	Opera GX.exe
PID 3368 wrote to memory of 4872	3368	cmd.exe	Opera GX.exe
PID 4872 wrote to memory of 528	4872	Opera GX.exe	schtasks.exe
PID 4872 wrote to memory of 528	4872	Opera GX.exe	schtasks.exe
PID 4872 wrote to memory of 920	4872	Opera GX.exe	cmd.exe
PID 4872 wrote to memory of 920	4872	Opera GX.exe	cmd.exe
PID 920 wrote to memory of 2284	920	cmd.exe	chcp.com
PID 920 wrote to memory of 2284	920	cmd.exe	chcp.com
PID 920 wrote to memory of 5088	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 5088	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 2936	920	cmd.exe	Opera GX.exe
PID 920 wrote to memory of 2936	920	cmd.exe	Opera GX.exe
PID 2936 wrote to memory of 1556	2936	Opera GX.exe	schtasks.exe
PID 2936 wrote to memory of 1556	2936	Opera GX.exe	schtasks.exe
PID 2936 wrote to memory of 1792	2936	Opera GX.exe	cmd.exe
PID 2936 wrote to memory of 1792	2936	Opera GX.exe	cmd.exe
PID 1792 wrote to memory of 2252	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 2252	1792	cmd.exe	chcp.com
PID 1792 wrote to memory of 4728	1792	cmd.exe	PING.EXE
PID 1792 wrote to memory of 4728	1792	cmd.exe	PING.EXE
PID 1792 wrote to memory of 228	1792	cmd.exe	Opera GX.exe
PID 1792 wrote to memory of 228	1792	cmd.exe	Opera GX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e22eded04f63ee8412924d986e3a522f.exe
"C:\Users\Admin\AppData\Local\Temp\e22eded04f63ee8412924d986e3a522f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K9t0daJ5wpbO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1764

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2344

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\exqgJhr7vT0G.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2888

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3260

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKi1Le4V0iJV.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4852

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:372

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VhtzWkPvBaJm.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2288

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQb9CnoJ4ASV.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2284

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:5088

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nRcMA0tdG9mL.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2252

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4728

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r2TsLsrfif7M.bat" "
15⤵
PID:3724

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:4724

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2020

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UfmMz986WuIQ.bat" "
17⤵
PID:4160

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:5016

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4848

C:\Program Files\common Files\Opera GX.exe
"C:\Program Files\common Files\Opera GX.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OperaVPN" /sc ONLOGON /tr "C:\Program Files\common Files\Opera GX.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\flgX1Xnd5o8s.bat" "
19⤵
PID:4004

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Opera GX.exe
Filesize
3.1MB

MD5
e22eded04f63ee8412924d986e3a522f

SHA1
ca0b817a54f1401b43b412013c0a948a03155619

SHA256
cbc58336a25eddf588be0b4c90fa9dd0267e545489b14c53505a53125a1a49db

SHA512
6ae9c8cf956939a15b3c6fdc40b905f0d5bb03e665309d0a15e3956f9912bd491087ad8cabbacd0dd7e0a2e50fca1af2f055805c8748105c43afc5bff85ba89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Opera GX.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKi1Le4V0iJV.bat
Filesize
201B

MD5
61f146d1fd032f02f46d7137ed30208e

SHA1
65a7787cb9f993427005ced1b0f60112b53ca1bc

SHA256
e21ec9fa286ed8ba07cfd2a5a61712abb23579b75ff16e88c467878d170f7595

SHA512
cd856224ca0cfce4b142b322813a8742af449d82f49ceee08ff0591ebdf96285d7d089022b8d882640bae5c0f4863a65b38bf6bfec15caf1f3f642e600a33ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9t0daJ5wpbO.bat
Filesize
201B

MD5
5eee50447584e164237d9825e4bd5e67

SHA1
2a3dc45cc8d7522f3c14408924fa99648c390de4

SHA256
3ac9f7bf64bcde3a65f85618f233d4e9618fb7d88cd5fa695ba286885fee4cc2

SHA512
0c81a536cd178923fa5562375509dc736512e870a52f8e9d29d8bf6eeeb2c311be44389cb6bbe624c6f025feea43d499e09d2e2e1de192b386f4b5fde155d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\UfmMz986WuIQ.bat
Filesize
201B

MD5
7c6473179b65694904594400574386d6

SHA1
3fd6894a031ecea12f61f3ffc0ca6f44b9f57299

SHA256
93adee0c58d98fb8d946ee5168772ca4c437477106d27cb9870570ad8b5da831

SHA512
47a4c2744db5119ba25f0b3cce644fe8c065b46e0a584d1d5f07fc15fb6cb2b9f997b11d72f0140b7c17c2b3f2e6914249632b8cc3bdcd51830c5950295b9544

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhtzWkPvBaJm.bat
Filesize
201B

MD5
3c5d346321c0318c7cdde40e3337699e

SHA1
fd287de7cd295ed34e470c384c7c8c97ff36b815

SHA256
1d349542f5f1cf1d8f1f439714f7b786e6bb7a52678bd78c6b5a5ce0aa2cbbbf

SHA512
62288c35f21b5f56d99abc84ad2c38c893091591dc34fc355ef032d75544ca31198752efa7c755575f2463a835b5d409ece140cd4a84c71286511912312a4f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\exqgJhr7vT0G.bat
Filesize
201B

MD5
e79c5e960df66a50d37cedd3ae114b0f

SHA1
f2db254c1fde56bcdae036d8df1d559237e4363b

SHA256
93611e0f891ea2d4d18e4d72d89a037bac3ced97eb2f9690cee47e93afbca843

SHA512
b9b9658c9cd884b1f88165b737b5cbe9d3175d0941d6184086c14b0023e4b0fef78520dc09919215a29806081bed60342a0c25b666caffe811efa0fb36e3c462

Download Submit
C:\Users\Admin\AppData\Local\Temp\flgX1Xnd5o8s.bat
Filesize
201B

MD5
38ac0a4077b155f64019cbf2c0d813b3

SHA1
504eded1570a3a5f989a8b195d8e0fc408051474

SHA256
5418d3fcb4a79227be41484dfcb57d3ff2d1685b7cddae22828527f1742da713

SHA512
d7ed3ba8cc1422cdb3d8ca98fd0df63609f8980c5b1157f5941b82ca9f471e8accf2ed586f10e06d19b99c53630883f4cad4de09600034947346050c819c73ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nRcMA0tdG9mL.bat
Filesize
201B

MD5
2c76c50450f2668b1ba8c605dc9d59ed

SHA1
44be76a60e5a4701240888907e9d4036451ed364

SHA256
c6ac46e4d2327d67f2e2ba3043b3bcd3b9b293e91f938344d7a76419adb3f5c9

SHA512
63e9d5802f5effeb06ba3b9a9b8fe6d4273a2d74ff7a496e0cd1f1061b1a01c35e5a490c7f60f75b4c6ca8658a3c7a4641870de72e199a0962ffe5d03faf23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2TsLsrfif7M.bat
Filesize
201B

MD5
b8e3c00c9ceb41a80a04345a7bfab2fd

SHA1
087786b40467a3e400b2039b38b30622082dc385

SHA256
74a7ee7761bede9e7b9c9f24e99a63de165e2b1f880e8e16df83b6ae8a6010a7

SHA512
81b34ded980aade8faefa2a5b4decf9fa84dc7ed52752882771b7742bacf6f70d2fcced47e9f394353f0085bd944f5801fbd5338bfbbe6e61002fabc408b222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQb9CnoJ4ASV.bat
Filesize
201B

MD5
5c23f2eb024411962d4d3aef0d927643

SHA1
955726987e6d2ed8400e1069b3dcf5bc46fe936e

SHA256
03097e1ee4c203c0e41f4233675a6e1ca8c973580b995ed7c81a8437f0d234fc

SHA512
a783a21ff1f5d9496c6a8be83586702497347149d77be9a0e6e8c1362540c563abb9832118e35044867c9ca44001b697103637c861f02815c19e49219ee6ad71

Download Submit
memory/2064-0-0x00007FFE770A3000-0x00007FFE770A5000-memory.dmp

Filesize
8KB

Download
memory/2064-10-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp

Filesize
10.8MB

Download
memory/2064-2-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp

Filesize
10.8MB

Download
memory/2064-1-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/3312-18-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp

Filesize
10.8MB

Download
memory/3312-13-0x000000001E170000-0x000000001E222000-memory.dmp

Filesize
712KB

Download
memory/3312-12-0x000000001E060000-0x000000001E0B0000-memory.dmp

Filesize
320KB

Download
memory/3312-11-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp

Filesize
10.8MB

Download
memory/3312-9-0x00007FFE770A0000-0x00007FFE77B61000-memory.dmp

Filesize
10.8MB

Download