quasar | 1c041ceec32a88f14ba0705059598af65206ab7a61abff23b012b95928890d59

Analysis

max time kernel
89s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

6.1MB
MD5

187340d0966252e19cd25234908be33d
SHA1

47d9e8f4be1f2cb8dc9e979ce17344b2a906de4e
SHA256

1c041ceec32a88f14ba0705059598af65206ab7a61abff23b012b95928890d59
SHA512

7f63b5567ef65b3aa98331f27699b3f88f0ed3f793567427998770d185a80714b1a74d3ea6492ab3456df2f1f59c498032d07eaa41751c3cd29e02dbd8e90853
SSDEEP

98304:gGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqC4HIs2iTa2UUePNlcF134zJM70TR16r:g3NlqaubXgUCqCmjmMii

Score

10^/10

quasar opera spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.0

Botnet

Opera

RomaPro28937723-49554.portmap.io:49554

Mutex

dbdeb9e2-1d62-453a-8c06-8a6bf4be3071

Attributes

encryption_key
8A2A7B58F2803115FF796E733C7311493928333B
install_name
launcher.exe
log_directory
Opera Logs
reconnect_delay
3000
startup_key
Opera Launcher
subdirectory
Opera Software

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral3/memory/4792-134-0x0000000000220000-0x0000000000836000-memory.dmp	family_quasar
behavioral3/files/0x0007000000023225-162.dat	family_quasar
behavioral3/files/0x0007000000023225-169.dat	family_quasar
behavioral3/files/0x0007000000023225-170.dat	family_quasar
behavioral3/memory/1528-174-0x00000000001B0000-0x00000000004F0000-memory.dmp	family_quasar
behavioral3/files/0x000600000002324c-212.dat	family_quasar
behavioral3/files/0x000600000002324c-211.dat	family_quasar

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1056	OperaSetup.exe
1528	opera.exe
4948	OperaSetup.exe
3816	OperaSetup.exe
4688	launcher.exe
2636	Assistant_100.0.4815.21_Setup.exe_sfx.exe
212	assistant_installer.exe
1292	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
1056	OperaSetup.exe
4948	OperaSetup.exe
3816	OperaSetup.exe
212	assistant_installer.exe
212	assistant_installer.exe
1292	assistant_installer.exe
1292	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0006000000023230-152.dat	upx
behavioral3/files/0x0006000000023230-157.dat	upx
behavioral3/memory/1056-160-0x0000000000C10000-0x000000000113B000-memory.dmp	upx
behavioral3/files/0x0006000000023230-173.dat	upx
behavioral3/memory/4948-182-0x0000000000C10000-0x000000000113B000-memory.dmp	upx
behavioral3/files/0x0006000000023230-186.dat	upx
behavioral3/files/0x0006000000023243-189.dat	upx
behavioral3/memory/3816-195-0x0000000000D20000-0x000000000124B000-memory.dmp	upx
behavioral3/memory/3816-190-0x0000000000D20000-0x000000000124B000-memory.dmp	upx
behavioral3/memory/1056-219-0x0000000000C10000-0x000000000113B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4632	schtasks.exe
2844	schtasks.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2484	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	opera.exe
Token: SeDebugPrivilege	4688	launcher.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1056	OperaSetup.exe
4688	launcher.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1056	4792	OperaSetup.exe	92
PID 4792 wrote to memory of 1056	4792	OperaSetup.exe	92
PID 4792 wrote to memory of 1056	4792	OperaSetup.exe	92
PID 4792 wrote to memory of 1528	4792	OperaSetup.exe	93
PID 4792 wrote to memory of 1528	4792	OperaSetup.exe	93
PID 1056 wrote to memory of 4948	1056	OperaSetup.exe	95
PID 1056 wrote to memory of 4948	1056	OperaSetup.exe	95
PID 1056 wrote to memory of 4948	1056	OperaSetup.exe	95
PID 1056 wrote to memory of 3816	1056	OperaSetup.exe	96
PID 1056 wrote to memory of 3816	1056	OperaSetup.exe	96
PID 1056 wrote to memory of 3816	1056	OperaSetup.exe	96
PID 1528 wrote to memory of 4632	1528	opera.exe	100
PID 1528 wrote to memory of 4632	1528	opera.exe	100
PID 1528 wrote to memory of 4688	1528	opera.exe	102
PID 1528 wrote to memory of 4688	1528	opera.exe	102
PID 4688 wrote to memory of 2844	4688	launcher.exe	104
PID 4688 wrote to memory of 2844	4688	launcher.exe	104
PID 1056 wrote to memory of 2636	1056	OperaSetup.exe	106
PID 1056 wrote to memory of 2636	1056	OperaSetup.exe	106
PID 1056 wrote to memory of 2636	1056	OperaSetup.exe	106
PID 1056 wrote to memory of 212	1056	OperaSetup.exe	108
PID 1056 wrote to memory of 212	1056	OperaSetup.exe	108
PID 1056 wrote to memory of 212	1056	OperaSetup.exe	108
PID 212 wrote to memory of 1292	212	assistant_installer.exe	109
PID 212 wrote to memory of 1292	212	assistant_installer.exe	109
PID 212 wrote to memory of 1292	212	assistant_installer.exe	109
PID 4688 wrote to memory of 3276	4688	launcher.exe	112
PID 4688 wrote to memory of 3276	4688	launcher.exe	112
PID 4688 wrote to memory of 1012	4688	launcher.exe	114
PID 4688 wrote to memory of 1012	4688	launcher.exe	114
PID 1012 wrote to memory of 3392	1012	cmd.exe	116
PID 1012 wrote to memory of 3392	1012	cmd.exe	116
PID 1012 wrote to memory of 2484	1012	cmd.exe	117
PID 1012 wrote to memory of 2484	1012	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
  "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.76 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x7009d178,0x7009d188,0x7009d194
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x104e8a0,0x104e8b0,0x104e8bc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1292
- C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe
  "C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4632
- - C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe
    "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2844
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "Opera Launcher" /f
      4⤵
      PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGBVmb6YAx7v.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3392
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\additional_file0.tmp

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbgcore.DLL

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308020907081\opera_package

Filesize
90.9MB

MD5
8f2518c16c95940448da142c6c02027d

SHA1
5f9a4e6f5977ab1114f6ecf1cdb3c2f9bfc48079

SHA256
8cfa8195c716e3e317308c69c4f3091abfc1ee98b8ca78db2e7ef6ca95c0ee62

SHA512
e6e38b3001f6ae50e32993140456e0c8102bb4119649f9cb9527192324850dd09bd98af507c1041b4095cb95d674166e6a6422e233d300e895f8d697cadaf5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308020907072381056.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308020907079254948.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308020907085663816.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308020907085663816.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGBVmb6YAx7v.bat

Filesize
221B

MD5
07caa99f84582ea35065d841de829eb9

SHA1
74bf4aa5a8d7f41d372ba60d42ed6f794e122450

SHA256
b0a8006e3f34507a58075a021a137a075ece9d10b4f848c9c8c19ebcaf3c6099

SHA512
cec1e5fc4af65a6a5d4392809e052846a4a545f545d5ff680e7bd03a18dd2a5141b582847e4680545710a84153cfc0cdb96f7c6884d1e454171e7c8a1ccefbb7

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
9d27986e92662b4267c9018414fa741d

SHA1
b718e142c120ea5ccf81b3de5c1bcfae9f3c6a8f

SHA256
9bb8dc1a23aa5dbe6a1d20e4407020c802102bf08d09aa3b6701082ed03fa1c2

SHA512
375cf9e3b6978e26cb6729e3fe1b73f531ac39665df6526fe3e7f6ffcc6f1f100fdf2521ea487f4369f3c25d67f19aaea55f9eac6519968555d9d445d5f0873a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
9d27986e92662b4267c9018414fa741d

SHA1
b718e142c120ea5ccf81b3de5c1bcfae9f3c6a8f

SHA256
9bb8dc1a23aa5dbe6a1d20e4407020c802102bf08d09aa3b6701082ed03fa1c2

SHA512
375cf9e3b6978e26cb6729e3fe1b73f531ac39665df6526fe3e7f6ffcc6f1f100fdf2521ea487f4369f3c25d67f19aaea55f9eac6519968555d9d445d5f0873a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
53d988fd134e127b6c285d6ba799cb35

SHA1
1b4b5db46a2d4764b1d8e96c845df97d7d0fb3c2

SHA256
f42af11e64e132b7000228eb69c8a85b5eb9100114a5e6a51c493550923d6b90

SHA512
a4b5eabfdeb5d8c26ac4ac96125ffee0b34b007f447db52973c4596ca857dcd06821d46d58846681fdf8b959ea7b326aa52afe66f4d4a65aae00be822046785b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
53d988fd134e127b6c285d6ba799cb35

SHA1
1b4b5db46a2d4764b1d8e96c845df97d7d0fb3c2

SHA256
f42af11e64e132b7000228eb69c8a85b5eb9100114a5e6a51c493550923d6b90

SHA512
a4b5eabfdeb5d8c26ac4ac96125ffee0b34b007f447db52973c4596ca857dcd06821d46d58846681fdf8b959ea7b326aa52afe66f4d4a65aae00be822046785b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
53d988fd134e127b6c285d6ba799cb35

SHA1
1b4b5db46a2d4764b1d8e96c845df97d7d0fb3c2

SHA256
f42af11e64e132b7000228eb69c8a85b5eb9100114a5e6a51c493550923d6b90

SHA512
a4b5eabfdeb5d8c26ac4ac96125ffee0b34b007f447db52973c4596ca857dcd06821d46d58846681fdf8b959ea7b326aa52afe66f4d4a65aae00be822046785b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
53d988fd134e127b6c285d6ba799cb35

SHA1
1b4b5db46a2d4764b1d8e96c845df97d7d0fb3c2

SHA256
f42af11e64e132b7000228eb69c8a85b5eb9100114a5e6a51c493550923d6b90

SHA512
a4b5eabfdeb5d8c26ac4ac96125ffee0b34b007f447db52973c4596ca857dcd06821d46d58846681fdf8b959ea7b326aa52afe66f4d4a65aae00be822046785b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
53d988fd134e127b6c285d6ba799cb35

SHA1
1b4b5db46a2d4764b1d8e96c845df97d7d0fb3c2

SHA256
f42af11e64e132b7000228eb69c8a85b5eb9100114a5e6a51c493550923d6b90

SHA512
a4b5eabfdeb5d8c26ac4ac96125ffee0b34b007f447db52973c4596ca857dcd06821d46d58846681fdf8b959ea7b326aa52afe66f4d4a65aae00be822046785b

Download Submit
memory/1056-219-0x0000000000C10000-0x000000000113B000-memory.dmp

Filesize
5.2MB

Download
memory/1056-160-0x0000000000C10000-0x000000000113B000-memory.dmp

Filesize
5.2MB

Download
memory/1528-174-0x00000000001B0000-0x00000000004F0000-memory.dmp

Filesize
3.2MB

Download
memory/1528-179-0x00007FFB530F0000-0x00007FFB53BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1528-215-0x00007FFB530F0000-0x00007FFB53BB1000-memory.dmp

Filesize
10.8MB

Download
memory/1528-181-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/3816-190-0x0000000000D20000-0x000000000124B000-memory.dmp

Filesize
5.2MB

Download
memory/3816-195-0x0000000000D20000-0x000000000124B000-memory.dmp

Filesize
5.2MB

Download
memory/4688-247-0x000000001BE80000-0x000000001BEBC000-memory.dmp

Filesize
240KB

Download
memory/4688-214-0x00007FFB530F0000-0x00007FFB53BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-246-0x000000001BD10000-0x000000001BD22000-memory.dmp

Filesize
72KB

Download
memory/4688-227-0x000000001C690000-0x000000001C742000-memory.dmp

Filesize
712KB

Download
memory/4688-294-0x00007FFB530F0000-0x00007FFB53BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-225-0x000000001BCA0000-0x000000001BCF0000-memory.dmp

Filesize
320KB

Download
memory/4688-295-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4688-310-0x00007FFB530F0000-0x00007FFB53BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-222-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4792-180-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4792-139-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/4792-138-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4792-137-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4792-136-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/4792-135-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/4792-140-0x0000000005400000-0x0000000005456000-memory.dmp

Filesize
344KB

Download
memory/4792-133-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4792-134-0x0000000000220000-0x0000000000836000-memory.dmp

Filesize
6.1MB

Download
memory/4948-182-0x0000000000C10000-0x000000000113B000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads