quasar | 8281d71efcdc4a31140455be8ea5bfe040064cc2d2b68ef1722ed65ce9e937de

Analysis

max time kernel
327s
max time network
329s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
04/08/2023, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

6.1MB
MD5

0ce4fdaf85397833c486de4cee4bab26
SHA1

a80b5273a340e0ebc95ce8e1a643f7fc0347153c
SHA256

8281d71efcdc4a31140455be8ea5bfe040064cc2d2b68ef1722ed65ce9e937de
SHA512

d05f607ffc2cf6876022fce6c09fbf6b70c17a46a57c6fc29bf06784d0b2aaee9c2f27dbcb0ecb096d4af7d724f9d8553008e112095a7b252d7a0334fc3d99ac
SSDEEP

98304:BGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCRHIs2iTa2UUePNlcF134zJM7ts4J6:B3NlqaubXgUCqCdjmMJJ

Score

10^/10

quasar opera spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.0

Botnet

Opera

RomaPro28937723-49554.portmap.io:49554

Mutex

dbdeb9e2-1d62-453a-8c06-8a6bf4be3071

Attributes

encryption_key
8A2A7B58F2803115FF796E733C7311493928333B
install_name
launcher.exe
log_directory
Opera Logs
reconnect_delay
3000
startup_key
Opera Launcher
subdirectory
Opera Software

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/4268-118-0x0000000000BD0000-0x00000000011E6000-memory.dmp	family_quasar
behavioral1/files/0x000600000001afe1-141.dat	family_quasar
behavioral1/files/0x000600000001afe1-140.dat	family_quasar
behavioral1/memory/2608-144-0x0000000000330000-0x0000000000670000-memory.dmp	family_quasar
behavioral1/files/0x000600000001aff7-177.dat	family_quasar
behavioral1/files/0x000600000001aff7-178.dat	family_quasar
behavioral1/files/0x000600000001aff7-180.dat	family_quasar

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
4548	OperaSetup.exe
2608	opera.exe
2200	OperaSetup.exe
4288	OperaSetup.exe
4560	launcher.exe
3432	Assistant_100.0.4815.21_Setup.exe_sfx.exe
2500	assistant_installer.exe
3532	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
4548	OperaSetup.exe
2200	OperaSetup.exe
4288	OperaSetup.exe
2500	assistant_installer.exe
2500	assistant_installer.exe
3532	assistant_installer.exe
3532	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001afe5-135.dat	upx
behavioral1/memory/4548-138-0x0000000001390000-0x00000000018BB000-memory.dmp	upx
behavioral1/files/0x000600000001afe5-147.dat	upx
behavioral1/memory/2200-152-0x0000000001390000-0x00000000018BB000-memory.dmp	upx
behavioral1/files/0x000600000001afe5-158.dat	upx
behavioral1/files/0x000600000001aff4-161.dat	upx
behavioral1/memory/4288-166-0x0000000001350000-0x000000000187B000-memory.dmp	upx
behavioral1/files/0x000600000001aff4-159.dat	upx
behavioral1/memory/4548-186-0x0000000001390000-0x00000000018BB000-memory.dmp	upx
behavioral1/memory/2200-189-0x0000000001390000-0x00000000018BB000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5088	schtasks.exe
3908	schtasks.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4788	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	opera.exe
Token: SeDebugPrivilege	4560	launcher.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4548	OperaSetup.exe
4560	launcher.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4548	4268	OperaSetup.exe	69
PID 4268 wrote to memory of 4548	4268	OperaSetup.exe	69
PID 4268 wrote to memory of 4548	4268	OperaSetup.exe	69
PID 4268 wrote to memory of 2608	4268	OperaSetup.exe	70
PID 4268 wrote to memory of 2608	4268	OperaSetup.exe	70
PID 4548 wrote to memory of 2200	4548	OperaSetup.exe	71
PID 4548 wrote to memory of 2200	4548	OperaSetup.exe	71
PID 4548 wrote to memory of 2200	4548	OperaSetup.exe	71
PID 4548 wrote to memory of 4288	4548	OperaSetup.exe	72
PID 4548 wrote to memory of 4288	4548	OperaSetup.exe	72
PID 4548 wrote to memory of 4288	4548	OperaSetup.exe	72
PID 2608 wrote to memory of 5088	2608	opera.exe	73
PID 2608 wrote to memory of 5088	2608	opera.exe	73
PID 2608 wrote to memory of 4560	2608	opera.exe	75
PID 2608 wrote to memory of 4560	2608	opera.exe	75
PID 4560 wrote to memory of 3908	4560	launcher.exe	76
PID 4560 wrote to memory of 3908	4560	launcher.exe	76
PID 4548 wrote to memory of 3432	4548	OperaSetup.exe	78
PID 4548 wrote to memory of 3432	4548	OperaSetup.exe	78
PID 4548 wrote to memory of 3432	4548	OperaSetup.exe	78
PID 4548 wrote to memory of 2500	4548	OperaSetup.exe	79
PID 4548 wrote to memory of 2500	4548	OperaSetup.exe	79
PID 4548 wrote to memory of 2500	4548	OperaSetup.exe	79
PID 2500 wrote to memory of 3532	2500	assistant_installer.exe	80
PID 2500 wrote to memory of 3532	2500	assistant_installer.exe	80
PID 2500 wrote to memory of 3532	2500	assistant_installer.exe	80
PID 4560 wrote to memory of 4532	4560	launcher.exe	84
PID 4560 wrote to memory of 4532	4560	launcher.exe	84
PID 4560 wrote to memory of 356	4560	launcher.exe	86
PID 4560 wrote to memory of 356	4560	launcher.exe	86
PID 356 wrote to memory of 1132	356	cmd.exe	88
PID 356 wrote to memory of 1132	356	cmd.exe	88
PID 356 wrote to memory of 4788	356	cmd.exe	89
PID 356 wrote to memory of 4788	356	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
  "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.76 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2bc,0x2cc,0x6e5fd178,0x6e5fd188,0x6e5fd194
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x154e8a0,0x154e8b0,0x154e8bc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3532
- C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe
  "C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:5088
- - C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe
    "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3908
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "Opera Launcher" /f
      4⤵
      PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1OXKCy23SNYd.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:356
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1132
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4788

C:\Windows\system32\winver.exe
"C:\Windows\system32\winver.exe"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\additional_file0.tmp

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbgcore.DLL

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\opera_package

Filesize
90.9MB

MD5
33bb7a0a54316f44045f9593a6bda1d9

SHA1
00b6868bef9bcad51f459b87b9f18fb7950bc9af

SHA256
67e265f9611b3c2e8362cf6ab0860f7f2ebddad2f67d82cf9e4f9c0b4050337d

SHA512
9deadaf19bda5e9680a91de6aaf423c1944d919c7fdabd181dc1e693523e1558e8fb892498a49d867b310e8b865ada68c67d37ba64464c2d39d3280505599895

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OXKCy23SNYd.bat

Filesize
221B

MD5
f9e96531da0ba04b93e177a2c98bf019

SHA1
82e1f5999768ef0643f67fbd1449cd5e94798b2c

SHA256
27491eb7a50eec1d72b2a9bd29149d858e9be5a51b393f29b6fce55cec48c4b8

SHA512
a3da5dfd64464d570498d65e59c26f90710cc69407c5577f11fed0168803ed784480833d8e9e088b63c254254aec1d3f327e6cfa9ba14535183e9a1d4a3acd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933500714288.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
95ae87259068bb792ac619253bb68dc1

SHA1
27d67a944a0d19615805f5507e948744a1b9f2b2

SHA256
f5e5222ed939967324143764a2311c1c55632054cc9eb401637c01ef43adee26

SHA512
e8c5ce33664070cb4deea2ac9ceb08b268d1d644b8ac7c55476133b2655ac091a20234fb120ddd2ab940ca3345ffb90202bf874fe38f747b73a862351f551fea

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
95ae87259068bb792ac619253bb68dc1

SHA1
27d67a944a0d19615805f5507e948744a1b9f2b2

SHA256
f5e5222ed939967324143764a2311c1c55632054cc9eb401637c01ef43adee26

SHA512
e8c5ce33664070cb4deea2ac9ceb08b268d1d644b8ac7c55476133b2655ac091a20234fb120ddd2ab940ca3345ffb90202bf874fe38f747b73a862351f551fea

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933501\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933476244548.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933494882200.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933500714288.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
memory/2200-189-0x0000000001390000-0x00000000018BB000-memory.dmp

Filesize
5.2MB

Download
memory/2200-152-0x0000000001390000-0x00000000018BB000-memory.dmp

Filesize
5.2MB

Download
memory/2608-144-0x0000000000330000-0x0000000000670000-memory.dmp

Filesize
3.2MB

Download
memory/2608-145-0x00007FFE35C00000-0x00007FFE365EC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-154-0x000000001B300000-0x000000001B310000-memory.dmp

Filesize
64KB

Download
memory/2608-182-0x00007FFE35C00000-0x00007FFE365EC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-121-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/4268-122-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/4268-118-0x0000000000BD0000-0x00000000011E6000-memory.dmp

Filesize
6.1MB

Download
memory/4268-119-0x0000000005A10000-0x0000000005AAC000-memory.dmp

Filesize
624KB

Download
memory/4268-120-0x0000000005FB0000-0x00000000064AE000-memory.dmp

Filesize
5.0MB

Download
memory/4268-153-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/4268-124-0x0000000005CA0000-0x0000000005CF6000-memory.dmp

Filesize
344KB

Download
memory/4268-123-0x0000000005AC0000-0x0000000005ACA000-memory.dmp

Filesize
40KB

Download
memory/4268-117-0x0000000073220000-0x000000007390E000-memory.dmp

Filesize
6.9MB

Download
memory/4288-166-0x0000000001350000-0x000000000187B000-memory.dmp

Filesize
5.2MB

Download
memory/4548-138-0x0000000001390000-0x00000000018BB000-memory.dmp

Filesize
5.2MB

Download
memory/4548-186-0x0000000001390000-0x00000000018BB000-memory.dmp

Filesize
5.2MB

Download
memory/4560-181-0x00007FFE35C00000-0x00007FFE365EC000-memory.dmp

Filesize
9.9MB

Download
memory/4560-183-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download
memory/4560-194-0x00007FFE35C00000-0x00007FFE365EC000-memory.dmp

Filesize
9.9MB

Download
memory/4560-184-0x000000001B330000-0x000000001B380000-memory.dmp

Filesize
320KB

Download
memory/4560-185-0x000000001BBE0000-0x000000001BC92000-memory.dmp

Filesize
712KB

Download
memory/4560-273-0x000000001B380000-0x000000001B392000-memory.dmp

Filesize
72KB

Download
memory/4560-274-0x000000001BB60000-0x000000001BB9E000-memory.dmp

Filesize
248KB

Download
memory/4560-313-0x000000001D710000-0x000000001DC36000-memory.dmp

Filesize
5.1MB

Download
memory/4560-340-0x00007FFE35C00000-0x00007FFE365EC000-memory.dmp

Filesize
9.9MB

Download
memory/4560-196-0x000000001B510000-0x000000001B520000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads