quasar | 8281d71efcdc4a31140455be8ea5bfe040064cc2d2b68ef1722ed65ce9e937de

Analysis

max time kernel
328s
max time network
335s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaSetup.exe
Size

6.1MB
MD5

0ce4fdaf85397833c486de4cee4bab26
SHA1

a80b5273a340e0ebc95ce8e1a643f7fc0347153c
SHA256

8281d71efcdc4a31140455be8ea5bfe040064cc2d2b68ef1722ed65ce9e937de
SHA512

d05f607ffc2cf6876022fce6c09fbf6b70c17a46a57c6fc29bf06784d0b2aaee9c2f27dbcb0ecb096d4af7d724f9d8553008e112095a7b252d7a0334fc3d99ac
SSDEEP

98304:BGh5ziNlRUaub+MPDrc/c+NmXnKyFrsqCRHIs2iTa2UUePNlcF134zJM7ts4J6:B3NlqaubXgUCqCdjmMJJ

Score

10^/10

quasar opera spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

1.0

Botnet

Opera

RomaPro28937723-49554.portmap.io:49554

Mutex

dbdeb9e2-1d62-453a-8c06-8a6bf4be3071

Attributes

encryption_key
8A2A7B58F2803115FF796E733C7311493928333B
install_name
launcher.exe
log_directory
Opera Logs
reconnect_delay
3000
startup_key
Opera Launcher
subdirectory
Opera Software

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral2/memory/5096-134-0x0000000000E30000-0x0000000001446000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023122-161.dat	family_quasar
behavioral2/files/0x0009000000023122-171.dat	family_quasar
behavioral2/files/0x0009000000023122-170.dat	family_quasar
behavioral2/memory/2872-184-0x0000000000D30000-0x0000000001070000-memory.dmp	family_quasar
behavioral2/files/0x000600000002323a-205.dat	family_quasar
behavioral2/files/0x000600000002323a-206.dat	family_quasar

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
984	OperaSetup.exe
2872	opera.exe
4316	OperaSetup.exe
5104	OperaSetup.exe
2984	launcher.exe
4500	Assistant_100.0.4815.21_Setup.exe_sfx.exe
1408	assistant_installer.exe
4088	assistant_installer.exe

Loads dropped DLL 7 IoCs

pid	Process
984	OperaSetup.exe
4316	OperaSetup.exe
5104	OperaSetup.exe
1408	assistant_installer.exe
1408	assistant_installer.exe
4088	assistant_installer.exe
4088	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023222-152.dat	upx
behavioral2/files/0x0006000000023222-157.dat	upx
behavioral2/memory/984-165-0x0000000000E10000-0x000000000133B000-memory.dmp	upx
behavioral2/files/0x0006000000023222-173.dat	upx
behavioral2/memory/4316-182-0x0000000000E10000-0x000000000133B000-memory.dmp	upx
behavioral2/files/0x0006000000023222-180.dat	upx
behavioral2/files/0x0006000000023236-186.dat	upx
behavioral2/memory/5104-194-0x00000000004C0000-0x00000000009EB000-memory.dmp	upx
behavioral2/memory/984-215-0x0000000000E10000-0x000000000133B000-memory.dmp	upx
behavioral2/memory/4316-217-0x0000000000E10000-0x000000000133B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1232	schtasks.exe
3060	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	opera.exe
Token: SeDebugPrivilege	2984	launcher.exe
Token: SeDebugPrivilege	1936	firefox.exe
Token: SeDebugPrivilege	1936	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
984	OperaSetup.exe
2984	launcher.exe
1936	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 984	5096	OperaSetup.exe	90
PID 5096 wrote to memory of 984	5096	OperaSetup.exe	90
PID 5096 wrote to memory of 984	5096	OperaSetup.exe	90
PID 5096 wrote to memory of 2872	5096	OperaSetup.exe	91
PID 5096 wrote to memory of 2872	5096	OperaSetup.exe	91
PID 984 wrote to memory of 4316	984	OperaSetup.exe	92
PID 984 wrote to memory of 4316	984	OperaSetup.exe	92
PID 984 wrote to memory of 4316	984	OperaSetup.exe	92
PID 984 wrote to memory of 5104	984	OperaSetup.exe	95
PID 984 wrote to memory of 5104	984	OperaSetup.exe	95
PID 984 wrote to memory of 5104	984	OperaSetup.exe	95
PID 2872 wrote to memory of 1232	2872	opera.exe	97
PID 2872 wrote to memory of 1232	2872	opera.exe	97
PID 2872 wrote to memory of 2984	2872	opera.exe	99
PID 2872 wrote to memory of 2984	2872	opera.exe	99
PID 2984 wrote to memory of 3060	2984	launcher.exe	102
PID 2984 wrote to memory of 3060	2984	launcher.exe	102
PID 984 wrote to memory of 4500	984	OperaSetup.exe	105
PID 984 wrote to memory of 4500	984	OperaSetup.exe	105
PID 984 wrote to memory of 4500	984	OperaSetup.exe	105
PID 984 wrote to memory of 1408	984	OperaSetup.exe	106
PID 984 wrote to memory of 1408	984	OperaSetup.exe	106
PID 984 wrote to memory of 1408	984	OperaSetup.exe	106
PID 1408 wrote to memory of 4088	1408	assistant_installer.exe	107
PID 1408 wrote to memory of 4088	1408	assistant_installer.exe	107
PID 1408 wrote to memory of 4088	1408	assistant_installer.exe	107
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 4724 wrote to memory of 1936	4724	firefox.exe	126
PID 1936 wrote to memory of 3760	1936	firefox.exe	127
PID 1936 wrote to memory of 3760	1936	firefox.exe	127
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128
PID 1936 wrote to memory of 1320	1936	firefox.exe	128

C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
  "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.76 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2cc,0x2f0,0x7042d178,0x7042d188,0x7042d194
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=100.0.4815.21 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xaae8a0,0xaae8b0,0xaae8bc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4088
- C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe
  "C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1232
- - C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe
    "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3060
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "Opera Launcher" /f
      4⤵
      PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imAqhh8lncCd.bat" "
      4⤵
      PID:5008
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:256
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.0.380843779\311359669" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1792 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb8f8561-aeda-4660-9bc9-0f4922bc1713} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 1960 21754505758 gpu
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.1.564403238\925622566" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6c18149-87f2-4f14-91a0-8aeb9b9fbca3} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 2360 21752e3a358 socket
    3⤵
    PID:1320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.2.620329278\800572548" -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 3156 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27e8cd89-6511-41bb-9e49-f84aed85a46c} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 2996 217574ab658 tab
    3⤵
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.3.1065811694\268930943" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dec419a-8fa3-4ade-adea-db2093f63424} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3464 21755aacb58 tab
    3⤵
    PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.4.2109473740\1735010769" -childID 3 -isForBrowser -prefsHandle 3972 -prefMapHandle 3960 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21261839-f40a-4110-95c2-ad1d69623831} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3988 21746a62b58 tab
    3⤵
    PID:3956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.5.305226264\1457826357" -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5156 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85803263-b216-45ac-9e76-56fbfcdedcc4} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5176 21746a2e758 tab
    3⤵
    PID:4484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.7.604075024\864286751" -childID 6 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b851745-754a-446f-8ab2-699b83323237} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5496 21759b2db58 tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.6.563429185\1128363492" -childID 5 -isForBrowser -prefsHandle 5136 -prefMapHandle 5160 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e868a67d-37a7-489f-90cf-560a8904840e} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5312 21759798858 tab
    3⤵
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
147KB

MD5
2b61eed840b5797d93cc9ed492e18024

SHA1
8f402ba4676120da0474fd6b39e6df6de31596d1

SHA256
e004ce2ef6db274409cbaf07e97c4a74313e04b9a4209908508145e3a42df262

SHA512
c47def40984e1d974beceaadfbed27be5e37b095926b1f995b5ad12dfa48a781b31bc17c0f348944e803e01dee46eaccdead28b4731708225b233d8ef43bf5e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\cache2\entries\70DBE5F90BD35EEC6D4A07D16DB46EC38E379124

Filesize
13KB

MD5
c46d32df238774c8cfa9b1baf8f68d0e

SHA1
c79e890543d02d9f2d6134f3126f3201d0298bf6

SHA256
2018307c057b4246bb56c0ca363e1e8a6234003afb62b7e00f84300a45556010

SHA512
ea240359c98827813c5f044b222938290502e1ffbae44da7a51c3bd66aebf73402a7e819a73ddf3da3f21abba47ee8ecd54fa379132fa755658423a483509193

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Opera Software\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

Filesize
2.7MB

MD5
27ddbd45631c889147790b6d77d97719

SHA1
acfdc5911e4454bfce9ca76e4bbd24057b505a05

SHA256
cfcf70165dae47335062c5e6a608877aa8ad1f4914de614af92f6165952febba

SHA512
234aeebe010a161ca7de36957b9c190ed1db0d49bd5a37d508053c478e34af3c83d057ba9408535fd252517aea48a5423705de914c7ad382bfbfdc62cd34a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

Filesize
2.4MB

MD5
79ef7e63ffe3005c8edacaa49e997bdc

SHA1
9a236cb584c86c0d047ce55cdda4576dd40b027e

SHA256
388a4c959063e7edf133058e2cf797574bed808776a7c9a0307aaeb718ff7bd1

SHA512
59ee17f0f452617bcd1a4e42947310c52c21e88d31f1d6a09ebdb6ab400fcb1f997627a0f97fa185e58683d65a45425f8a7ec698f63a84d91c838e0f7e899094

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
0d88834a56d914983a2fe03d6c8c7a83

SHA1
e1ecd04c3610fe5f9df9bb747ee4754ccbdddb35

SHA256
e61426a4c8d7d18d497e7ae7db69c470bae545a630e2d27eada917135fc65f53

SHA512
95233cbcc81838b16825ab7bd52981d99ae4ec27c91fcd5285bff5c4e6fcea43f4a0c78617c0b9404fb69d6d83871b32f0ed6c58ca62e73e41cd999b813c3fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbgcore.DLL

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbgcore.dll

Filesize
166KB

MD5
15a2bc75539a13167028a3d2940bf40a

SHA1
1aed6d2855b26aa7a8fb06d690a89da3fc8eca86

SHA256
07465dffa02c99d11dcd0a81ab7cea1fc97ef6666f37b2fd10592c1c463bf693

SHA512
141d44339fb706971a0b481e1987a0a0eb71e63d485404548ff7443ddf744a8b6a5f869c33e49141b974cdaf17e0a654785c8ddac789c2fb821ba0a8b72dea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\assistant\dbghelp.dll

Filesize
1.7MB

MD5
2215b082f5128ab5e3f28219f9c4118a

SHA1
20c6e3294a5b8ebbebb55fc0e025afff33c3834d

SHA256
98593b37dfe911eea2fee3014fb1b5460c73433b73dc211d063701353441706d

SHA512
3e1249a0b4baad228045f4869273821f97a0cd108bc9385478e562e91830f6bc369810d6f4021c6e04e79b9ec0f4088056f4998950af46f6ab50366522aa887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202308040933521\opera_package

Filesize
90.9MB

MD5
33bb7a0a54316f44045f9593a6bda1d9

SHA1
00b6868bef9bcad51f459b87b9f18fb7950bc9af

SHA256
67e265f9611b3c2e8362cf6ab0860f7f2ebddad2f67d82cf9e4f9c0b4050337d

SHA512
9deadaf19bda5e9680a91de6aaf423c1944d919c7fdabd181dc1e693523e1558e8fb892498a49d867b310e8b865ada68c67d37ba64464c2d39d3280505599895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_230804093350347984.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933506754316.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933517855104.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2308040933517855104.dll

Filesize
4.5MB

MD5
d457c7babc8cb0909303e5a46e70eeb2

SHA1
912fb82d1e6b7489b8b41e1f80f4a991fe9db2a8

SHA256
1f4a482f829847a57e663101cda02443aead44b1eab9fdc3f1da6b3015643160

SHA512
6a335fffb02fe06fc4ecf81d091e5ea9c10225427cb4ca70da5fadba17c2223507afd6de9b6b073c4ad05c0554d42a02e4b9980f20bd01e17328c46847275e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\imAqhh8lncCd.bat

Filesize
221B

MD5
e164079986c20965096b2099e2ae9ee2

SHA1
e05740107eca9c3dc021db9699a652e1b0935bac

SHA256
4a428bea88edb3effc5184abb5d810488761f509a376dacab31c2ce5ca032bd4

SHA512
11b01b1a87d44d636d35409404d2c98bc8b818dc6ab3cda72fbbc8dbf64e4236c8135bac9f51905367d4b7a19a41e97024cc4f3de202985930976fb3cd77961b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
9KB

MD5
a0f6d88b3deebc0cde03aaa67e8812f1

SHA1
bf69782963606b4b587f7a6770f8b2f31e32b1af

SHA256
1be802de1740f4d0e7a4ea7d8a1ff3fcfdb2b9068436e9d1707eac02e5312527

SHA512
5c9e341ce71cdf25f78317cfe2cbd84781e7075cd56dcb49880febbd9e420210f24dc811a3af9d1854380051f362638200ae6aee5995fbbe5b75c5a7bcc283ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs-1.js

Filesize
8KB

MD5
0990574c971688b209cd667f2e4c3c28

SHA1
4ecd861a5951041823e6f1f6c13ec761fdeb67c1

SHA256
83f237f0d5753390f874ea3fdc555274976cc8ea6935afefffa16acc5e70862f

SHA512
dba15a62098683b713800038bfb9e441a92ec208d1d2554de980204e058c2706180962cb686760aeb38e3181fb797f4a47da8f9e92e653d14634cf524984693a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs.js

Filesize
6KB

MD5
ee9539e0980e72f346e6a8381a83e18a

SHA1
c4719d92c32f28a431cafb24d7854d5ebb1805b8

SHA256
3b1da88695bb4d06a16e4c07034b7b7042fc145a0c77d1679548b631938a8d0d

SHA512
799b3abf2832a5c448a0c9e222d150f5231097268664a7b71f40bf0ddde25c0e7e09e94de1122843f3e53ade174d1cb7fdb164d187b636b29e020cc3871e5de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
695f282dc09440b1b9c57ff0deab8e8b

SHA1
d69549127f9b9214b395bfa25443bb9725fb244d

SHA256
f7fa93bc734e3b5c597eba2877bafaf9d2ecf4182588da05702de07a6c4caf83

SHA512
1ab34499e7f2bb63361ff6312ec110d30e78a9c8a75c894eb37b941bbf3a2f6176ee8e12b05b95f613bff1f7efb53810bb3ea3e13026210d1f007e71b466c373

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
aae8c684bb21af3613ff196d9f259e82

SHA1
5898f8901fc6edcb881b9bcebf62a3bc434c4236

SHA256
3ec0bc02ef7a76d497a7644b068ff4b2033d804917f73c549faff03fc9a17e11

SHA512
eeef50f03de4639dddb8a3bb37084ca914c86199923ddf58947daa2414dbb52c78235cae0c2bc02862dcfcbcc4bd14e6345505665f63b9a7af3564bff21a3691

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
aae8c684bb21af3613ff196d9f259e82

SHA1
5898f8901fc6edcb881b9bcebf62a3bc434c4236

SHA256
3ec0bc02ef7a76d497a7644b068ff4b2033d804917f73c549faff03fc9a17e11

SHA512
eeef50f03de4639dddb8a3bb37084ca914c86199923ddf58947daa2414dbb52c78235cae0c2bc02862dcfcbcc4bd14e6345505665f63b9a7af3564bff21a3691

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\opera.exe

Filesize
3.2MB

MD5
18b3ba2684f3877241c411f5d244b78d

SHA1
4bd4960d34749d9ae8926e85972eb442738832bc

SHA256
006c64797f36d3c1d9e7fb6db3604438eea2543b8c8eb0bd6995b270249d1516

SHA512
51f501ad2239a462d7a1c689130aec4b5ce249125c1c61d5098729f22ba823ccfbc3f841dc0467d0752111e3523ec188a5346982e5572741a90f23a6cdde780b

Download Submit
memory/984-215-0x0000000000E10000-0x000000000133B000-memory.dmp

Filesize
5.2MB

Download
memory/984-165-0x0000000000E10000-0x000000000133B000-memory.dmp

Filesize
5.2MB

Download
memory/2872-191-0x00007FF99AA10000-0x00007FF99B4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-220-0x00007FF99AA10000-0x00007FF99B4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-193-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/2872-184-0x0000000000D30000-0x0000000001070000-memory.dmp

Filesize
3.2MB

Download
memory/2984-208-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2984-219-0x000000001C720000-0x000000001C7D2000-memory.dmp

Filesize
712KB

Download
memory/2984-251-0x000000001C6E0000-0x000000001C71C000-memory.dmp

Filesize
240KB

Download
memory/2984-250-0x000000001C680000-0x000000001C692000-memory.dmp

Filesize
72KB

Download
memory/2984-218-0x000000001C610000-0x000000001C660000-memory.dmp

Filesize
320KB

Download
memory/2984-245-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2984-207-0x00007FF99AA10000-0x00007FF99B4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-227-0x00007FF99AA10000-0x00007FF99B4D1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-2248-0x00007FF99AA10000-0x00007FF99B4D1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-217-0x0000000000E10000-0x000000000133B000-memory.dmp

Filesize
5.2MB

Download
memory/4316-182-0x0000000000E10000-0x000000000133B000-memory.dmp

Filesize
5.2MB

Download
memory/5096-134-0x0000000000E30000-0x0000000001446000-memory.dmp

Filesize
6.1MB

Download
memory/5096-135-0x0000000005C90000-0x0000000005D2C000-memory.dmp

Filesize
624KB

Download
memory/5096-133-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/5096-136-0x0000000006360000-0x0000000006904000-memory.dmp

Filesize
5.6MB

Download
memory/5096-137-0x0000000005E50000-0x0000000005EE2000-memory.dmp

Filesize
584KB

Download
memory/5096-138-0x0000000005C70000-0x0000000005C80000-memory.dmp

Filesize
64KB

Download
memory/5096-187-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/5096-139-0x0000000005DB0000-0x0000000005DBA000-memory.dmp

Filesize
40KB

Download
memory/5096-140-0x0000000005FE0000-0x0000000006036000-memory.dmp

Filesize
344KB

Download
memory/5104-194-0x00000000004C0000-0x00000000009EB000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads