General Info

File name

infected.zip

Full analysis
https://app.any.run/tasks/d59f9005-1a55-41e3-893f-2e4c4057b1a5
Verdict
Malicious activity
Analysis date
2/11/2019, 11:12:30
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

adware

installcore

pup

addrop

loader

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

0176354afd84a1f7eb1653a1528c25be

SHA1

753ced9cfb88385a32f38552dd4c475b11dbd3af

SHA256

92582e3305fbdc2fb9e0f261118d47de269484d122538cb9f9e5e387aca94842

SSDEEP

49152:RAGGJoL9xgvLdRrKxZE93Ig7NXg8l2ouetiOrz/tcF:RUJU9xgzdRrKxZYv7NQ8lOehtM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • OperaSetup.exe (PID: 1416)
  • OperaSetup.exe (PID: 2892)
  • OperaSetup.exe (PID: 2680)
  • OperaSetup.exe (PID: 3384)
  • OperaSetup.exe (PID: 4016)
Application was dropped or rewritten from another process
  • OperaSetup.exe (PID: 1416)
  • OperaSetup.exe (PID: 2892)
  • JavaSetup_0896841932.exe (PID: 3748)
  • OperaSetup.exe (PID: 2680)
  • OperaSetup.exe (PID: 3384)
  • OperaSetup.exe (PID: 4016)
  • JavaSetup_0896841932.exe (PID: 2532)
Loads the Task Scheduler COM API
  • JavaSetup_0896841932.exe (PID: 3748)
Downloads executable files from the Internet
  • JavaSetup_0896841932.exe (PID: 3748)
Connects to CnC server
  • JavaSetup_0896841932.exe (PID: 3748)
INSTALLCORE was detected
  • JavaSetup_0896841932.exe (PID: 3748)
Creates a software uninstall entry
  • JavaSetup_0896841932.exe (PID: 3748)
Creates files in the user directory
  • JavaSetup_0896841932.exe (PID: 3748)
  • OperaSetup.exe (PID: 2892)
Executable content was dropped or overwritten
  • OperaSetup.exe (PID: 2680)
  • OperaSetup.exe (PID: 2892)
  • OperaSetup.exe (PID: 3384)
  • JavaSetup_0896841932.exe (PID: 3748)
  • OperaSetup.exe (PID: 4016)
  • WinRAR.exe (PID: 2996)
Application launched itself
  • OperaSetup.exe (PID: 4016)
  • JavaSetup_0896841932.exe (PID: 2532)
Starts itself from another location
  • OperaSetup.exe (PID: 4016)
Reads the date of Windows installation
  • JavaSetup_0896841932.exe (PID: 3748)
Reads CPU info
  • JavaSetup_0896841932.exe (PID: 3748)
Reads internet explorer settings
  • JavaSetup_0896841932.exe (PID: 3748)
Reads Environment values
  • JavaSetup_0896841932.exe (PID: 3748)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0003
ZipCompression:
Unknown (99)
ZipModifyDate:
2019:02:11 10:07:24
ZipCRC:
0x0b4ac002
ZipCompressedSize:
2453001
ZipUncompressedSize:
2478622
ZipFileName:
JavaSetup_0896841932.exe

Screenshots

Processes

Total processes
42
Monitored processes
8
Malicious processes
3
Suspicious processes
4

Behavior graph

+
start download and start winrar.exe javasetup_0896841932.exe no specs #INSTALLCORE javasetup_0896841932.exe operasetup.exe operasetup.exe operasetup.exe no specs operasetup.exe operasetup.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2996
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\infected.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2532
CMD
"C:\Users\admin\Desktop\JavaSetup_0896841932.exe"
Path
C:\Users\admin\Desktop\JavaSetup_0896841932.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Rosot
Description
Hefefedele Setup
Version
Modules
Image
c:\users\admin\desktop\javasetup_0896841932.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll

PID
3748
CMD
"C:\Users\admin\Desktop\JavaSetup_0896841932.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path
C:\Users\admin\Desktop\JavaSetup_0896841932.exe
Indicators
Parent process
JavaSetup_0896841932.exe
User
admin
Integrity Level
HIGH
Version:
Company
Rosot
Description
Hefefedele Setup
Version
Modules
Image
c:\users\admin\desktop\javasetup_0896841932.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sxs.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\atl.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\in65ce18fa\operasetup.exe
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
4016
CMD
"C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe" --silent --allusers=0
Path
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe
Indicators
Parent process
JavaSetup_0896841932.exe
User
admin
Integrity Level
HIGH
Version:
Company
Opera Software
Description
Opera Installer
Version
58.0.3135.53
Modules
Image
c:\users\admin\appdata\local\temp\in65ce18fa\operasetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\opera_installer_1902111013153934016.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\users\admin\appdata\local\temp\opera installer\operasetup.exe
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll

PID
2892
CMD
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=58.0.3135.53 --initial-client-data=0xd8,0xe0,0xe4,0xdc,0xe8,0x6d3ba8e0,0x6d3ba8f0,0x6d3ba8fc
Path
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe
Indicators
Parent process
OperaSetup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Opera Software
Description
Opera Installer
Version
58.0.3135.53
Modules
Image
c:\users\admin\appdata\local\temp\in65ce18fa\operasetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\opera_installer_1902111013155342892.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll

PID
1416
CMD
"C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe" --version
Path
C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe
Indicators
No indicators
Parent process
OperaSetup.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\opera installer\operasetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\opera_installer_1902111013157371416.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll

PID
3384
CMD
"C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe" --backend --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Program Files\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=1 --pintotaskbar=1 --server-tracking-data=server_tracking_data --initial-pid=4016 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\Opera Installer\opera_package_20190211101315" --session-guid=26366f84-dfa6-44f6-888e-6f2e6605b364 --server-tracking-blob="MTYzMGI0NGNmNzJhYjY5NmRlZGFjYTQ3YjVhOTRiYmQwZGU2ZTg4NDAxM2FlNTNlNjAwMzJhYjE4YzA2ZjdhZjp7ImNvdW50cnkiOiJBVCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1wYmMmdXRtX3NvdXJjZT1haXMmdXRtX2NhbXBhaWduPV9DUlRfbmMmdXRtX2lkPTl1TnBacmE0T0clMkJ6dWprYXM3NU1IYkM4T1d5bCUyQldrdnZyZzlhcnE2UDJxeXV6MXFzTG82YTdxOUt6VGw3R2dwdnNWOVB2SHJUeW5zJTJGWDQlMkI4YXh1S2VDNVAyYXh1RFZ0czd3JTJGYjd1eSUyRms0QUFBQ0RpZzFiIiwidGltZXN0YW1wIjoiMTU0OTg3OTk5NC4yOTQzIiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMTsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wOyAuTkVUNC4wQzsgLk5FVDQuMEUpIiwidXRtIjp7ImNhbXBhaWduIjoiX0NSVF9uYyIsImlkIjoiOXVOcFpyYTRPRyt6dWprYXM3NU1IYkM4T1d5bCtXa3Z2cmc5YXJxNlAycXl1ejFxc0xvNmE3cTlLelRsN0dncHZzVjlQdkhyVHlucy9YNCs4YXh1S2VDNVAyYXh1RFZ0czd3L2I3dXkvazRBQUFDRGlnMWIiLCJtZWRpdW0iOiJwYmMiLCJzb3VyY2UiOiJhaXMifSwidXVpZCI6IjIxMTQ0YTg3LTFjMTktNDgwNi04YzRlLWU2OGVkOTA4MDcwZiJ9 " --silent --wait-for-package --initial-proc-handle=D802000000000000
Path
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe
Indicators
Parent process
OperaSetup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Opera Software
Description
Opera Installer
Version
58.0.3135.53
Modules
Image
c:\users\admin\appdata\local\temp\in65ce18fa\operasetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\opera_installer_1902111013158783384.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2680
CMD
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=58.0.3135.53 --initial-client-data=0xdc,0xec,0xf0,0xe8,0xf4,0x6cdba8e0,0x6cdba8f0,0x6cdba8fc
Path
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe
Indicators
Parent process
OperaSetup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Opera Software
Description
Opera Installer
Version
58.0.3135.53
Modules
Image
c:\users\admin\appdata\local\temp\in65ce18fa\operasetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\opera_installer_1902111013160342680.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\wininet.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
1092
Read events
1000
Write events
92
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2996
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\infected.zip
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000860102000000000039000000B40200000000000001000000
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000008801030000000000160000002A0000000000000002000000
2996
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000009A0103000000000016000000640000000000000003000000
2532
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2532
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3748
JavaSetup_0896841932.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
EnableFileTracing
0
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
EnableConsoleTracing
0
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
FileTracingMask
4294901760
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
ConsoleTracingMask
4294901760
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
MaxFileSize
1048576
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASAPI32
FileDirectory
%windir%\tracing
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
EnableFileTracing
0
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
EnableConsoleTracing
0
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
FileTracingMask
4294901760
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
ConsoleTracingMask
4294901760
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
MaxFileSize
1048576
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\JavaSetup_0896841932_RASMANCS
FileDirectory
%windir%\tracing
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Name
JavaSetup_0896841932.exe
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
ID
708992537
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\ProductSetup\Uninstall\0W1T1C0T1M2Y1G1Q1P1C
uninstall
0W1T1C0T1M2Y1G1Q1P1C
3748
JavaSetup_0896841932.exe
write
HKEY_CURRENT_USER\Software\ProductSetup\Uninstall\0W1T1C0T1M2Y1G1Q1P1C
Info
cmd /c start /wait wscript "C:\Users\admin\AppData\Roaming\WarThunder\osutils.vbs" /df:"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder" /dt:"WarThunder0" /dt:"WarThunder1" /dt:"WarThunder2" /dt:"WarThunder3" /item:"C:\Users\admin\Desktop\WarThunder.lnk" /loc:"all" /path:"C:\Users\admin\AppData\Roaming\" /prod:"WarThunder" /run:"second"
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WarThunder
DisplayName
WarThunder
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WarThunder
UninstallString
cmd /c start /wait wscript "C:\Users\admin\AppData\Roaming\WarThunder\osutils.vbs" /df:"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder" /dt:"WarThunder0" /dt:"WarThunder1" /dt:"WarThunder2" /dt:"WarThunder3" /item:"C:\Users\admin\Desktop\WarThunder.lnk" /loc:"all" /path:"C:\Users\admin\AppData\Roaming\" /prod:"WarThunder" /run:"second"
3748
JavaSetup_0896841932.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WarThunder
DisplayIcon
C:\Users\admin\AppData\Roaming\WarThunder\wt.ico
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
EnableFileTracing
0
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
EnableConsoleTracing
0
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
FileTracingMask
4294901760
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
ConsoleTracingMask
4294901760
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
MaxFileSize
1048576
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASAPI32
FileDirectory
%windir%\tracing
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
EnableFileTracing
0
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
EnableConsoleTracing
0
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
FileTracingMask
4294901760
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
ConsoleTracingMask
4294901760
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
MaxFileSize
1048576
4016
OperaSetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OperaSetup_RASMANCS
FileDirectory
%windir%\tracing
4016
OperaSetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
4016
OperaSetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
4016
OperaSetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4016
OperaSetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4016
OperaSetup.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3384
OperaSetup.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last Stable Install Path
C:\Program Files\Opera\

Files activity

Executable files
6
Suspicious files
12
Text files
90
Unknown types
1

Dropped files

PID
Process
Filename
Type
2996
WinRAR.exe
C:\Users\admin\Desktop\JavaSetup_0896841932.exe
executable
MD5: 8d293b2903f23c149fbe02dad15009bc
SHA256: 5dc087db22ae1ebadcb5b65675f2132691353471cc17a6cf94102db4d0cbf75a
3384
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera_installer_1902111013158783384.dll
executable
MD5: 4f458563ccb143ff7f3bbcc57bb43067
SHA256: 9bc8a1b8429f516c7ea42743eee33ae30b8e5138867303f101b7b9e343772470
2892
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera_installer_1902111013155342892.dll
executable
MD5: 4f458563ccb143ff7f3bbcc57bb43067
SHA256: 9bc8a1b8429f516c7ea42743eee33ae30b8e5138867303f101b7b9e343772470
4016
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera_installer_1902111013153934016.dll
executable
MD5: 4f458563ccb143ff7f3bbcc57bb43067
SHA256: 9bc8a1b8429f516c7ea42743eee33ae30b8e5138867303f101b7b9e343772470
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\OperaSetup.exe
executable
MD5: 3afa8c397877dec2b32d2c755f8f14e6
SHA256: 0c469735947d8b4c29a4681413e0c4c0e028c7ba0e4883d3e6f6cdfc846bb48d
2680
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera_installer_1902111013160342680.dll
executable
MD5: 4f458563ccb143ff7f3bbcc57bb43067
SHA256: 9bc8a1b8429f516c7ea42743eee33ae30b8e5138867303f101b7b9e343772470
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\72DD5D8A_stp.dat.part
binary
MD5: 85cd1882ee5378317e0fc3cb996f3460
SHA256: 0328f8b4480fd2b8fa406bff563f8f17e329b5fff7761f4c74f7de0680757e0d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\72DD5D8A_stp.dat.tmp
––
MD5:  ––
SHA256:  ––
3384
OperaSetup.exe
C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
binary
MD5: 054412e09813120d172a4c19a6073de0
SHA256: b67990ec0c569d6881df279cc921515c4aa7408e195f1cbd43456b73714e2c21
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Roaming\WarThunder\osutils.vbs
text
MD5: a3fc9218aabeae331e10195f1565fc7c
SHA256: 624281ec5dadce93ea9650c5d8cbca236c04d8848b663978bdaea06d22574614
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Roaming\WarThunder\wt.ico
image
MD5: e86cbbab2c5c172ff46db67011e79913
SHA256: 32cb0dbf88128039d2775600f7ca194943c2e1548e091d5447822679fe13529f
1416
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera_installer_1902111013157371416.dll
––
MD5:  ––
SHA256:  ––
4016
OperaSetup.exe
C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe
––
MD5:  ––
SHA256:  ––
4016
OperaSetup.exe
C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
binary
MD5: 054412e09813120d172a4c19a6073de0
SHA256: b67990ec0c569d6881df279cc921515c4aa7408e195f1cbd43456b73714e2c21
2892
OperaSetup.exe
C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
binary
MD5: 054412e09813120d172a4c19a6073de0
SHA256: b67990ec0c569d6881df279cc921515c4aa7408e195f1cbd43456b73714e2c21
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp\body.png
image
MD5: cadeb29c432f44a7425e2ee096beed28
SHA256: 7524fd59af11f4b3fb691aae9027349823faa9544dbf46f671a41ce28bf6d62c
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp\wt.ico
image
MD5: e86cbbab2c5c172ff46db67011e79913
SHA256: 32cb0dbf88128039d2775600f7ca194943c2e1548e091d5447822679fe13529f
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp\logo.png
image
MD5: 7678c0851836cdb094fe7240a275bc67
SHA256: f517432929eef95588d29d4d7051985e0ade5b2489478fd8a39cc5ea386cdec6
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\72DD5D8A_stp\run.vbs
text
MD5: 955baa3656581c015669ecfc2ec0be1c
SHA256: e200fea6dc4155445445fb36e48a1956cc2999c126d90e5fdaac9711164cb7ba
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\72DD5D8A_stp\osutils.vbs
text
MD5: a3fc9218aabeae331e10195f1565fc7c
SHA256: 624281ec5dadce93ea9650c5d8cbca236c04d8848b663978bdaea06d22574614
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp.dat.part
binary
MD5: b50181429d76f820e92b3c4514af9dbd
SHA256: d54a70624642d2e2169c84eab44f57ea98770ff6dd9f1e9d1483204c668f2c7d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp.dat
binary
MD5: 12987335419ccac096766047e1f4a9cd
SHA256: 5d09fb5731ef1d78185221afdfc827f55b700eab436fde60f78f549b8d1606b3
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\3F7E17E2_stp.dat.tmp
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\72DD5D8A_stp.dat
binary
MD5: ac905fcf33e18cbbb37dc4a6ece849c2
SHA256: 168656b0a807e5fa2c016d637c0c02d83753919ac5a8f493895e9dddce1a916c
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\7B84BE11_stp.dat.tmp
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\7B84BE11_stp.exe
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\7B84BE11_stp.dat
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\in65CE18FA\7B84BE11_stp.dat.part
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\b2_win_clean[1].png
image
MD5: c3abf64e98119c18c15f0cd68fd4ea06
SHA256: 540e6856bf7485eb209966f0c11d92e6bb6747f2924861cfe7d22f5545907c13
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\icon3[1].png
image
MD5: 4ff19890aeb97c685a46820eae3bff58
SHA256: 69f3e7034b3396dcf072c361a24e3476ea4d35e36ab5905e58d0e8b6c291fe65
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\BG[1].jpg
image
MD5: d4337f9e3cdbb54bd455a9b749954a87
SHA256: 073418db2d5a8fdfc8e29d1ad19090d58064322c3b088757cb2fae616054ea6d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\icon2[1].png
image
MD5: beead83fb83e1f91904352dab6508338
SHA256: 59e22060f7d08432f02828f9fc86f0d72192bc3611a1bb5f6537ffec2cedfde4
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\icon1[1].png
image
MD5: a4d65a1fd06d6db37b726b71ba575121
SHA256: 633b6332755a485cbd36c29cf0514607f67b1b20d6411ea815a75ce3907e4529
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\java_32[1].png
image
MD5: 09aa76cfae1d7dbee60c06591eb3cfd6
SHA256: 6cde950bb1e6de06aacede0312797d90535ae6a58271af30c85b4e26ff2c356b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\bootstrap_28208.html
html
MD5: 1ea9e5b417811379e874ad4870d5c51a
SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\0024BA09.log
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\PL.locale
html
MD5: 046b1fc0aa9cd9abef9a8d1ee29fb927
SHA256: a2d2ce2cc729376b315da94473302626454958d9735e2a7ae31a05f0071a254d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\ZH.locale
html
MD5: cc082b45534269d826bff6176baa2e75
SHA256: 8b1a08d8ab3866589e0b24e4a4f8956b1fb449a6aae95ee989df384bf456b639
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\SV.locale
html
MD5: 9da3638f03477853dc45a1ed920f44b3
SHA256: 93468bd86f252512332c74596df279407dc51d09a0daa55e8afd72feda22ebe1
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\TR.locale
html
MD5: 10a28c21aed1c8dd29a013c8c27f6c0e
SHA256: 08efa70c2d2c46698d04b329948249ec5e6d0234d679ac439e2927136166e113
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\PT.locale
html
MD5: b981d53cd7fda7c41409500bb3f782ce
SHA256: 72e2c4327ea77db2a503f3193193846c31815253ab62d00883df938a15624836
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\RU.locale
html
MD5: c367d0f485e99911c403656d7d89437f
SHA256: e655dcabffa39a404a721d8181b095bd0f6df1e711bdaa0e0712dbadc9e6f5a6
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\JA.locale
html
MD5: da66d8cb0406515d68846b90397fe7d9
SHA256: fd88848532d1d82dd36892d091f60426c7d87921d28e1d6bf940b003798037f2
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\ES.locale
html
MD5: c5020e8da151ed4d2bf7234370613c92
SHA256: 3c6c5540c57c716445dda988e9567a0eceab1f5111e0b90edae680fd91246770
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\NO.locale
html
MD5: 5a7f277e5750166366eeccaf79b37aac
SHA256: e39fe08db2b9df6ebfe863b5908f4c9c5e9b1044fc4a21f5d37f956a204aab51
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\IT.locale
html
MD5: 5ee6c31d2acb63cc5fe5fc8026efd6a6
SHA256: ebbbe2ba2a537e07317ac5f670495cc97c392cd50ae8b2e5d3d2ef1cd8d33fe6
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\FR.locale
html
MD5: 8bc8348ceea88adacc5ef9594f6245d3
SHA256: 7f5f2df1aa5fd9da7329b488a0cce96ded2c10f181b05b99b18cd60f28e8bb2d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\FI.locale
html
MD5: 011c30464b91de448fd96bdcaec97139
SHA256: 1bfd38b32f7a2cce8fe180b17e225c700cc5f43e6be813f22c66770a5dab89ab
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\KO.locale
html
MD5: 13fdaddb090f4dff626c41dba73c2935
SHA256: efe7af25cdd1d07c764319610d6aef32e08ee458a7e3d94d5b0ef77c4bfb6921
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\ID.locale
html
MD5: 1e20905a5aeb7d2af2597add7e7a1270
SHA256: cf8b5829030b285ca9778adfcd8dc0c0319a6d32162c925aea47103a578f97cd
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\NL.locale
html
MD5: ff17696c7b8021fe881e80ebe1ef7d77
SHA256: 3a3091657a5a2fcba60f281e315fc169075a2f288b0342a5ceeb1f2ef49ddde3
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\CS.locale
html
MD5: a0599d7170ef86fb710c32cdb7459ee3
SHA256: ae5e3ea6e7546e8fcf0aef49224ab3608ff1bf51d4baa31ee61b169be3149501
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\libs\localAssests\icc\icc_v5_8.cis
binary
MD5: d3275dae3b2da9508907b2e97cd72712
SHA256: 9ae11521ced6ba7905386fbbc151c039eb056140d57413103ec0d164e94b9d03
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\EL.locale
html
MD5: 8ade8795c1f0769113831a9ade24e0b2
SHA256: 839d4ecb95f0c873f35daacb463a020126d1ba8d44a40eec6126f8559e014810
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\DE.locale
html
MD5: eea99c8ecda0251b8c190d28ed51ffb9
SHA256: 7a5c1b112bd180aa0af4cf3d0f659aa7927bb8a6ec8931d3c4f7ef009a403083
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\libs\localAssests\icut\icut_v2_2.cis
binary
MD5: 6eea368901ea5a93df886508c3fdfb6d
SHA256: 6e7d76f573135648243b15da732272e8e6f0c8948834ec88ac9f9f13045cae8e
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\EN.locale
html
MD5: 4fadb787fa8b32325c6bde64e2e43afd
SHA256: df40df458685e92f2b046a02a0c9c8aa73d96f7757a462ead21e7004701f3fdc
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\locale\DA.locale
html
MD5: 928fbf73a7dbfab58c1e188842206a89
SHA256: 504435f9e40e0ad123f367759a1ab5bf9b64c1605605e55d9db706a7a0091ff0
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Quick_Specs.png
image
MD5: 07cd59b954e8495ad6cd6a7c11d2de86
SHA256: 6e6b964fd79b4a3461f128e2ed145b9b641d108b8616695f36387661cae995bb
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Regular_Button_Right.png
image
MD5: 670bbcd28971e2d04c45a9f4c16328ff
SHA256: 28b34975ec9894642087286569a9d95091ba7e0100cbf1114ad2b12eeef19b5e
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Resume_Button.png
image
MD5: 9d31583bcfad58a6b9ddeaf44549a5e6
SHA256: e466a2db2f755d9eb68619439af37ff4e45559b7a3f476e226ab2a11aeadae1a
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Progress.png
image
MD5: 04b45069bc9843d14e9f9caa644aae1a
SHA256: 5654476149b7a84dd4d08046d35180567b01e8d87e270d96b12ed40649ec8736
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Pause_Button.png
image
MD5: 84b37cb510f50c8fea812eb308d3f03f
SHA256: 7bf800336671204de36b7d1f6ceffdff830040f51d21bc44f220f68d72cf492b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\ProgressBar.png
image
MD5: 48fa7919b2d348dd9ce343c9ab22b299
SHA256: d52573953ec429e4f9c6ba6567d2b0d0832925b63c8517210f3ab9b380a11bbc
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Regular_Button_Left.png
image
MD5: bf86b34a94c6839ee091d0d804172ec8
SHA256: 02b3aa2605e4d4acc915dd0e17db3cdfe6bb2295858c64bb2c40cff76041abd7
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Regular_Button_Middle.png
image
MD5: 10e5234fb776f556b51ee63ab0d77791
SHA256: a9b3eb314462cc9c794902da437b7841064d0d55dbb55ad3d4aaa89bf08f139b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\sponsored.png
image
MD5: e3758d529f93fee4807f5ea95fbc1a6c
SHA256: 8d46eb0c60043dcb7d79ab3d0525148fc901764620c02e4b9c5dd8b0e9026303
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Loader.gif
image
MD5: afc685139a108e33bd945d5a3ff64122
SHA256: 4d70f45a9c69d8ce2e630214c1b2871454d631ccf9d88976470170d0e106acbc
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Grey_Button.png
image
MD5: 3e21c454ad120482f2099ce4c44982ec
SHA256: 1ba3bcb175afb99570cb331f8dc88306c7fe14a424a7311e8ccbca5285d51079
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Color_Button.png
image
MD5: 3e21c454ad120482f2099ce4c44982ec
SHA256: 1ba3bcb175afb99570cb331f8dc88306c7fe14a424a7311e8ccbca5285d51079
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Color_Button_Hover.png
image
MD5: 198593ed7fda78677ebcf6e2576b4bdd
SHA256: 2ce222b53057f8489cf72b71f24fc2fc0f8743569119bf8e57acb1a0595c988c
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Dots.png
image
MD5: 2e5b2a15d1a3956dee90907c01f33045
SHA256: 030b83b07692fd72ad414780dcc5d1374dfefcd9223a720f7e5c8f51eccf802a
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Icon_Generic.png
image
MD5: a35aeb077ffa7ffb4382c639743d29cc
SHA256: dccfb478e6097086d886b5a01d120bf511b381982b0975e0c65eab3846e4234d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Grey_Button_Hover.png
image
MD5: 198593ed7fda78677ebcf6e2576b4bdd
SHA256: 2ce222b53057f8489cf72b71f24fc2fc0f8743569119bf8e57acb1a0595c988c
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Finish_Check.png
image
MD5: ad5d4e4130a63adb186504f4639fbde9
SHA256: eae44a71cc09c4657b1071e8a78a62fe30a84e520fd46a59df72a728da05bb59
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\images\progress-bg2.png
image
MD5: b582d9a67bfe77d523ba825fd0b9dae3
SHA256: ab4eeb3ea1eef4e84cb61eccb0ba0998b32108d70b3902df3619f4d9393f74c3
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Blue_Button_Right.png
image
MD5: e9acea4d13b5cfeb7cb81f3cd6ce60d0
SHA256: 4309899661ae4c7c313f531b387ce7ff0844a9c7a1509446dfcf0ae64752f681
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\BG.png
image
MD5: 43fa697a120df14a695bb41a12d0ece8
SHA256: 95ed32d9182b61655760a862f863484b2b7801c3df1faa7ac8d2d432609aae51
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Close.png
image
MD5: c222a4f3d309721c0898606960120266
SHA256: f638cc042b7ade6f43f2faf0077e020137562e559178396b7e975db39ac13df6
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\images\progress-bg.png
image
MD5: e9f12f92a9eeb8ebe911080721446687
SHA256: c1cf449536bc2778e27348e45f0f53d04c284109199fb7a9af7a61016b91f8bc
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Blue_Button_Left.png
image
MD5: a5b6fc528cafff63429c92590557f4e5
SHA256: 59c6d6acb82424d7495c79cbc0dd3feda28616857a8bd8ba1212a6d0169b5766
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\images\progress-bg-corner.png
image
MD5: 608f1f20cd6ca9936eaa7e8c14f366be
SHA256: 86b6e6826bcde2955d64d4600a4e01693522c1fddf156ce31c4ba45b3653a7bd
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Close_Hover.png
image
MD5: f5bdb3cabdc15580d97fa94aa3397c08
SHA256: b28db98f2a6b06b6783b8fca6aabdcb89234d5bd4306fa71711988dba1fc71ea
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\images\Blue_Button_Middle.png
image
MD5: d27bd30b9c4858b41df31d950f84366a
SHA256: f70751acc483291dca2336921f995a9e518592b40094f0d29397ac9445751b80
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\_checkbox.scss
text
MD5: 64773c6b0e3413c81aebc46cce8c9318
SHA256: b09504c1bf0486d3ec46500592b178a3a6c39284672af8815c3687cc3d29560d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\images\button-bg.png
image
MD5: 98b1de48dfa64dc2aa1e52facfbee3b0
SHA256: 2693930c474fe640e2fe8d6ef98abe2ecd303d2392c3d8b2e006e8942ba8f534
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_z-index.scss
text
MD5: 76a55c9ab774e449c10487624ac3f45e
SHA256: 176c81a57205a8496a0a472bdead1de1350beb5fc03ea339703c65d2a29a0b93
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\_progress-bar.scss
text
MD5: 0dce8b2d152948a7c134bfb98cb09522
SHA256: 2d92f324b5e52b412057b5a7cc428665ee5205d07022c681e99b631d20a5137e
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\_button.scss
text
MD5: cfe3a6bdd0517296eb8217d40a7acb4f
SHA256: 2ee3a84389a7073946f77e3a5c3780caa17e1656e65a953dc0d8b91b89209060
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\sdk-ui\_browse.scss
text
MD5: 6009d6e864f60aea980a9df94c1f7e1c
SHA256: 5ef48a8c8c3771b4f233314d50dd3b5afdcd99dd4b74a9745c8fe7b22207056d
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_width-height.scss
text
MD5: dd8af246e3a767aeb684a8272fc7c2c9
SHA256: 86d060bfd279cf4e9cbbaa9a3f444da99339f247af0c9d9e85b109a31474bdd9
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_float.scss
text
MD5: bc5eb91b59a99e0fc439e02f80319975
SHA256: eaf9d36e3e75177e64090ac71c6fcf9bb6465cd21f5c0a5ccb05666033609da8
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_display.scss
text
MD5: 7fc18252c6212f1ebb349b5f7f429217
SHA256: 1b1f774d3b163c1ba9c86cad87d4b594fba588a364132121f8a234f149816429
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_visibility.scss
text
MD5: 02061aea75eac76fff1d2a8e9607d64c
SHA256: f32292cf3212f83814c985aa82f0f8a0e8dada0aee81cd7401aa3aac08e45bc0
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_lists.scss
text
MD5: bda575f11636073d71b86b89c94c6e42
SHA256: b15b8db0368e31991fbe43c121409484562e20fb9599b5b3828e3093217de163
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_positions.scss
text
MD5: d70ee316e26374f839174916490e937e
SHA256: 3affbaeb6f57451faf94ca9cbcab2504ef75df0e8570aa7be99dd52c9cecb8e7
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_typography.scss
text
MD5: 0d6e99087615172921e0383b0bce87d2
SHA256: a94bd2fb6595faea527116d8d8ee090ff74e89216ef3c9260f5f0b5bfa330e0e
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_margin.scss
text
MD5: e83d43d06045e990e910e494aebae8ae
SHA256: 15484f9e0794f7526e5671615bcdbb436dc7f53012387821d2163ce59fa5e84b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_padding.scss
text
MD5: 839ce4bba9e717524487b58757ea63da
SHA256: 54c64f48133908b48ed7c739a95b9edca865b3a89bdaa34d29973652c3648ede
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_clearfix.scss
text
MD5: add166bc071472dc105f4734d2dcf0e2
SHA256: 75ebe8b4a4cbbac0eb4de35b60972452b4526c56eefb5186dd40a92c70773377
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_colors.scss
text
MD5: 2da278fbb61e370e0cc9f548e8154e1c
SHA256: 857a73fc1da7cf54525048aa60ec9e2f07328ee1d718a66e3b17186170bb5b5b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\_helpers.scss
text
MD5: 5f158dbbd9fc4594a2f6c13854501916
SHA256: bf12b79f67f1cb9988797f7d81f6f504c8dfe0f0435482e64819a140dbc8da14
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\_functions.scss
text
MD5: 8f7259de64f6ddf352bf461f44d34a81
SHA256: 80edc9d67172bc830d68d33f4547735fb072cadf3ef25aab37a10b50db87a069
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_align.scss
text
MD5: bbbbd243f9525acc7dc6077010627409
SHA256: 1f11b5f53e0aa7da1a1559a1a5cdd52bf03119ea74e5091462461c550e9288db
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_backgrounds.scss
text
MD5: 6092a3768f84cfbc6e5c52301f5b63ea
SHA256: 8a22a3285f3c7d82aa1a4273bdd62729da241723507c1ecd5d2fd0a24c12e23b
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\main.scss
text
MD5: 809ff7028b1952fdaede53e407a7df93
SHA256: de6c3dd2be22340b3e95e14ae7ff6611cfacd7b9a7b134f536254c48fd3c5df6
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_border.scss
text
MD5: 681fb7eb197e8e7ebd89f828d1181fd6
SHA256: 51e8afa69ed6d92eb82f71939b0b8fd34ef23faecee457698238e5a4f28df984
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\helpers\_border-radius.scss
text
MD5: 6bdf3fd89410e39d33f8137e04ad4a16
SHA256: 2c6b98cb19c3e3a0e37472767c53df213243ae92bc80ef9a7f5baa17f7b6fa31
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\swAgent.css
text
MD5: 2543e3af757c7d7c8a26c7cf57795f60
SHA256: c38892a06c8f50c6386ed794af4f1ea3e1897ad5f0c7e19594d9ea7b20cfb3f1
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\_variables.scss
text
MD5: 07922410c30f0117cbc3c140f14aea88
SHA256: af1999b49c03f5dcbb19466466fac2d8172c684c0ff18931b85a8d0a06332c73
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\main.css
text
MD5: 2dba8638120788c9e3af6d447181b2f1
SHA256: 8089c6915b14118c19498cbce306220cf009eafffadb6818fa130dfe6128f8a8
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\form.bmp.Mask
binary
MD5: d2fc989f9c2043cd32332ec0fad69c70
SHA256: 27dd029405cbfb0c3bf8bac517be5db9aa83e981b1dc2bd5c5d6c549fa514101
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\ie6_main.scss
text
MD5: d10348d17adf8a90670696728f54562d
SHA256: e8a3d15cf32009b01b9145b6e62ff6caa9c2981f81ce063578c73c7adff08dfc
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\csshover3.htc
html
MD5: 52fa0da50bf4b27ee625c80d36c67941
SHA256: e37e99ddfc73ac7ba774e23736b2ef429d9a0cb8c906453c75b14c029bdd5493
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\inH24065465801\css\ie6_main.css
text
MD5: ad234e6a62580f62019c78b2a718de00
SHA256: c4f2684f16c8e4553cc29c604a2f505399039638a34e652a7a1acdeb157a0861
3748
JavaSetup_0896841932.exe
C:\Users\admin\AppData\Local\Temp\0024B892.log
––
MD5:  ––
SHA256:  ––
3748
JavaSetup_0896841932.exe
C:\Users\admin\Desktop\WarThunder.lnk
lnk
MD5: 89db559b8befbb89ddac1b1ed1e9ca2a
SHA256: e0ecf16ad78fe1d6c4304c257aec9a1aab74269baf1509e1dcb212784d484512

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
25
TCP/UDP connections
17
DNS requests
10
Threats
9

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe POST 200 52.212.157.66:80 http://cloud.tepat-teku.com/?xoh=0 IE
binary
text
malicious
3748 JavaSetup_0896841932.exe GET 200 46.166.187.59:80 http://cdn.tepat-teku.com/app/softjug/java_32.png NL
image
suspicious
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe POST 200 52.214.236.246:80 http://server.tepat-teku.com/ IE
binary
binary
malicious
3748 JavaSetup_0896841932.exe GET 200 185.59.222.146:80 http://img.tepat-teku.com/img/Nuhududanew/BG.jpg NL
image
suspicious
3748 JavaSetup_0896841932.exe GET 200 185.59.222.146:80 http://img.tepat-teku.com/img/Rowabobeso/icon1.png NL
image
suspicious
3748 JavaSetup_0896841932.exe GET 200 185.59.222.146:80 http://img.tepat-teku.com/img/Rowabobeso/icon2.png NL
image
suspicious
3748 JavaSetup_0896841932.exe GET 200 185.59.222.146:80 http://img.tepat-teku.com/img/Rowabobeso/icon3.png NL
image
suspicious
3748 JavaSetup_0896841932.exe GET 200 185.59.222.146:80 http://img.tepat-teku.com/img/Rowabobeso/b2_win_clean.png NL
image
suspicious
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe HEAD 200 46.166.187.59:80 http://cdn.tepat-teku.com/ofr/Nuhududanew/Nuhududanew_09Jan17.cis NL
image
suspicious
3748 JavaSetup_0896841932.exe HEAD 200 199.201.110.78:80 http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe US
––
––
malicious
3748 JavaSetup_0896841932.exe HEAD 200 185.26.182.112:80 http://net.geo.opera.com/opera/stable?utm_medium=pbc&utm_source=ais&utm_campaign=_CRT_nc&utm_id=9uNpZra4OG%2Bzujkas75MHbC8OWyl%2BWkvvrg9arq6P2qyuz1qsLo6a7q9KzTl7GgpvsV9PvHrTyns%2FX4%2B8axuKeC5P2axuDVts7w%2Fb7uy%2Fk4AAACDig1b unknown
––
––
whitelisted
3748 JavaSetup_0896841932.exe GET 200 192.96.201.162:80 http://remote.tepat-teku.com/ofr/Nuhududanew/Nuhududanew_09Jan17.cis US
binary
suspicious
3748 JavaSetup_0896841932.exe GET 200 185.26.182.112:80 http://net.geo.opera.com/opera/stable?utm_medium=pbc&utm_source=ais&utm_campaign=_CRT_nc&utm_id=9uNpZra4OG%2Bzujkas75MHbC8OWyl%2BWkvvrg9arq6P2qyuz1qsLo6a7q9KzTl7GgpvsV9PvHrTyns%2FX4%2B8axuKeC5P2axuDVts7w%2Fb7uy%2Fk4AAACDig1b unknown
executable
whitelisted
3748 JavaSetup_0896841932.exe GET –– 199.201.110.78:80 http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe US
––
––
malicious
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe GET –– 199.201.110.78:80 http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe US
––
––
malicious
3748 JavaSetup_0896841932.exe HEAD 200 46.166.187.59:80 http://cdn.tepat-teku.com/ofr/Solululadul/osutils.cis NL
––
––
suspicious
3748 JavaSetup_0896841932.exe GET 200 192.96.201.162:80 http://remote.tepat-teku.com/ofr/Solululadul/osutils.cis US
binary
suspicious
3748 JavaSetup_0896841932.exe POST 200 52.214.73.247:80 http://www2.tepat-teku.com/ IE
binary
––
––
malicious
3748 JavaSetup_0896841932.exe GET –– 199.201.110.78:80 http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe US
––
––
malicious
3748 JavaSetup_0896841932.exe GET –– 199.201.110.78:80 http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe US
––
––
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3748 JavaSetup_0896841932.exe 52.214.73.247:80 Amazon.com, Inc. IE malicious
3748 JavaSetup_0896841932.exe 52.212.157.66:80 Amazon.com, Inc. IE malicious
3748 JavaSetup_0896841932.exe 46.166.187.59:80 NForce Entertainment B.V. NL malicious
3748 JavaSetup_0896841932.exe 52.214.236.246:80 Amazon.com, Inc. IE malicious
3748 JavaSetup_0896841932.exe 185.59.222.146:80 Datacamp Limited NL malicious
3748 JavaSetup_0896841932.exe 199.201.110.78:80 Namecheap, Inc. US suspicious
3748 JavaSetup_0896841932.exe 185.26.182.112:80 Opera Software AS –– suspicious
3748 JavaSetup_0896841932.exe 192.96.201.162:80 Leaseweb USA, Inc. US suspicious
4016 OperaSetup.exe 185.26.182.95:443 Opera Software AS –– unknown
4016 OperaSetup.exe 82.145.217.121:443 Opera Software AS –– unknown

DNS requests

Domain IP Reputation
www2.tepat-teku.com 52.214.73.247
54.194.149.175
malicious
cloud.tepat-teku.com 52.212.157.66
52.209.116.64
34.251.155.7
malicious
cdn.tepat-teku.com 46.166.187.59
suspicious
server.tepat-teku.com 52.214.236.246
52.31.245.195
52.31.54.204
malicious
img.tepat-teku.com 185.59.222.146
suspicious
cdnus.laboratoryconecpttoday.com 199.201.110.78
malicious
net.geo.opera.com 185.26.182.112
185.26.182.111
whitelisted
remote.tepat-teku.com 192.96.201.162
suspicious
autoupdate.geo.opera.com 185.26.182.95
185.26.182.105
whitelisted
desktop-netinstaller-sub.osp.opera.software 82.145.217.121
whitelisted

Threats

PID Process Class Message
3748 JavaSetup_0896841932.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3748 JavaSetup_0896841932.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3748 JavaSetup_0896841932.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3748 JavaSetup_0896841932.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3748 JavaSetup_0896841932.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3748 JavaSetup_0896841932.exe Misc activity ET INFO EXE - Served Attached HTTP
3748 JavaSetup_0896841932.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP

2 ETPRO signatures available at the full report

Debug output strings

No debug info.