General Info

File name

amsi.exe

Full analysis
https://app.any.run/tasks/9a520342-8348-40c4-9d89-fc070ea56845
Verdict
Malicious activity
Analysis date
6/12/2019, 00:33:35
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

40c06c854e8d7f93d1e174fdc7abf8bc

SHA1

d45b97e06ffdff3068f43f7695f3eaae439b27a4

SHA256

ac2b263a850b69c01b2dfc8544b5196d3fc947f5e96d389a341ddc6cee4e077e

SSDEEP

3072:8kiTRuLfL4RsuqUXNWOCWih8pnkNPR++ExeAK2oTgtcn0uxF5Rgex6MBRh/Do2k:HiTRuLgTNZ7u92Ogt4dx3dxpnhQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads the Task Scheduler COM API
  • mmc.exe (PID: 1520)
  • svchost.exe (PID: 2392)
Application was dropped or rewritten from another process
  • wwjaykqgbjn.exe (PID: 2280)
  • wwjaykqgbjn.exe (PID: 1496)
Uses SVCHOST.EXE for hidden code execution
  • amsi.exe (PID: 3436)
  • wwjaykqgbjn.exe (PID: 2280)
Application launched itself
  • amsi.exe (PID: 3376)
  • wwjaykqgbjn.exe (PID: 1496)
Executable content was dropped or overwritten
  • svchost.exe (PID: 2392)
Executed via Task Scheduler
  • wwjaykqgbjn.exe (PID: 1496)
Creates files in the program directory
  • svchost.exe (PID: 2392)
Creates files in the user directory
  • opera.exe (PID: 3972)
Manual execution by user
  • opera.exe (PID: 3972)
  • mmc.exe (PID: 2576)
  • mmc.exe (PID: 1520)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:01:17 14:52:52+01:00
PEType:
PE32
LinkerVersion:
12
CodeSize:
83456
InitializedDataSize:
245248
UninitializedDataSize:
null
EntryPoint:
0x71c9
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
17-Jan-2018 13:52:52
Debug artifacts
C:\bije.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
17-Jan-2018 13:52:52
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x0003E000 0x0000D3AC 0x0000C600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.99381
.rdata 0x00016000 0x0000747C 0x00007600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.74176
.data 0x0001E000 0x0001F120 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.59959
.rsrc 0x0004C000 0x00007898 0x00007A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.14073
.reloc 0x00054000 0x00001434 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.33793
Resources
1, 2, 3, 4, 5, 6, 7, 8, 22, 23, 24, 116, 754

Imports
    KERNEL32.dll

    ADVAPI32.dll

Exports

    No exports.

Processes

Total processes
43
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

start amsi.exe no specs amsi.exe no specs svchost.exe mmc.exe no specs mmc.exe wwjaykqgbjn.exe no specs wwjaykqgbjn.exe no specs svchost.exe no specs opera.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3376
CMD
"C:\Users\admin\AppData\Local\Temp\amsi.exe"
Path
C:\Users\admin\AppData\Local\Temp\amsi.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\amsi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll

PID
3436
CMD
"C:\Users\admin\AppData\Local\Temp\amsi.exe" -q=2416788192
Path
C:\Users\admin\AppData\Local\Temp\amsi.exe
Indicators
No indicators
Parent process
amsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\amsi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll

PID
2392
CMD
C:\Windows\system32\svchost.exe
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
amsi.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
2576
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll

PID
1520
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mmcbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\duser.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\version.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\apphelp.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\sxs.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mmcex\6d4bacfd54e8f79763945bee5a50711d\mmcex.ni.dll
c:\windows\assembly\gac_msil\mmcfxcommon\3.0.0.0__31bf3856ad364e35\mmcfxcommon.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mmcfxcommon\18e41c018ceff36c2512d12f570f0be7\mmcfxcommon.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.managemen#\630257a0b042768c2e3104a36559c1a9\microsoft.managementconsole.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\taskscheduler\99797e9500ed7bfa6b06063e7f017313\taskscheduler.ni.dll
c:\windows\assembly\gac_msil\miguicontrols\1.0.0.0__31bf3856ad364e35\miguicontrols.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\miguicontrols\569e273efda8306ec7e22143d5285476\miguicontrols.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\bf7e7494e75e32979c7824a07570a8a9\custommarshalers.ni.dll
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\riched20.dll

PID
1496
CMD
C:\ProgramData\{C654A916-CA16-4424-BE78-3EE7C63190B2}\{4654A917-CA17-4424-BE79-3EE7CA3190B2}\wwjaykqgbjn.exe
Path
C:\ProgramData\{C654A916-CA16-4424-BE78-3EE7C63190B2}\{4654A917-CA17-4424-BE79-3EE7CA3190B2}\wwjaykqgbjn.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\programdata\{c654a916-ca16-4424-be78-3ee7c63190b2}\{4654a917-ca17-4424-be79-3ee7ca3190b2}\wwjaykqgbjn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll

PID
2280
CMD
C:\ProgramData\{C654A916-CA16-4424-BE78-3EE7C63190B2}\{4654A917-CA17-4424-BE79-3EE7CA3190B2}\wwjaykqgbjn.exe -q=2416793153
Path
C:\ProgramData\{C654A916-CA16-4424-BE78-3EE7C63190B2}\{4654A917-CA17-4424-BE79-3EE7CA3190B2}\wwjaykqgbjn.exe
Indicators
No indicators
Parent process
wwjaykqgbjn.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\programdata\{c654a916-ca16-4424-be78-3ee7c63190b2}\{4654a917-ca17-4424-be79-3ee7ca3190b2}\wwjaykqgbjn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll

PID
536
CMD
C:\Windows\system32\svchost.exe
Path
C:\Windows\system32\svchost.exe
Indicators
No indicators
Parent process
wwjaykqgbjn.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\advapi32.dll

PID
3972
CMD
"C:\Program Files\Opera\opera.exe"
Path
C:\Program Files\Opera\opera.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.33.23\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\userenv.dll

Registry activity

Total events
268
Read events
208
Write events
60
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1520
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
HelpTopic
C:\Windows\Help\taskscheduler.chm
1520
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
LinkedHelpTopics
C:\Windows\Help\taskscheduler.chm
3972
opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\opera.exe
3972
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US

Files activity

Executable files
1
Suspicious files
44
Text files
65
Unknown types
23

Dropped files

PID
Process
Filename
Type
2392
svchost.exe
C:\ProgramData\{C654A916-CA16-4424-BE78-3EE7C63190B2}\{4654A917-CA17-4424-BE79-3EE7CA3190B2}\wwjaykqgbjn.exe
executable
MD5: 0cc1f6d39b87d45e4041ffa75e760fc0
SHA256: 6708af60d0c50282409d6a30c05542e3fc4d7f5931145eb2f1a36b0d3de16e5e
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000I.tmp
woff
MD5: 3ccbd41bfd4962b57199a8fcfbcbde66
SHA256: 0634f735018d63980fb935914bd910ebd51ed5ed0a03c8811607aca0c2e7c532
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001S.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001W.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001T.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001O.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001R.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001P.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001Q.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001N.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001M.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001L.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001J.tmp
image
MD5: d86d51b271309e77e67df6a51ae2957a
SHA256: 862d1f885fc6eb4b8467d8b8ebbac50ad0dfb908fd04f4d31a50695a1146eeb9
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001K.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00011.tmp
image
MD5: 587963103b9658e08d7e1d7ae272b598
SHA256: ecf5ee49e4b2b54fa23f63eec4795df6df1dd1e6a298b8b8bbf943f7f24ae2c5
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000Y.tmp
image
MD5: 19ba2c83bf1850c297d69a0536f21790
SHA256: 86dedf27263493deebc9d6d917ed042f2d6be7ad029fc280654a8264f2d8c321
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000W.tmp
image
MD5: 161abe11bd3004605065150793fad34d
SHA256: cc8694b29526846d5d5103ef18e5578bb4b709a32a915c4ac188dbafc9cb12e4
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00010.tmp
image
MD5: 35c3f9a70352e85feb40f395b23335af
SHA256: 90c8c7cc589684a499a0e181f80f6b644a16987e408e7217ae92f4d8cf4d1c23
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000X.tmp
image
MD5: 011e821aee2f3df26a99353ed27a9259
SHA256: 87ee30abae77b9dcc935c0fde218081ca8eb4c04bbb4f15311366cfb8c9b959b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001I.tmp
image
MD5: 707dee71df0f769200bc56d15dc5921e
SHA256: d12ae1bccc4d7dbe0d9f9c1219f850d612239fb2b635b3c4aa830569b2a547b6
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001I.tmp
image
MD5: 3c6dc0e234d6b5e1b7101976b4036819
SHA256: 61215eb642d5b517eff67801b4cd9ca0b22c19d164fc6f4ee9db523a6939423f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001F.tmp
image
MD5: b6d65fcfe1a4f76029d3b30ff637da2f
SHA256: b84a8f80923065dc84ea384d5309022495c8dbde9f5f2a02c10949eeab730eb0
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001H.tmp
image
MD5: 8c60707421ffe0984be65112b193ea20
SHA256: a28f610e1b68ca13f3ccb112966d653443f17ed7b3fca144d944e27a5d5f6525
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001E.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001G.tmp
image
MD5: 96bac5a3b84af9d4ba09f3e558c49707
SHA256: 603fddf0c8f77b7c92cc697eaae4978ebef591a292f310cb5f305addb8ebb87b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001B.tmp
image
MD5: 1282932dd2b2c8a24e2d93c3b6e796de
SHA256: 596b7c84d21689a6dd2161c5010c334551dd394b20515d891cb29b0c7c27a833
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00019.tmp
image
MD5: 0fab2841a893e879653c05ae7fc1eb57
SHA256: 340c38df84aba6cd55267079695f75d97e19e448abe11021c6169b065e081c6f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00016.tmp
compressed
MD5: 7c230622a87eb9e0ab6fa3b98f3d5f67
SHA256: 9e206fe6ea33049f795d30e757ff7634109e67f35a7343465d39452c27321cfc
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00012.tmp
compressed
MD5: e89084b668b65114372895fc2627a856
SHA256: 7850595e72db6b29554668d2611039b68a330fb281ffe20ab1655d6d3ee86bf9
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001A.tmp
image
MD5: 325472601571f31e1bf00674c368d335
SHA256: b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001D.tmp
html
MD5: 397fe6dd5f9cc1b469a36a3756840f97
SHA256: 1caccbc8805c3e3d23cab121670517132c43162ba578e65b5c478676d34fbe61
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00013.tmp
image
MD5: 860720ae53af878f0950a20ec283439f
SHA256: e49ac6a872c94e1d4919b4a79dbb92893a25cc34b2d0abcd1c770d26ee4c0f7e
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00017.tmp
compressed
MD5: fd8b04571ed27b57393675f6323d450d
SHA256: e487be4d970497ef33e6e0137550432096dc4f667ae091763aec72cfa061c7a5
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00018.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00015.tmp
image
MD5: b55ee6f7c8afd003d4250e3799851cc0
SHA256: e2a25b10607a34b6c2467ba57f64e83bfc0c366a9a068e660f7eb794dd80cae9
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001C.tmp
compressed
MD5: ffdbeafe6d869e2285a9ded57f6ce3be
SHA256: f6ddc7e3f254a538009cc7a0f68f82df2deed74bf43c5c85f0a7fe87f042c07a
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00014.tmp
html
MD5: fcece5ce13467fdfa47d7ac4d2b90d9d
SHA256: 46763e698352f7d45b6bd340e9cd1a8a1c54a717e88085e9684e2c518c14f622
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00011.tmp
image
MD5: e3dc5a95fc270cb9ae1ca3597038a544
SHA256: f9be7ff165fbb2ff51715df71d5f5b77cdd035cd66a5932c395c8eb2cdb0591f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000Z.tmp
image
MD5: 0eef8d20df23e00838ca5c5d96c4d0d0
SHA256: acae0855a7d4371daaf2449eac02277be314e9e1c7f0f4f33d6a2741b84e9bb6
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00010.tmp
image
MD5: dc02fb03b1575cea537f52851e0dd3f6
SHA256: 9c7274a1b8b2c026fb110fa3f22553b384bb607fe49e0f56052374bd33141aac
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000Z.tmp
image
MD5: 81539e2a32384a0f0f8e785ca4f42c0e
SHA256: 7dbb3b2f59ddfd89c8ed5f249059039193ba3c105bea49ac3e47ed3ec1879de6
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000T.tmp
image
MD5: 8bb62ee40bcf51da6e9dded7fba1598f
SHA256: 76acde70cf3f61b68c18720837ef9fee2c81a669a01b59b11658d1f41fcecf5f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000Y.tmp
image
MD5: 56712abacb50678103ad8fd534d80e49
SHA256: cf041610a6324a68ac157eb9e31f2a634970fc169de60a880ca4b66fb44a8f0b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000X.tmp
image
MD5: b06703ef4787a164db2fedb7ad4cc25d
SHA256: f09d33bfc39584934dce37e8249d39840f2edc09b88fe388e82f7ee7f9a69f24
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000U.tmp
image
MD5: 1d2db5ce7e896b621891638b9d387ecc
SHA256: a1d9be5a4d1fdaa628fcc5dd116a09eceb98e3323b3f53cac59350df812710ce
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000S.tmp
image
MD5: 4e818fb75e371571b7423c86dc9abf6d
SHA256: 6c5d4b5ff58cb00fe187136fbe1d71a8c40332ebbb1504daa0c529cd05ab73ab
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000V.tmp
image
MD5: a243ad73348b1ce80bbb9f68fd4ab380
SHA256: 0ca811ffca16db2c89e28d916146e92f623ff90b8f117f2daed1723f1056ee4c
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000W.tmp
image
MD5: 7657ff86078c0f8484eabd374e0160b4
SHA256: 9ca0ce1e7765de1ffcdff37fd74b453bbc25da7394962bcf285131339c2ee688
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000V.tmp
image
MD5: 7eb252b692e8bd829a49064df549b16f
SHA256: 95868cefa58b4892f1aa21ed3f4fbd6be3e66ddd82f755e38e05fcf9eeb3da15
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000U.tmp
image
MD5: 63eb052c2ddc55ccc11f22ac963ae1ea
SHA256: 77db8ccf90597d604fd7ccc9e018f9838af92f845cb9afd974581726d03c3852
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000T.tmp
image
MD5: efcca657f5d28c52894f6b80ac3b427d
SHA256: cb2c901de33bf93dc4171a149bff5959e2b252fd2e7fd9e7d2f22a50ef342020
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000S.tmp
image
MD5: 1fe774ae74bf3524aca855ed0d989c9d
SHA256: 8c6a67f42fb8133ffda235fbd25feb5744876281dac4f86ad3a13a56a8b08de6
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: 582af149f93041ebd6df0d8929af5b28
SHA256: 9b9414722c21954003c22974ec203146079cc5641b3c44532a53e126a35a6f42
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprF929.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000R.tmp
image
MD5: 26f7b4ed617fd6c7e58d647e2c9b4c6b
SHA256: 30315014d83119a6536348bcf4ce23e0fb14c48896d410dbb05399079d60c4ee
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000Q.tmp
image
MD5: 3e0956bd8c38c89e795716fa7861328b
SHA256: 21e0cd2616d413982ab578bb9ca2ef3f8cc1943b9669c6267cffb5eaf9423e10
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000P.000
ttf
MD5: 2311a6a757b73cde3095dcebc43049f9
SHA256: 9ce1fd7b12524a1ce63b20a6e4cf80268390a2dfc00cc43256750ae6c03dc1a6
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000P.tmp
woff
MD5: 8dd2b405b9cf60df6a28dd170169d02c
SHA256: 2567ed3a5f7756e4d8a6c6ad20e4b60b469d37be35c23b599e0a114e9e4b15df
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000O.tmp
ttf
MD5: 8f14509873c612c3b0538416cdc394c7
SHA256: 83e2f0e4029d90194a54326031f5975e12b199a0d61e443ecb25e2071baaa601
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000N.000
ttf
MD5: 33e09950c67688ccf52b55548d89bc1f
SHA256: 2ef00dad4e79118ff2ec85ce0c89b0a07ab0c5ff336c3b10e282d8521b6ba583
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000N.tmp
woff
MD5: d75a015348f9ad93466768092a250c58
SHA256: 843e2acc9a1650183252f047fbb871b2ec00c9fc766c443b2b5241a5e1cabc12
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001V.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000M.tmp
woff
MD5: 84b1d9bb65b585d4b4a72ee9cefb2ac2
SHA256: f5d5c7cb2a10d13fc9b50d058f2af38fec0620b2b4a84e962c976274c396808f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000M.000
ttf
MD5: 9c0b8f0da1786c617ba32f33af3e5ca4
SHA256: 700707eeba1d479661449f1cda5e90d3ff4df2e2ecb050328b9ca4edd8bada75
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000J.tmp
woff
MD5: fd786e1aedaba0667fbc7d2e1025e599
SHA256: ff0c24cf62a61458645531f76364d4a4640b4bb0c2f205ea0c42be149ebee3a2
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000L.tmp
woff
MD5: 81a5f64a75da2bc1d1b382a83235d1d9
SHA256: 870e727d0c17774e3f2c5b5e55b651325b82a060067c521252d3154245a7994b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000H.000
ttf
MD5: df0bad13b72489f23abed01ac28e0401
SHA256: 31a263e8225bb9ae0a7a8777f295158205e735e8a20ceb5f4911e44b2c0e78cf
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000J.000
ttf
MD5: 3aba63e040f3b3a6dad839d3da1babbc
SHA256: d0c9f25cf08216bb7e1047e27f453914add3841817729c33da24017404dd370a
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000L.000
ttf
MD5: 9042719adbd979dc010636c3702ef901
SHA256: d36d8fdc6acf4921408b67ec8f4360f680b420f083eef56c239e8b88c1c6a5c3
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000K.tmp
woff
MD5: c19f25fe27b2341bd1b1a13d9992dfe6
SHA256: de274ed8bc6be040e002be5ed706805212eac271adb5a254fd5a870e8bf6719d
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000K.000
ttf
MD5: d283c3f224a42882e697909fd5712cea
SHA256: 24ee756a505e30cf9d80ed17cbd62f5e5818b5c4d3978dbd1e419b440b5be14e
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000I.000
ttf
MD5: 57b695592f9cbfed6240277437886003
SHA256: dfe9bd5400c32d064d4982e11c80c69a029c9ff17fc6395cfc0c4c28a8dabac8
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000H.tmp
woff
MD5: 5a3fdd02dc4e99dfbecaa7c38280d3a5
SHA256: 0db8d041f87fd1f5817ca400df6133cf64251a2bfa0b78657fb1b8d0bd2c8473
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000E.tmp
woff
MD5: 0ffd6c9760dbd98b33b40cda7c5fe855
SHA256: 7884daf3965ea80ffd59a0c934a7817129106eddeeb480e09b9543737ace07dd
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000G.tmp
woff
MD5: 0e62218ac4e10c750107c310f81b2819
SHA256: 5392865e6c4b25b8aa88babdaf027d531748f63feae1f7c950d51bf5a08db9f0
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000E.000
ttf
MD5: 4b7e0c23022cd9da3d0bbd774bb00904
SHA256: f11dca6cea27c7aa8f26b604032d2538a73eb084f9c2b0c6f3689c9521251741
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000F.000
ttf
MD5: bfc6492af260162700100f172590e12a
SHA256: 67aa3666105655e9d45d84b8db83dd3af3367f7b4016abc86dff5aaf37066fad
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\assoc002\sesn\opr0000G.000
ttf
MD5: cd375914f604d842384f8108ec392be0
SHA256: dec7fe8fd825c1f552bfa5ea412da755eef676994a596b92eed698a74499e1e3
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000F.tmp
woff
MD5: 71c4b3129c1b036c625882343856515f
SHA256: 19d1f6a48c9933698d13bd598ba4800dec1192bf09ce9ca7abb490c88a9af5c0
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000A.tmp
compressed
MD5: 1ef2550f4dec6dc930996d4f3637872f
SHA256: 45edf6578523cd27d75ae646ab51a955d16c45a9361090d6e45b5c16fc0393ae
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000B.tmp
compressed
MD5: de3b80a188dea126f048efd118a038d8
SHA256: ebcf5dd6c179b68c4d8bcc700210208cbf3dde131f3c410948d8e204edb3adb1
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000D.tmp
compressed
MD5: 90d5e4fd7902990d701bd0f65959f6e7
SHA256: a24e0441ba87acf9b26baf907fe4146f07026a9c6674510efe970bc63ebbb7aa
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 0abfece3e69e027cb3305ae7948f1b9a
SHA256: 22f5af760d0611f680530494761528068f9af3ba3a1c778a6d299d505af34864
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0000C.tmp
compressed
MD5: c9d8f5f4ab0bea523ae9406fe91b3a95
SHA256: f5e4234cdadf93342428c482e12e6ca14947005abb96601d5f61f2f96512a368
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00008.tmp
compressed
MD5: ad08865327bfd4e47aa0d953afce77a7
SHA256: c0912a5621a0bc3b748cf280b5fa788e30277072eb3cc163c400c8d4fa1b238f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00009.tmp
compressed
MD5: 8e54eaf12ff1dda3333eb59644c62c1a
SHA256: 166f2add8eb3a5b16caecda8c36e1c7a2a22a63acb5035897bc2cce7ede752c2
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprEB4D.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00006.tmp
compressed
MD5: e5edf9050a9318675a7f5fbf4f065c3d
SHA256: 2195e8fffcbf75d92b26c3770c3252cd761bb0d5208dfde9dfc2f7f3f87d3aba
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00007.tmp
compressed
MD5: 954b6c65e676595d255a043a10d6dbae
SHA256: 726e21a1576b0fc5cc41e7fd0e9a68cf35b263e9c6161c44922b2de7b3432f6b
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00005.tmp
compressed
MD5: f0c6a7ece0e596df42b08b3693e4efd4
SHA256: a3096a1186ae725504df5c776c66a1ad1302c54d2ee230ae4963ce97cb8c4843
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\icons\https%3A%2F%2Fwww.chase.com%2Fetc%2Fdesigns%2Fchase-ux%2Ffavicon.png
image
MD5: 7733edc326d601bfe3a39b00f78b79f6
SHA256: 25064bce5a0f5080d1202b7186b8dda99d59999c3b75e0e7e74dbc7e7a7d9342
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\icons\www.chase.com.idx
text
MD5: 354e82e44cf47ad73df667af5fcd7e33
SHA256: c14e1d5667b865f57aa3e821df7ad870ac23aa61cd8f7dcd68fdcf7ac14f5608
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: 4e032a4d1fcf9dcc17ba639431b91dac
SHA256: ea46a1d5a79ae6ff49b24de8668a69a27bead50e2eb2fe78751fadade7853f14
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 60448714f6105909b7100f4400ff7613
SHA256: f007f00948a45a94be6c42bab2c643c2bedb4742ef9e768b8f0b1194ab8a0a05
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprCC5A.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
text
MD5: 3f5281b948860e52fe0e440fa12be986
SHA256: dd343f8defafcf2e27b3ef50edb66a7821a4b219a0d326e1373355c02e5289af
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00004.tmp
compressed
MD5: a20c32724fb56f27c4988049a1cd67d1
SHA256: 541fc170d17166af5ac43443b03bd39e743b0f12871b912c59940b963b19ea98
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 3f5281b948860e52fe0e440fa12be986
SHA256: dd343f8defafcf2e27b3ef50edb66a7821a4b219a0d326e1373355c02e5289af
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprC082.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 089bd4b9f0797c66e2f12fd1e40b156a
SHA256: a9689fd5cf4d10db415afac9397d71b91aa44b9553e1b7d8edd7133b89e64a44
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: d6e3c2ed2d42fa6720826d713bf02a12
SHA256: 17a80d0ff09fd6cfb25abace92fbc7361c6eb80f9c2b73ec85b5d6cece17cff7
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: 4aa494d2a689de2365b6e3f814a86afc
SHA256: ce7c5d40aa13b68dfa3cc7460ee99dfab06db60ae2db2469397ec1aaf7e9294f
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
html
MD5: 7f077f1fce3d566040b0d69eb1f27d8f
SHA256: 487ad0d2cf075f4328a1adf57ef428759ad4e2c873a8ebd2ad9653990829c9cf
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp
html
MD5: 8f2305e7b4e5700362112473fa1465e7
SHA256: 60d06383a31fefa60dff4e3abad3d4199f18fb1e5517bc8c0344114c1ccb23cf
3972
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
binary
MD5: 9be9ccc710d3048cfd9bfa594a41206a
SHA256: 85766104413f074c4d5a44fe7a2472002a0b99dc59d4224db4cd1e19072d2903
3972
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF144def.TMP
binary
MD5: 9be9ccc710d3048cfd9bfa594a41206a
SHA256: 85766104413f074c4d5a44fe7a2472002a0b99dc59d4224db4cd1e19072d2903
3972
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JISF5RFBQ0THNILN9E23.temp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 7f5dcbf9f067f258078d5071195d5c51
SHA256: fec0be3946fe4780375cee50eb647bea4fb130af228e473fe442b39ff19d0492
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 6d8679c53b7a3290cf2df7c7e98dcb3f
SHA256: 08b07f39f63acbdd786e87f1835ece3a595732a9fc122cc0824210419ec32dfd
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 59761e989f564f76a3a4b778db7abcf1
SHA256: af879942d234d85c0ce75921dbdda50e2f6d135bd961f259106131751359052b
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
binary
MD5: 82f1a2b1176a5ecc457d32301e2ad833
SHA256: a783052804dd4c232be2ed3dc00c430cb67a20370890e235562ed2b27b5a602e
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: c6fa8676009cadc14f43eabd11449b0a
SHA256: 49984a9d756551cdbeeb98a5611dd9ddbbf65d8e1916b5df688aa48faa3d8663
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
xml
MD5: d9b4d5e52d815b0937c48cf13ecb6bed
SHA256: 9bb19aab3d01694f09464f3322a8a25d5ed2ddecf54de092670117c4f00ef104
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr42A6.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: f8b1fcb365a27c2c9730d8b283a7f454
SHA256: a9b8edacf385f4775a6585703d82a1d0e66ad72b2cc6a1a56aad221e10fba1dd
3972
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr4266.tmp
––
MD5:  ––
SHA256:  ––
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552
3972
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr0001U.tmp
image
MD5: fc94fb0c3ed8a8f909dbc7630a0987ff
SHA256: 2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363
Network activity

HTTP(S) requests
12
TCP/UDP connections
49
DNS requests
21
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3972 opera.exe GET 200 93.184.220.29:80 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl US
der
whitelisted
3972 opera.exe GET 200 172.217.18.206:80 http://clients1.google.com/complete/search?q=chas&client=opera-suggest-omnibox&hl=de US
text
whitelisted
3972 opera.exe GET 301 159.53.85.137:80 http://chase.com/ US
––
––
unknown
3972 opera.exe GET 400 185.26.182.112:80 http://sitecheck2.opera.com/?host=chase.com&hdn=Vu%2BzlKTnzN7rHs19Aeipxw== unknown
html
whitelisted
3972 opera.exe GET 200 104.121.24.251:80 http://ocsp.entrust.net/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQnuEQcScL%2FkljKed%2BRzpzFYOq9kwQUw%2FfQtSowra8NkSFwOVTdvIlwxzoCEQD9e1BR8AutbgAAAABUz5cI NL
der
whitelisted
3972 opera.exe GET –– 104.123.50.17:80 http://crl.entrust.net/g2ca.crl US
––
––
whitelisted
3972 opera.exe GET 200 104.121.24.251:80 http://ocsp.entrust.net/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQnuEQcScL%2FkljKed%2BRzpzFYOq9kwQUw%2FfQtSowra8NkSFwOVTdvIlwxzoCEQD9e1BR8AutbgAAAABUz5cI NL
der
whitelisted
3972 opera.exe GET 200 104.123.50.17:80 http://crl.entrust.net/g2ca.crl US
der
whitelisted
3972 opera.exe GET 200 104.121.24.251:80 http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQnuEQcScL%2FkljKed%2BRzpzFYOq9kwQUw%2FfQtSowra8NkSFwOVTdvIlwxzoCEEhX3tOSiXkaAAAAAFTPzbw%3D NL
der
whitelisted
3972 opera.exe GET 200 104.121.24.251:80 http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQnuEQcScL%2FkljKed%2BRzpzFYOq9kwQUw%2FfQtSowra8NkSFwOVTdvIlwxzoCEBy4c2rWq6eqAAAAAFTPYF4%3D NL
der
whitelisted
3972 opera.exe GET 200 216.58.201.227:80 http://crl.pki.goog/gsr2/gsr2.crl US
der
whitelisted
3972 opera.exe GET 200 216.58.201.227:80 http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDYVemzAwWFsVOgYEZWLA1k%3D US
der
whitelisted
Connections

PID Process IP ASN CN Reputation
3972 opera.exe 185.26.182.93:443 Opera Software AS –– unknown
3972 opera.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
3972 opera.exe 172.217.18.206:80 Google Inc. US whitelisted
3972 opera.exe 159.53.85.137:80 JPMorgan Chase & Co. US unknown
3972 opera.exe 159.53.116.62:443 JPMorgan Chase & Co. US unknown
3972 opera.exe 185.26.182.112:80 Opera Software AS –– suspicious
3972 opera.exe 185.26.182.112:443 Opera Software AS –– suspicious
3972 opera.exe 104.121.24.251:80 Akamai Technologies, Inc. NL unknown
3972 opera.exe 104.123.50.17:80 Akamai Technologies, Inc. US unknown
3972 opera.exe 159.53.98.41:443 JPMorgan Chase & Co. US unknown
3972 opera.exe 159.53.119.16:443 JPMorgan Chase & Co. US unknown
3972 opera.exe 216.58.213.162:443 Google Inc. US whitelisted
3972 opera.exe 108.174.11.53:443 LinkedIn Corporation US unknown
3972 opera.exe 31.13.92.36:443 Facebook, Inc. IE whitelisted
3972 opera.exe 216.58.213.166:443 Google Inc. US whitelisted
3972 opera.exe 104.244.42.67:443 Twitter Inc. US unknown
3972 opera.exe 34.95.92.78:443 US malicious
–– –– 216.58.201.227:80 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
certs.opera.com 185.26.182.93 whitelisted
crl4.digicert.com 93.184.220.29 whitelisted
clients1.google.com 172.217.18.206 whitelisted
chase.com 159.53.85.137 unknown
sitecheck2.opera.com 185.26.182.112 whitelisted
www.chase.com 159.53.116.62 unknown
ocsp.entrust.net 104.121.24.251 whitelisted
crl.entrust.net 104.123.50.17 whitelisted
sites.chase.com 159.53.98.41 unknown
rf15.chase.com 159.53.119.16 unknown
googleads.g.doubleclick.net 216.58.213.162 whitelisted
rc.rlcdn.com 34.95.92.78 malicious
analytics.twitter.com 104.244.42.67 whitelisted
www.facebook.com 31.13.92.36 whitelisted
ad.doubleclick.net 216.58.213.166 whitelisted
dc.ads.linkedin.com 108.174.11.53 whitelisted
crl.pki.goog 216.58.201.227 whitelisted
ocsp.pki.goog 216.58.201.227 whitelisted
p.rfihub.com 193.0.160.129 whitelisted
ocsp.digicert.com 93.184.220.29 whitelisted

Threats

No threats detected.

Debug output strings

Process Message
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn