Edit tour
Windows
Analysis Report
SecuriteInfo.com.Adware.Elemental.22.22509.21519.exe
Overview
General Information
| Sample name: | SecuriteInfo.com.Adware.Elemental.22.22509.21519.exe |
| Analysis ID: | 1544572 |
| MD5: | 2a3b7cf9d36c8e04db084638fd066ad5 |
| SHA1: | 6e25322226e38e6e921cfacb631556cf66dd5b06 |
| SHA256: | 1e5bc37886c1983546bcd39efce0d4bd05b88f57da45686b48a375676c43bc4e |
| Tags: | exe |
| Infos: |   |
 | |
Detection
| Score: | 34 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 0% |
Compliance
| Score: | 49 |
| Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Contains functionality to register a low level keyboard hook
Found direct / indirect Syscall (likely to bypass EDR)
Installs a global event hook (focus changed)
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Tries to disable installed Antivirus / HIPS / PFW
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
query blbeacon for getting browser version
Classification
- System is w10x64
SecuriteInfo.com.Adware.Elemental.22.22509.21519.exe (PID: 3896 cmdline: "C:\Users\ user\Deskt op\Securit eInfo.com. Adware.Ele mental.22. 22509.2151 9.exe" MD5: 2A3B7CF9D36C8E04DB084638FD066AD5) 
OperaGXInstaller.exe (PID: 4508 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\OperaG XInstaller \OperaGXIn staller.ex e" --silen t --alluse rs=0 MD5: 8A3BD58257B48475AE9B793F522E5759) - setup.exe (PID: 3928 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\7zSC91E 97EB\setup .exe --sil ent --allu sers=0 --s erver-trac king-blob= YzNjYzBkNz BjNDk4NTlk M2U3YTIzOT I2N2M2ZGIy MjU0OGQ2OW MxY2Y5YjZk MTY4MGI3OT JjMTc3ZDI3 MGZkMjp7Im NvdW50cnki OiJVUyIsIm VkaXRpb24i OiJzdGQtMi IsImluc3Rh bGxlcl9uYW 1lIjoiT3Bl cmFHWFNldH VwLmV4ZSIs InByb2R1Y3 QiOiJvcGVy YV9neCIsIn F1ZXJ5Ijoi L29wZXJhX2 d4L3N0YWJs ZS9lZGl0aW 9uL3N0ZC0y Lz91dG1fc2 91cmNlPU9G VCZ1dG1fbW VkaXVtPXBi JnV0bV9jYW 1wYWlnbj1v Z3gmdXRtX2 NvbnRlbnQ9 b2d4aV8zND QyMCIsInRp bWVzdGFtcC I6IjE3MzAy MTI2MjMuNT k2OCIsInVz ZXJhZ2VudC I6Ik1vemls bGEvNC4wIC hjb21wYXRp YmxlOyBNU0 lFIDcuMDsg V2luZG93cy BOVCA2LjI7 IFdpbjY0Oy B4NjQ7IFRy aWRlbnQvNy 4wOyAuTkVU NC4wQzsgLk 5FVDQuMEU7 IC5ORVQgQ0 xSIDIuMC41 MDcyNzsgLk 5FVCBDTFIg My4wLjMwNz I5OyAuTkVU IENMUiAzLj UuMzA3Mjkp IiwidXRtIj p7ImNhbXBh aWduIjoib2 d4IiwiY29u dGVudCI6Im 9neGlfMzQ0 MjAiLCJtZW RpdW0iOiJw YiIsInNvdX JjZSI6Ik9G VCJ9LCJ1dW lkIjoiOWVk N2VlMTktY2 FmYi00MTZk LTliNzQtMW I1ZGNkMDQw NWZiIn0= MD5: A910474AAD1EEA96921D359E1763D2FD) - setup.exe (PID: 6972 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\7zSC91E 97EB\setup .exe --typ e=crashpad -handler / prefetch:4 --monitor -self-anno tation=pty pe=crashpa d-handler "--databas e=C:\Users \user\AppD ata\Roamin g\Opera So ftware\Ope ra GX Stab le\Crash R eports" "- -crash-cou nt-file=C: \Users\use r\AppData\ Roaming\Op era Softwa re\Opera G X Stable\c rash_count .txt" --ur l=https:// crashstats -collector -2.opera.c om/ --anno tation=cha nnel=Stabl e --annota tion=plat= Win32 --an notation=p rod=OperaD esktopGX - -annotatio n=ver=114. 0.5282.123 --initial -client-da ta=0x32c,0 x330,0x334 ,0x318,0x3 38,0x6c998 c5c,0x6c99 8c68,0x6c9 98c74 MD5: A910474AAD1EEA96921D359E1763D2FD) - setup.exe (PID: 7164 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\.opera \Opera GX Installer Temp\setup .exe" --ve rsion MD5: A910474AAD1EEA96921D359E1763D2FD) - setup.exe (PID: 2788 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\7zSC91 E97EB\setu p.exe" --b ackend --i nstall --i mport-brow ser-data=0 --enable- stats=1 -- enable-ins taller-sta ts=1 --con sent-given =0 --gener al-interes ts=0 --gen eral-locat ion=0 --pe rsonalized -content=0 --persona lized-ads= 0 --vought _browser=0 --launcho pera=1 --i nstallfold er="C:\Use rs\user\Ap pData\Loca l\Programs \Opera GX" --profile -folder -- language=e n-GB --sin gleprofile =0 --copyo nly=0 --al lusers=0 - -setdefaul tbrowser=1 --pintota skbar=1 -- pintostart menu=1 --r un-at-star tup=1 --se rver-track ing-data=s erver_trac king_data --initial- pid=3928 - -package-d ir-prefix= "C:\Users\ user\AppDa ta\Local\T emp\.opera \Opera GX Installer Temp\opera _package_2 0241029103 712" --ses sion-guid= 50fea559-f 106-47bc-9 a77-433543 5774ab --s erver-trac king-blob= NTA0MmFkMj JhOTRhYTI0 MTZkOWU1Nm NhMTJiZWQ1 NWVhNTUyZj hhZGMwMDUy YmM1ZGQzZj I4NDNjMzQw NmFjNTp7Im NvdW50cnki OiJVUyIsIm VkaXRpb24i OiJzdGQtMi IsImluc3Rh bGxlcl9uYW 1lIjoiT3Bl cmFHWFNldH VwLmV4ZSIs InByb2R1Y3 QiOnsibmFt ZSI6Im9wZX JhX2d4In0s InF1ZXJ5Ij oiL29wZXJh X2d4L3N0YW JsZS9lZGl0 aW9uL3N0ZC 0yLz91dG1f c291cmNlPU 9GVCZ1dG1f bWVkaXVtPX BiJnV0bV9j YW1wYWlnbj 1vZ3gmdXRt X2NvbnRlbn Q9b2d4aV8z NDQyMCIsIn N5c3RlbSI6 eyJwbGF0Zm 9ybSI6eyJh cmNoIjoieD g2XzY0Iiwi b3BzeXMiOi JXaW5kb3dz Iiwib3BzeX MtdmVyc2lv biI6IjEwIi wicGFja2Fn ZSI6IkVYRS J9fSwidGlt ZXN0YW1wIj oiMTczMDIx MjYyMy41OT Y4IiwidXNl cmFnZW50Ij oiTW96aWxs YS80LjAgKG NvbXBhdGli bGU7IE1TSU UgNy4wOyBX aW5kb3dzIE 5UIDYuMjsg V2luNjQ7IH g2NDsgVHJp ZGVudC83Lj A7IC5ORVQ0 LjBDOyAuTk VUNC4wRTsg Lk5FVCBDTF IgMi4wLjUw NzI3OyAuTk VUIENMUiAz LjAuMzA3Mj k7IC5ORVQg Q0xSIDMuNS 4zMDcyOSki LCJ1dG0iOn siY2FtcGFp Z24iOiJvZ3 giLCJjb250 ZW50Ijoib2 d4aV8zNDQy MCIsIm1lZG l1bSI6InBi Iiwic291cm NlIjoiT0ZU In0sInV1aW QiOiI5ZWQ3 ZWUxOS1jYW ZiLTQxNmQt OWI3NC0xYj VkY2QwNDA1 ZmIifQ== - -silent -- desktopsho rtcut=1 -- wait-for-p ackage --i nitial-pro c-handle=2 C060000000 00000 MD5: A910474AAD1EEA96921D359E1763D2FD) - setup.exe (PID: 712 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\7zSC91E 97EB\setup .exe --typ e=crashpad -handler / prefetch:4 --monitor -self-anno tation=pty pe=crashpa d-handler "--databas e=C:\Users \user\AppD ata\Roamin g\Opera So ftware\Ope ra GX Stab le\Crash R eports" "- -crash-cou nt-file=C: \Users\use r\AppData\ Roaming\Op era Softwa re\Opera G X Stable\c rash_count .txt" --ur l=https:// crashstats -collector -2.opera.c om/ --anno tation=cha nnel=Stabl e --annota tion=plat= Win32 --an notation=p rod=OperaD esktopGX - -annotatio n=ver=114. 0.5282.123 --initial -client-da ta=0x33c,0 x340,0x344 ,0x308,0x3 18,0x6baf8 c5c,0x6baf 8c68,0x6ba f8c74 MD5: A910474AAD1EEA96921D359E1763D2FD) - installer.exe (PID: 6856 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\114 .0.5282.12 3\installe r.exe" --b ackend --i nitial-pid =3928 --in stall --im port-brows er-data=0 --enable-s tats=1 --e nable-inst aller-stat s=1 --cons ent-given= 0 --genera l-interest s=0 --gene ral-locati on=0 --per sonalized- content=0 --personal ized-ads=0 --vought_ browser=0 --launchop era=1 --in stallfolde r="C:\User s\user\App Data\Local \Programs\ Opera GX" --profile- folder --l anguage=en -GB --sing leprofile= 0 --copyon ly=0 --all users=0 -- setdefault browser=1 --pintotas kbar=1 --p intostartm enu=1 --ru n-at-start up=1 --ser ver-tracki ng-data=se rver_track ing_data - -package-d ir="C:\Use rs\user\Ap pData\Loca l\Temp\.op era\Opera GX Install er Temp\op era_packag e_20241029 1037121" - -session-g uid=50fea5 59-f106-47 bc-9a77-43 35435774ab --server- tracking-b lob=NTA0Mm FkMjJhOTRh YTI0MTZkOW U1NmNhMTJi ZWQ1NWVhNT UyZjhhZGMw MDUyYmM1ZG QzZjI4NDNj MzQwNmFjNT p7ImNvdW50 cnkiOiJVUy IsImVkaXRp b24iOiJzdG QtMiIsImlu c3RhbGxlcl 9uYW1lIjoi T3BlcmFHWF NldHVwLmV4 ZSIsInByb2 R1Y3QiOnsi bmFtZSI6Im 9wZXJhX2d4 In0sInF1ZX J5IjoiL29w ZXJhX2d4L3 N0YWJsZS9l ZGl0aW9uL3 N0ZC0yLz91 dG1fc291cm NlPU9GVCZ1 dG1fbWVkaX VtPXBiJnV0 bV9jYW1wYW lnbj1vZ3gm dXRtX2Nvbn RlbnQ9b2d4 aV8zNDQyMC IsInN5c3Rl bSI6eyJwbG F0Zm9ybSI6 eyJhcmNoIj oieDg2XzY0 Iiwib3BzeX MiOiJXaW5k b3dzIiwib3 BzeXMtdmVy c2lvbiI6Ij EwIiwicGFj a2FnZSI6Ik VYRSJ9fSwi dGltZXN0YW 1wIjoiMTcz MDIxMjYyMy 41OTY4Iiwi dXNlcmFnZW 50IjoiTW96 aWxsYS80Lj AgKGNvbXBh dGlibGU7IE 1TSUUgNy4w OyBXaW5kb3 dzIE5UIDYu MjsgV2luNj Q7IHg2NDsg VHJpZGVudC 83LjA7IC5O RVQ0LjBDOy AuTkVUNC4w RTsgLk5FVC BDTFIgMi4w LjUwNzI3Oy AuTkVUIENM UiAzLjAuMz A3Mjk7IC5O RVQgQ0xSID MuNS4zMDcy OSkiLCJ1dG 0iOnsiY2Ft cGFpZ24iOi JvZ3giLCJj b250ZW50Ij oib2d4aV8z NDQyMCIsIm 1lZGl1bSI6 InBiIiwic2 91cmNlIjoi T0ZUIn0sIn V1aWQiOiI5 ZWQ3ZWUxOS 1jYWZiLTQx NmQtOWI3NC 0xYjVkY2Qw NDA1ZmIifQ == --silen t --deskto pshortcut= 1 --instal l-subfolde r=114.0.52 82.123 MD5: E169C65773E40654455624EADD122953) - installer.exe (PID: 6684 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\114 .0.5282.12 3\installe r.exe" --t ype=crashp ad-handler /prefetch :4 --monit or-self-an notation=p type=crash pad-handle r "--datab ase=C:\Use rs\user\Ap pData\Roam ing\Opera Software\O pera GX St able\Crash Reports" "--crash-c ount-file= C:\Users\u ser\AppDat a\Roaming\ Opera Soft ware\Opera GX Stable \crash_cou nt.txt" -- url=https: //crashsta ts-collect or-2.opera .com/ --an notation=c hannel=Sta ble --anno tation=pla t=Win64 -- annotation =prod=Oper aDesktopGX --annotat ion=ver=11 4.0.5282.1 23 --initi al-client- data=0x250 ,0x254,0x2 7c,0x258,0 x280,0x7ff d94469e20, 0x7ffd9446 9e2c,0x7ff d94469e38 MD5: E169C65773E40654455624EADD122953) 
explorer.exe (PID: 4004 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) 
opera.exe (PID: 508 cmdline: "C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\ope ra.exe" -- start-maxi mized --lo wered-brow ser MD5: 94851594215654A9EFCE5F3C3830A9C1) 
EwdhIsAfAL.exe (PID: 2760 cmdline: "C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 2420 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 1548 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 2532 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 6636 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 3552 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 4160 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 1460 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - opera.exe (PID: 5112 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\ope ra.exe" -- start-maxi mized MD5: 94851594215654A9EFCE5F3C3830A9C1) 
opera_crashreporter.exe (PID: 5004 cmdline: "C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\114 .0.5282.12 3\opera_cr ashreporte r.exe" --t ype=crashp ad-handler /prefetch :4 --monit or-self-an notation=p type=crash pad-handle r "--datab ase=C:\Use rs\user\Ap pData\Roam ing\Opera Software\O pera GX St able\Crash Reports" "--crash-c ount-file= C:\Users\u ser\AppDat a\Roaming\ Opera Soft ware\Opera GX Stable \crash_cou nt.txt" -- url=https: //crashsta ts-collect or-2.opera .com/ --an notation=c hannel=Sta ble --anno tation=pla t=Win64 -- annotation =prod=Oper aDesktopGX --annotat ion=ver=11 4.0.5282.1 23 --initi al-client- data=0x1dc ,0x1e0,0x1 e4,0x1d8,0 x1e8,0x7ff d92de1388, 0x7ffd92de 1398,0x7ff d92de13a8 MD5: F2FDAF82F5AA813C34BF1E4065AF7CFA) - EwdhIsAfAL.exe (PID: 4156 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 5724 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 3800 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 524 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 3200 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 380 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - EwdhIsAfAL.exe (PID: 5668 cmdline:
"C:\Progra m Files (x 86)\mudjfN bYLVXpdJfo mFaPTueznQ oHFrCdzndu aLVartLUUI SpHuHZ\Ewd hIsAfAL.ex e" MD5: 32B8AD6ECA9094891E792631BAEA9717) - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 5172 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\.opera \Opera GX Installer Temp\opera _package_2 0241029103 7121\assis tant\Opera _GX_assist ant_73.0.3 856.382_Se tup.exe_sf x.exe" MD5: E9A2209B61F4BE34F25069A6E54AFFEA) - assistant_installer.exe (PID: 5768 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\.opera \Opera GX Installer Temp\opera _package_2 0241029103 7121\assis tant\assis tant_insta ller.exe" --version MD5: 4C8FBED0044DA34AD25F781C3D117A66) - assistant_installer.exe (PID: 6672 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\.opera \Opera GX Installer Temp\opera _package_2 0241029103 7121\assis tant\assis tant_insta ller.exe" --type=cra shpad-hand ler /prefe tch:7 --mo nitor-self -annotatio n=ptype=cr ashpad-han dler "--da tabase=C:\ Users\user \AppData\R oaming\Ope ra Softwar e\Opera GX Stable\Cr ash Report s" "--cras h-count-fi le=C:\User s\user\App Data\Roami ng\Opera S oftware\Op era GX Sta ble\crash_ count.txt" --url=htt ps://crash stats-coll ector.oper a.com/coll ector/subm it --annot ation=chan nel=Stable --annotat ion=plat=W in32 --ann otation=pr od=OperaDe sktopGX -- annotation =ver=73.0. 3856.382 - -initial-c lient-data =0x270,0x2 74,0x278,0 x24c,0x27c ,0x3a4f48, 0x3a4f58,0 x3a4f64 MD5: 4C8FBED0044DA34AD25F781C3D117A66)
- opera_autoupdate.exe (PID: 5728 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\aut oupdate\op era_autoup date.exe" --schedule dtask --by passlaunch er 0 MD5: 84762F0101AE1F06BCB76F70A0308FD0) - opera_autoupdate.exe (PID: 6264 cmdline:
"C:\Users\ user\AppDa ta\Local\P rograms\Op era GX\aut oupdate\op era_autoup date.exe" --type=cra shpad-hand ler /prefe tch:4 --mo nitor-self -annotatio n=ptype=cr ashpad-han dler "--da tabase=C:\ Users\user \AppData\R oaming\Ope ra Softwar e\Opera GX Stable\Cr ash Report s" "--cras h-count-fi le=C:\User s\user\App Data\Roami ng\Opera S oftware\Op era GX Sta ble\crash_ count.txt" --url=htt ps://crash stats-coll ector-2.op era.com/ - -annotatio n=channel= Stable --a nnotation= plat=Win64 --annotat ion=prod=O peraDeskto pGX --anno tation=ver =114.0.528 2.123 --in itial-clie nt-data=0x 230,0x234, 0x238,0x22 c,0x208,0x 7ff79d2f67 3c,0x7ff79 d2f6748,0x 7ff79d2f67 58 MD5: 84762F0101AE1F06BCB76F70A0308FD0)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| ironshell_php | Semi-Auto-generated - file ironshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls |
|
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | Binary or memory string: | memstr_d3e9229a-c | |
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | |||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | |||
| Source: | EXE: | |||
| Source: | EXE: | Jump to behavior | ||
Compliance | |
|---|
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | |||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | |||
| Source: | EXE: | |||
| Source: | EXE: | Jump to behavior | ||
| Source: | Registry value created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | |||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00007FF73CC59394 | |
| Source: | Code function: | 3_2_00D08D20 | |
| Source: | Code function: | 3_2_00D2FEEB | |
| Source: | Code function: | 12_2_004033B3 | |
| Source: | Code function: | 12_2_00402F12 | |
| Source: | Code function: | 13_2_00259120 | |
| Source: | Code function: | 13_2_002E9AE2 | |
| Source: | Code function: | 14_2_00259120 | |
| Source: | Code function: | 14_2_002E9AE2 | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Code function: | 0_2_00007FF73CC42FA0 | |
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | Code function: | 0_2_00007FF73CC42FA0 | |
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | |||