1992591e5ca7e56a5782c36eb97db43fe1642edacd58d2a02f84faf05d35ff95

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2023, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer (1).exe
Size

8.7MB
MD5

88a30b2e8b5399230ed0a714df175f64
SHA1

d95e2e2b3fd1ee86bca51f414c10c67b31364a73
SHA256

1992591e5ca7e56a5782c36eb97db43fe1642edacd58d2a02f84faf05d35ff95
SHA512

7d0747b05e6c3f1ff7e932b145bfff3374a5f393a3af38e6fccdbb532643b7f18add6b8aa453e6baacab68b6c484364021f28a4cb2a8933a614df82fe91ef1b6
SSDEEP

196608:IcF8dTQeVEY+NQFy9fw92Co4ohiLyJwHppz8DJu1Bb4WZXN:IcKd9S2y9492CojBJwHppYVuMWZd

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ExLoader_Installer (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	opera.exe

Executes dropped EXE 64 IoCs

pid	Process
4080	ExLoader_Installer.exe
1636	ExLoader.exe
4212	ExLoader.exe
3188	OperaSetup.exe
4300	OperaSetup.exe
4152	OperaSetup.exe
2280	OperaSetup.exe
3700	OperaSetup.exe
3056	_sfx.exe
1392	assistant_installer.exe
4568	assistant_installer.exe
4112	installer.exe
3288	installer.exe
1812	launcher.exe
5156	opera.exe
5184	opera_crashreporter.exe
5344	opera.exe
5360	opera.exe
5496	opera.exe
5520	opera_crashreporter.exe
5672	opera.exe
5688	opera.exe
5748	opera.exe
5900	opera.exe
5932	opera.exe
5960	opera.exe
6016	opera.exe
6064	opera.exe
6104	opera.exe
5368	opera.exe
5440	opera.exe
6200	opera.exe
6220	opera.exe
6240	opera.exe
6288	opera.exe
6364	opera.exe
6484	opera.exe
7000	launcher.exe
6984	opera.exe
7020	opera_autoupdate.exe
7032	opera.exe
7056	opera.exe
7064	opera_autoupdate.exe
7072	opera.exe
7164	opera.exe
5268	opera.exe
5340	opera.exe
5364	opera.exe
1744	opera.exe
6748	opera.exe
5128	opera.exe
6908	opera.exe
5460	opera.exe
5140	opera.exe
5228	opera.exe
4140	opera.exe
4544	opera.exe
836	opera.exe
4668	opera.exe
4872	opera.exe
4220	opera.exe
808	opera.exe
4104	opera.exe
4180	opera.exe

Loads dropped DLL 64 IoCs

pid	Process
4080	ExLoader_Installer.exe
4080	ExLoader_Installer.exe
4080	ExLoader_Installer.exe
4080	ExLoader_Installer.exe
1636	ExLoader.exe
1636	ExLoader.exe
1636	ExLoader.exe
1636	ExLoader.exe
1636	ExLoader.exe
4212	ExLoader.exe
4212	ExLoader.exe
4212	ExLoader.exe
4212	ExLoader.exe
4212	ExLoader.exe
3188	OperaSetup.exe
4300	OperaSetup.exe
4152	OperaSetup.exe
2280	OperaSetup.exe
3700	OperaSetup.exe
4112	installer.exe
3288	installer.exe
5156	opera.exe
5156	opera.exe
5344	opera.exe
5344	opera.exe
5360	opera.exe
5344	opera.exe
5344	opera.exe
5344	opera.exe
5344	opera.exe
5344	opera.exe
5360	opera.exe
5496	opera.exe
5496	opera.exe
5672	opera.exe
5672	opera.exe
5688	opera.exe
5672	opera.exe
5672	opera.exe
5672	opera.exe
5672	opera.exe
5672	opera.exe
5748	opera.exe
5688	opera.exe
5748	opera.exe
5900	opera.exe
5900	opera.exe
5932	opera.exe
5932	opera.exe
5960	opera.exe
5960	opera.exe
6016	opera.exe
6016	opera.exe
6064	opera.exe
6064	opera.exe
6104	opera.exe
6104	opera.exe
5368	opera.exe
5368	opera.exe
5440	opera.exe
5440	opera.exe
6200	opera.exe
6200	opera.exe
6220	opera.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe\""	installer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3188-242-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/4300-243-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/4152-247-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/2280-249-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/3700-251-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/2280-318-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/3188-319-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/4300-321-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral2/memory/3700-320-0x0000000000400000-0x0000000000947000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	opera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Stable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\launcher.exe"	opera.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	installer.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\Circe-Bold.ttf	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\-4.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sand_clock.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\-9.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\google.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\alphabetical-order.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\discord.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_bayonet.svg	ExLoader_Installer.exe
File created	C:\Program Files\scoped_dir5496_1583083835\reborn5.png	opera.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Star%20Wars.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\-11.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\730.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sun_outlined.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sort.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\other_items\decoy.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_knife_widowmaker.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\icudtl.dat	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\crab.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\mask.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\maximize.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\unsafe-shield.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\ghost_filled.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\other_items\molotov_ct.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_m4a1_silencer.svg	ExLoader_Installer.exe
File created	C:\Program Files\scoped_dir5496_1453944129\reborn5_dark.jpg	opera.exe
File opened for modification	C:\Program Files\ExLoader\ExLoader.zip	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\alternative_star_outlined.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\new_year_star_filled.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_usp_silencer.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\pumpkin.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\ranks_competitive\Legendary%20Eagle.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\440.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\ranks_competitive\Gold%20Nova%20I.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_knife_cord.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\user.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\grain.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Humans.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\download.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_nova.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\ranks_competitive\Unranked.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sort_rotate.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\minimize.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\flashed.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\ranks_competitive\Gold%20Nova%20III.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_scar20.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\-5.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bin_sort.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\calendar.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\eye.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\sun_filled.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\other_items\molotov_t.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_famas.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Romantic.png	ExLoader_Installer.exe
File created	C:\Program Files\scoped_dir5496_1453944129\persona.ini	opera.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\scoped.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\ranks_competitive\Master%20Guardian%20Elite.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\skin_items\weapon_mp7.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\other_items\bomb.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bell_outlined.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\close.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\games\570.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\icons\unknown-shield.svg	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\bomb.png	ExLoader_Installer.exe
File opened for modification	C:\Program Files\ExLoader\data\flutter_assets\resources\images\snow.webp	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	opera.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2004	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications\opera.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" \"%1\""	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec\Topic\	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.htm\OpenWithProgids\OperaStable = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.pdf\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xhtml	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications\opera.exe\shell	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.opdownload\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.shtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications\opera.exe	installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{93223B45-9735-43CB-BC0D-83FA8268532D}	opera.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\DefaultIcon	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe,0"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" -noautoupdate -- \"%1\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec\Application	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xht\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xhtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.shtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xht	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec\Topic	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.html\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.shtml	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\FriendlyTypeName = "Opera Web Document"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.opdownload	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe\""	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\command	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.opdownload\OpenWithProgIDs\OperaStable = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xhtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications\opera.exe\shell\open\command	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Applications\opera.exe\shell\open	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.25\\notification_helper.exe"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\URL Protocol	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec\	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\OperaStable\shell\open\ddeexec\Application\	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\.xht\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\WOW6432Node	installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	OperaSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1264	powershell.exe
1264	powershell.exe
1064	powershell.exe
1064	powershell.exe
4752	msedge.exe
4752	msedge.exe
5008	msedge.exe
5008	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
5496	opera.exe
5496	opera.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe
Token: SeCreatePagefilePrivilege	5496	opera.exe
Token: SeShutdownPrivilege	5496	opera.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
4112	installer.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4080	ExLoader_Installer.exe
1636	ExLoader.exe
4212	ExLoader.exe
4212	ExLoader.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe
4112	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4080	4216	ExLoader_Installer (1).exe	80
PID 4216 wrote to memory of 4080	4216	ExLoader_Installer (1).exe	80
PID 4080 wrote to memory of 3300	4080	ExLoader_Installer.exe	92
PID 4080 wrote to memory of 3300	4080	ExLoader_Installer.exe	92
PID 3300 wrote to memory of 600	3300	cmd.exe	94
PID 3300 wrote to memory of 600	3300	cmd.exe	94
PID 4080 wrote to memory of 4692	4080	ExLoader_Installer.exe	95
PID 4080 wrote to memory of 4692	4080	ExLoader_Installer.exe	95
PID 4692 wrote to memory of 5056	4692	cmd.exe	97
PID 4692 wrote to memory of 5056	4692	cmd.exe	97
PID 4080 wrote to memory of 440	4080	ExLoader_Installer.exe	98
PID 4080 wrote to memory of 440	4080	ExLoader_Installer.exe	98
PID 440 wrote to memory of 4488	440	cmd.exe	100
PID 440 wrote to memory of 4488	440	cmd.exe	100
PID 4080 wrote to memory of 3460	4080	ExLoader_Installer.exe	101
PID 4080 wrote to memory of 3460	4080	ExLoader_Installer.exe	101
PID 4080 wrote to memory of 1264	4080	ExLoader_Installer.exe	104
PID 4080 wrote to memory of 1264	4080	ExLoader_Installer.exe	104
PID 1264 wrote to memory of 2004	1264	powershell.exe	106
PID 1264 wrote to memory of 2004	1264	powershell.exe	106
PID 4080 wrote to memory of 2096	4080	ExLoader_Installer.exe	107
PID 4080 wrote to memory of 2096	4080	ExLoader_Installer.exe	107
PID 2096 wrote to memory of 364	2096	cmd.exe	109
PID 2096 wrote to memory of 364	2096	cmd.exe	109
PID 4080 wrote to memory of 1064	4080	ExLoader_Installer.exe	110
PID 4080 wrote to memory of 1064	4080	ExLoader_Installer.exe	110
PID 4080 wrote to memory of 1636	4080	ExLoader_Installer.exe	114
PID 4080 wrote to memory of 1636	4080	ExLoader_Installer.exe	114
PID 4080 wrote to memory of 4900	4080	ExLoader_Installer.exe	115
PID 4080 wrote to memory of 4900	4080	ExLoader_Installer.exe	115
PID 4900 wrote to memory of 2868	4900	cmd.exe	116
PID 4900 wrote to memory of 2868	4900	cmd.exe	116
PID 4080 wrote to memory of 4208	4080	ExLoader_Installer.exe	118
PID 4080 wrote to memory of 4208	4080	ExLoader_Installer.exe	118
PID 4208 wrote to memory of 536	4208	cmd.exe	120
PID 4208 wrote to memory of 536	4208	cmd.exe	120
PID 1636 wrote to memory of 780	1636	ExLoader.exe	121
PID 1636 wrote to memory of 780	1636	ExLoader.exe	121
PID 780 wrote to memory of 4768	780	cmd.exe	125
PID 780 wrote to memory of 4768	780	cmd.exe	125
PID 1636 wrote to memory of 4020	1636	ExLoader.exe	126
PID 1636 wrote to memory of 4020	1636	ExLoader.exe	126
PID 4020 wrote to memory of 2772	4020	cmd.exe	127
PID 4020 wrote to memory of 2772	4020	cmd.exe	127
PID 4080 wrote to memory of 3188	4080	ExLoader_Installer.exe	129
PID 4080 wrote to memory of 3188	4080	ExLoader_Installer.exe	129
PID 4080 wrote to memory of 3188	4080	ExLoader_Installer.exe	129
PID 4212 wrote to memory of 364	4212	ExLoader.exe	130
PID 4212 wrote to memory of 364	4212	ExLoader.exe	130
PID 364 wrote to memory of 2224	364	cmd.exe	132
PID 364 wrote to memory of 2224	364	cmd.exe	132
PID 3188 wrote to memory of 4300	3188	OperaSetup.exe	133
PID 3188 wrote to memory of 4300	3188	OperaSetup.exe	133
PID 3188 wrote to memory of 4300	3188	OperaSetup.exe	133
PID 3188 wrote to memory of 4152	3188	OperaSetup.exe	134
PID 3188 wrote to memory of 4152	3188	OperaSetup.exe	134
PID 3188 wrote to memory of 4152	3188	OperaSetup.exe	134
PID 1636 wrote to memory of 5008	1636	ExLoader.exe	135
PID 1636 wrote to memory of 5008	1636	ExLoader.exe	135
PID 5008 wrote to memory of 1732	5008	msedge.exe	136
PID 5008 wrote to memory of 1732	5008	msedge.exe	136
PID 3188 wrote to memory of 2280	3188	OperaSetup.exe	137
PID 3188 wrote to memory of 2280	3188	OperaSetup.exe	137
PID 3188 wrote to memory of 2280	3188	OperaSetup.exe	137

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query HKEY_CURRENT_USER\Software\Yandex\YandexBrowser /v last_startup_time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_CURRENT_USER\Software\Yandex\YandexBrowser /v last_startup_time
      4⤵
      PID:600
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\Software\Opera Software" /v "Last Stable Install Path"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_CURRENT_USER\Software\Opera Software" /v "Last Stable Install Path"
      4⤵
      PID:5056
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Opera Software" /v "Last Stable Install Path"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Opera Software" /v "Last Stable Install Path"
      4⤵
      PID:4488
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Opera Software" /v "Last Stable Install Path"
    3⤵
    PID:3460
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Opera Software" /v "Last Stable Install Path"
      4⤵
      PID:1320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\Windows\System32\tasklist.exe /FI "\"IMAGENAME" eq "exloader.exe\"" /FO CSV
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\System32\tasklist.exe
      "C:\Windows\System32\tasklist.exe" /FI "IMAGENAME eq exloader.exe" /FO CSV
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
      4⤵
      PID:364
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -command "$WshShell = New-Object -comObject WScript.Shell $Shortcut = $WshShell.CreateShortcut(\"C:\Users\Admin\Desktop\ExLoader.lnk\") $Shortcut.TargetPath = \"C:\Program Files\ExLoader\ExLoader.exe\" $Shortcut.Save()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Program Files\ExLoader\ExLoader.exe
    "C:\Program Files\ExLoader\ExLoader.exe" -deletePreviousExLoader
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
        5⤵
        
        PID:4768
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        5⤵
        
        PID:2772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/o/oauth2/v2/auth?client_id=271686438760-tmrstjenhl84ugpc1gmq1q3rarashrre.apps.googleusercontent.com&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A49939&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&code_challenge=mERulRL7KtAeWn5AHTdw8YeMo3Met32VRtbwrK4x2ys&code_challenge_method=S256&state=yHr73sGjVsfDwW4TWKdO6bXl1_gGQ15J
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff547946f8,0x7fff54794708,0x7fff54794718
        5⤵
        
        PID:1732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        5⤵
        
        PID:4916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        
        PID:1860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 /prefetch:8
        5⤵
        
        PID:632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5884 /prefetch:8
        5⤵
        
        PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        5⤵
        
        PID:3440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
        5⤵
        
        PID:3192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
        5⤵
        
        PID:3448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        
        PID:2424
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff75b9b5460,0x7ff75b9b5470,0x7ff75b9b5480
        6⤵
        
        PID:3056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
        5⤵
        
        PID:6924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11006017902966200093,10119228205148210635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
        5⤵
        
        PID:5348
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate
      4⤵
      PID:2868
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
    C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
      C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x752ee428,0x752ee438,0x752ee444
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3188 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230204041024" --session-guid=f5b9c146-6216-4d7b-8892-af239ee59be9 --server-tracking-blob="NTI2MmNiYTk4ZGMxOGQ0MWJkMmUxODYzZmJlZTJlZDhhMDRlMjNiNWE3MDI0YzdlYWQ1NzFhYWJkMjcxMDg0Njp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU9MRF9fMTgyMjZhIiwidGltZXN0YW1wIjoiMTY3NTQ4MDIxNi43Mjc4IiwidXNlcmFnZW50IjoiRGFydC8yLjE3IChkYXJ0OmlvKSIsInV0bSI6eyJjYW1wYWlnbiI6Ik9MRF9fMTgyMjZhIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiT0ZUIn0sInV1aWQiOiI0Mjc4N2I5Ny00Yjg4LTRhZGItOWYxNC0wOGJkMzNjMTA2NTYifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6805000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2c0,0x2fc,0x732fe428,0x732fe438,0x732fe444
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3700
    - - C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe" --backend --initial-pid=3188 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241" --session-guid=f5b9c146-6216-4d7b-8892-af239ee59be9 --server-tracking-blob="NTI2MmNiYTk4ZGMxOGQ0MWJkMmUxODYzZmJlZTJlZDhhMDRlMjNiNWE3MDI0YzdlYWQ1NzFhYWJkMjcxMDg0Njp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGU/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1PRlQmdXRtX2NhbXBhaWduPU9MRF9fMTgyMjZhIiwidGltZXN0YW1wIjoiMTY3NTQ4MDIxNi43Mjc4IiwidXNlcmFnZW50IjoiRGFydC8yLjE3IChkYXJ0OmlvKSIsInV0bSI6eyJjYW1wYWlnbiI6Ik9MRF9fMTgyMjZhIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiT0ZUIn0sInV1aWQiOiI0Mjc4N2I5Ny00Yjg4LTRhZGItOWYxNC0wOGJkMzNjMTA2NTYifQ== " --silent --desktopshortcut=1 --install-subfolder=95.0.4635.25
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Enumerates connected drives
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7fff4f43a908,0x7fff4f43a918,0x7fff4f43a928
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
        6⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7fff3f681a18,0x7fff3f681a28,0x7fff3f681a38
        8⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2008,i,4423733788741368586,13188800480493399690,131072 /prefetch:2
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=1920 --field-trial-handle=2008,i,4423733788741368586,13188800480493399690,131072 /prefetch:8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5360
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\_sfx.exe"
      4⤵
      Executes dropped EXE
      PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302040410241\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x512dc0,0x512dd0,0x512ddc
        5⤵
        Executes dropped EXE
        
        PID:4568

C:\Program Files\ExLoader\ExLoader.exe
"C:\Program Files\ExLoader\ExLoader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:588

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5496
- C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe
  C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x7fff3f681a18,0x7fff3f681a28,0x7fff3f681a38
  2⤵
  - Executes dropped EXE
  PID:5520
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5672
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=1920 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5688
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2268 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5748
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3128 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5900
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3140 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5932
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3152 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5960
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3164 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6016
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3180 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6064
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3168 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6104
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=3324 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5368
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3340 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5440
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=4532 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6220
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=4576 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6240
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4584 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6288
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=4504 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6200
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5124 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6364
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=5452 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6484
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=5472 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6984
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=6204 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:7032
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4764 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:7072
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6720 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:7164
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6500 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:7056
- C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe" --user-data-dir="C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" --pipeid=oauc_pipe2906202b27b41e4bd66c9238c4b575c1
  2⤵
  - Executes dropped EXE
  PID:7020
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6744 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5268
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6844 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6596 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5364
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6872 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6836 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6748
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6824 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6592 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6908
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6884 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5460
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6516 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5140
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6812 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5228
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6552 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6892 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6896 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6984 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6968 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=6948 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4220
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6928 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6932 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7028 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7088 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5936
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7076 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:6096
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7136 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:6068
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3360 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5988
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7084 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3820 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8360 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:3604
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8452 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9744 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9204 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5904
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8448 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:6964
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=4192 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6984 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=4324 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5976
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9164 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5620
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9144 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5992
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8800 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5152
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7968 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5340
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7960 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5284
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=5612 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5148
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7468 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5420
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7512 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9884 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8232 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=8300 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7524 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7348 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=10140 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5920
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3900 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:5404
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=9448 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:216
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=7360 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:3340
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --mojo-platform-channel-handle=10340 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5440
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --mojo-platform-channel-handle=10492 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:6928
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:campaign-ignore-dna-ref=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2368 --field-trial-handle=2020,i,4498400180011160741,7565449099521779204,131072 /prefetch:8
  2⤵
  PID:6392

C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe --scheduledautoupdate --autoupdaterequesttype=automatic --autoupdateoperaversion=95.0.4635.25 --newautoupdaterlogic
1⤵
- Executes dropped EXE
PID:7000
- C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe" --version
  2⤵
  PID:6896
- C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe" --pipeid=oauc_task_pipedcbb8f53eff625f232ff45d764476217 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015" --scheduledtask
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe
    C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\Crash Reports" --crash-count-file=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\crash_count.txt --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff601c0cbd8,0x7ff601c0cbe8,0x7ff601c0cbf8
    3⤵
    PID:6216
- - C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe" --version
    3⤵
    PID:3288

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.25\opera_autoupdate.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.25 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff601c0cbd8,0x7ff601c0cbe8,0x7ff601c0cbf8
1⤵
- Executes dropped EXE
PID:7064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ExLoader\ExLoader.exe

Filesize
198KB

MD5
a7cc2f5e469b7485fb3c9f66d84d5ea9

SHA1
b99f5ad433df78101744c3f7010f34e5c29a74f2

SHA256
95de3ca65ab84357f6589fec8f9d8fd0cfdeef56655b46667e774a58a9cf52f1

SHA512
118659eb5a767d8bb03a5ed4ca1ab3eeea34765395df3d38415fb4727204a9bccb8438d5865b29b3e456fdec5f6b0af570bd46dd2c2c1d4185870b281eef8239

Download Submit
C:\Program Files\ExLoader\ExLoader.exe

Filesize
198KB

MD5
a7cc2f5e469b7485fb3c9f66d84d5ea9

SHA1
b99f5ad433df78101744c3f7010f34e5c29a74f2

SHA256
95de3ca65ab84357f6589fec8f9d8fd0cfdeef56655b46667e774a58a9cf52f1

SHA512
118659eb5a767d8bb03a5ed4ca1ab3eeea34765395df3d38415fb4727204a9bccb8438d5865b29b3e456fdec5f6b0af570bd46dd2c2c1d4185870b281eef8239

Download Submit
C:\Program Files\ExLoader\ExLoader.exe

Filesize
198KB

MD5
a7cc2f5e469b7485fb3c9f66d84d5ea9

SHA1
b99f5ad433df78101744c3f7010f34e5c29a74f2

SHA256
95de3ca65ab84357f6589fec8f9d8fd0cfdeef56655b46667e774a58a9cf52f1

SHA512
118659eb5a767d8bb03a5ed4ca1ab3eeea34765395df3d38415fb4727204a9bccb8438d5865b29b3e456fdec5f6b0af570bd46dd2c2c1d4185870b281eef8239

Download Submit
C:\Program Files\ExLoader\MSVCP140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Program Files\ExLoader\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Program Files\ExLoader\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Program Files\ExLoader\data\app.so

Filesize
13.1MB

MD5
8f2fdcc542eacbe0c1dc85c210e2ee5b

SHA1
2995a4fdc21c8da0be01e1e8c49749833c64413d

SHA256
f3b1bcb7199f104d93fc2b504ac822983efbed2e56cc28a8f21c0f2ff44adef2

SHA512
044a80ef048f4c1cfb15874dadfedf0f8b960b8df84cf124dd1b33fc386237b24ea8a8a6ae84a1b01f3f0967155be87dd53ff17ac875bb1c4eab5bb60230f2e2

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\AssetManifest.json

Filesize
14KB

MD5
878b4a95422bd889072fa5f8b9e8e851

SHA1
cf473c8b4a0a6db94ccebc58040c7f7e4037a0e7

SHA256
b27fe5edfc156c7dfb87a72b966483c57d27508907366a9c44b8a3639a928426

SHA512
587e9f7dbc379201483fccfe2c145ca962c9f8e4014919f8a8b905aa0eae27e619975f9749b47bebb0c6c4c399269a53f5c037c397e2d2b087a34cb6e158e67b

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\FontManifest.json

Filesize
541B

MD5
207cb008b22eb824caab114233ec6e2a

SHA1
d957e89dd778129368ed48b4bcaa0453b36b1688

SHA256
94154480f043fda7c0987bf247e8ece44458cb3e9e17d2c6bade2ece30f219cc

SHA512
c633356b9a202e5d4aa9e50960d3a9bff7095995823af2d9d6528d765d67090592fda4496b0674c85b6f04a8df4abc4b81266da00a5c48e010995867d49675eb

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\fonts\MaterialIcons-Regular.otf

Filesize
1.5MB

MD5
95db9098c58fd6db106f1116bae85a0b

SHA1
99c98dac2ef47bf393f3dcbfa79120c6456c2ebb

SHA256
06e81144996425d00162ba62f990dcbd98ec87e10f43851fd924fae5bf37be57

SHA512
b1d64cde416e23f5ab90d91dafd1c8009d399df715c8e37abfbe882036b93afa1f5f87d99620c24c38c6665010ad5f2ab753443c41dff7117f3def06fd3b4832

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\backgrounds\Knighthood.png

Filesize
455KB

MD5
5e1d9c18fb792154434581eddf1aecd8

SHA1
44d8e90e0864b50652f59998bd261820cbd838a2

SHA256
4fd8f95e6a0624a5bba150950a2a31c436a3302936eb78b2f9bf5219ca915517

SHA512
a1c8731a3de1cfde1eae19451a0689fb5da12504ded7388973c827a7ab703ae815f2d1a2f94eba0ae4dde0d465733f7527a6b9536d762ea2b02252230a852cc0

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\MONTSERRAT-BOLD.TTF

Filesize
255KB

MD5
88932dadc42e1bba93b21a76de60ef7a

SHA1
3320ff5514b32565b0396de4f2064ce17ec9eea4

SHA256
c4c8cb572a5a2c43d78b3701f4b2349684e6ca4d1557e469af6065b1e099c26c

SHA512
298e1e171dbbe386e1abe153446b883c40910819099f64f54dc9faa95d739be56839537342bbe8dd8408545cb1f8c98878a3524d91af1f11a112d1bfc202657a

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\MONTSERRAT-MEDIUM.TTF

Filesize
254KB

MD5
a98626e1aef6ceba5dfc1ee7112e235a

SHA1
ca42fe10fa893f390472859405c7564095e4260f

SHA256
92b3d3c6e135eb1dc95f88e6ca75bd6113d9eb3261a95ca39f733e3897e53675

SHA512
81761cd87aece3cea03b4520d8c7518f8d549d8e91cce2a4a4752729e7a28ad4b502472731a06f7051f357bfa1042640a5e7592887b1c3914de0dfe230ef882c

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\fonts\MONTSERRAT-SEMIBOLD.TTF

Filesize
254KB

MD5
c88cecbffad6d8e731fd95de49561ebd

SHA1
4ef29a9163b56df34a3486b98b24be3a3d0cdca6

SHA256
bab583d38d105dac9141b287fb2b7763b6d8b0bae97e745faaccedb40a579c29

SHA512
d514f33af50e74906617f8a9bb91e91f11a3ad3387f262c78804252df284e860d9d61d0bb4a61b60f122a00749824957bf53e8c308d7a53b722e7b88777c791d

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\alphabetical-order.svg

Filesize
1KB

MD5
9cc12b49b54979a31d5222114ff7c880

SHA1
aa4894e9a3f756921697f45d8e819ee5c1510f1c

SHA256
81eeb21e6fa6d5245f8bb90a080603738e167d381f67aeef0f2a672d3cce5786

SHA512
1e26694d57bcc2e4a902fe451f2408527bd90fd4068cb129486ceffb5bea9de6a0b48a844fbc1b40e057f62b173438ea03f88d01439015ce2dc0b415b387de31

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\back-arrow.svg

Filesize
495B

MD5
860f8d49c488b32bb5739c471118c252

SHA1
b67ce2dd5cf0fd6ce24d6b187150d4a505981aec

SHA256
7ad62864a719bf6a2121fd4b7825c608d88d3ecc3616291b141ff21e3e4b2d0d

SHA512
3ee573e5c5eecdf40b054d07017e7673dd31ef83a8ceb26212989cc197116d9952863d407af13e210027b77ea090c8afbcb6412aacac20e996a0889f66e0845c

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bell_filled.svg

Filesize
988B

MD5
7b9aa21505f509102849e9741b12a5f4

SHA1
b7c7ede42d3959fe6484c89206bf761627f508a8

SHA256
7b9ba510b5903dbb9b72454a3ea08b2eed41aa0aa497779be14aea1121159a1e

SHA512
18b6aa814e9fba04d6dc5c9ecb322281ac5521392da44c7389531adeec353362a78b1dbf440f42774747510846ddaeb46c5b3b43204cceca66c46841b3d3e858

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\bell_outlined.svg

Filesize
1KB

MD5
e5b1dd7ec4af2485d699892838373674

SHA1
b732f6ddf5e1c0676bd4de3ab45b3f8869b457c4

SHA256
1c1eeae8816502f2f04563af081002ead84e934c1cc24d483a0565f165a9d222

SHA512
18830793a56759ba094fd1fe87315a748d96d650db52323143ab9dabdde3454b76b37436547a5085b8f02c58d143eccb797529485c91b8d65192fd48327bbbb7

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\calendar.svg

Filesize
1KB

MD5
04c67a78e57fe41814a4e5377ee59aa5

SHA1
b6fdf3673d8b4265f5be0ccb96c2d47cca3bf2b9

SHA256
08a09fc49daf5938395087eb5dde519043aee6f2474ddf30d1af42a6428bc580

SHA512
5c16751df901ffd98c61ca30fb67538dbb6b72946f901eaa0bca0896ab56b83bcda7f0e115b38f0ac1b0c85aa63948ac40116d643c756473d82fa4abb45f83d4

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\checked.svg

Filesize
361B

MD5
b27ac70f81b9b2fd4354a36302762184

SHA1
599acb44c0e534c373df84878b32685254127b7c

SHA256
7498275739335d72f1553ac6da40ba121f36d5374383895e7e9ea77a946d6116

SHA512
5e7348bf09baee5d685875ede0a881f08468c55d83188c299e0f0b27e5ff31099c289abb1fe70501bab19af4b21b6793adf97ab082e94ecacfc601057a6277ec

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\christmas-tree.svg

Filesize
2KB

MD5
a6a49eb50acda68193097b384021d5bd

SHA1
261e1d9b2450b27678c63d5bedf4513bd6582d70

SHA256
25a2d2ae45fe4b903e5a9880ab16fd1d977d58cad899a2ad06264ce809c860d3

SHA512
a726a16281c19b940c798ce675c73a77ca1bcbdc3813d9aa7f289ccea37e52ac9baced968ed3f85dbaf0cd75860c6af0bd235733140db29bb7b8a2236711f960

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\close.svg

Filesize
299B

MD5
48136cdde28ef3bd42836d10a06b43fb

SHA1
623781c566c4cf19d0139b8036ce3bb5b076aa85

SHA256
4209cfea7eadb13b87a41dd79083b20aff8830ac3701d85eba9d939dc5b57af3

SHA512
ba16dafcab39d4fa8c0295e0f4707284a0f8c90333ee5b6135fd2ddd76f9a9920c40e5cbb730a1cb5a809228d6dbf6f5ad797d9d1e2c783dcea066bbb2a23c55

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\crab.svg

Filesize
3KB

MD5
fcca5b3c13e7069f276eb21f3dfb75de

SHA1
73d7022d1def2a856b26765d036426178f29559a

SHA256
f2268c760778dd5dfd57f7678fe60708e8e0f271fc7859c66e15d4be10c4a019

SHA512
583a5e4b88cb304f4025b4381de07856bafea8e11308ae8d3c01f81391ddcff85a63097277d315cbbf6809efca2dd16d24a82975de61b28d5e3d7a7d5f6caead

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\discord.svg

Filesize
2KB

MD5
89e3d8fb40d8aefccf9db8b2191fe839

SHA1
b18c68d1e1236d0e4516f73e9893e9d62dcd80b8

SHA256
3549a710377aca99691cec4cd9bd01597ba769d2cf4a8ee8666c9d95490f9811

SHA512
30235fe1c649f8a8347ff9e0d3af296efb3813bed5466afa521b15925508f7db7aa6888c81617345e89eb42a1fed2db6be6ef7194fbf4b4ff6d4c6da7baf19e5

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\dot-outline.svg

Filesize
752B

MD5
62b10d52595f974207c3cf61fea334bf

SHA1
c3f6a48cff2e3bf92ba0a7a22917bdd9f277523b

SHA256
77902ca35bed519645858f14270a367ae0afb0cb1cc353e648ff0dd90857fc3a

SHA512
d805c7d086c21450b2566f8da178cd4b7cdc0dcff86fd82309144c8e47e9b027713e4ac358a273c70a23b13ea8ef3fdf1d423f0ddbf793f47ec96829ed832b18

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\dot.svg

Filesize
498B

MD5
5b896d04e5daea39b5401b8bb0762a93

SHA1
cd2f1a700f10c0d54a5bb7baad677a16dcfcbbfa

SHA256
4be192cb209633a48c7eae62065f7c8eabdab7e6eb435b1413028fb93e4b5fd0

SHA512
682a4a442e56d86153c471e0ae9b74a0aa0c96a3f62e5b69d48e43e1728b57e042dbfe2ca8259ce8dfc69ef28ffd301a2bb92120f3504bce998a65e50c65a5a8

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\google.svg

Filesize
1KB

MD5
dbf11538f040a4a6880550bd7cd0e6d9

SHA1
347934640920836a4b4a06323baba6d43163131c

SHA256
b82f35aa61245dc8750ed337c04ee4c31277257124eba2d12e93feb346bb7e49

SHA512
7ff3a3662f5005855890ce4bd3f977826a7b4d3a465f9419e4208669a404a932696a557cf6f0e754c4ead9bac0221e44c4a9f5e5757a5878f85cba2166aa9796

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\maximize.svg

Filesize
330B

MD5
776c137f6b6fc0161cccef9229adf74f

SHA1
b15b53f6c286d9325995cede4b022689b44c0d8e

SHA256
641f30c10af5e892fff394eb39c2d4905ab7851e3146262ca9d6fa8f09163ea5

SHA512
b4188e1fd182db4689b6b1aa32d9aa51b882396d49b662df41e1d3d8507c2087fa10136c29c5ec6671e88628fdfba42ebc90c2913f591dd66c7509e24e5d833b

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\minimize.svg

Filesize
230B

MD5
5da2dfbd12c9aacdb03ce0d6dc414a8d

SHA1
9eccc4092745b13f051d90273af78a6f64a21348

SHA256
60a44cb1aecc5a3b6ed5b4224ce83ca001ec42fe22e33b0eccb183b74bb9b4a4

SHA512
e7d906f34258bed095aa1358c2dbf575f22ffb8d77e57391e23477801939b0907c927373fe4cc99ebdd30ba5be0adaadad76fbdbc6060788d7869c9047b2049f

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\more.svg

Filesize
661B

MD5
8258c0eabe05fed717b2b9833d50ed46

SHA1
b0606669a4ea1522355c61059bde7bd3e019ce6a

SHA256
9b316dea36d431beb6caf4cc02230c2df7896e259bf46af4ca3f165a9a2697b1

SHA512
a69a1308591700f68f35a509dd9796ece0f77c28c73dbdef2c06960287d85b54e9431aeb13faa0820122aa14670bce7409fd3ecccea765701223be22ad26cd4f

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\icons\vk.svg

Filesize
863B

MD5
5af2290cd10dd99228a08bb7a1f2e57e

SHA1
53d2e5c87fbb0c610040ad89bda7829b9690beee

SHA256
4789df43f5d80437af945bbb1629578a70831282b00bddfcde318661dcfc280a

SHA512
9112ee05c06862c21aed54c08b8689529d1ee16fa5a0985e89a6b3299f0fe3d7811765abdf9be6e912cde20da07a40d1903e9c15e526c1a234838575deb1760c

Download Submit
C:\Program Files\ExLoader\data\flutter_assets\resources\images\grain.png

Filesize
62KB

MD5
5e402aecd1bf06c9506d4a207dd6b031

SHA1
4ff62590bd729457f6a2998951122586777b8a95

SHA256
3c5f200f480f7f23aba0f558948fbc79fc4642af51ea518243cd31151bea5304

SHA512
f1c40a6dfcfdbbad2ed04029a197e5fb5d5bccdd13edd2a59062619048756f6db1715fdba80bf8bc75c328619c4b2aec5c34fef17d2b9cd08a18b85c93c2f7e8

Download Submit
C:\Program Files\ExLoader\data\icudtl.dat

Filesize
796KB

MD5
dc1d7fbeacfb517e801dcb886074ed42

SHA1
ab969ca7aace910f9c906d5ed7473a79caccafc5

SHA256
b00f83f6938d2ec735ac8f970c779f8ff28063b91a73d022b7a954bb85231c38

SHA512
085815b511544f531effffc46b0ed5cde5834d4c85497487fa5cbd8e7b3dbfef597b63c47c92b5512a1f80e7924ea41ba797c3b90d2818d34630a7f5f0bc3161

Download Submit
C:\Program Files\ExLoader\flutter_windows.dll

Filesize
15.1MB

MD5
ad39134489085f1983c0cbf801df7a5a

SHA1
d35d2408ee6449aaf3b8ce338dbba5e31107dda8

SHA256
76ba47ebf660de9c9271e3a9881c14c592559377a765d5e43ef19924c83c5524

SHA512
09bc769f77f2c7a193505a741c16f2ac991830ecea67ea8f20efd008d44ab8b1c1fa029a6d5154dffa2f338d9fd0a7a7e68d69ef4f0ac38576c046fe75c91fe7

Download Submit
C:\Program Files\ExLoader\flutter_windows.dll

Filesize
15.1MB

MD5
ad39134489085f1983c0cbf801df7a5a

SHA1
d35d2408ee6449aaf3b8ce338dbba5e31107dda8

SHA256
76ba47ebf660de9c9271e3a9881c14c592559377a765d5e43ef19924c83c5524

SHA512
09bc769f77f2c7a193505a741c16f2ac991830ecea67ea8f20efd008d44ab8b1c1fa029a6d5154dffa2f338d9fd0a7a7e68d69ef4f0ac38576c046fe75c91fe7

Download Submit
C:\Program Files\ExLoader\flutter_windows.dll

Filesize
15.1MB

MD5
ad39134489085f1983c0cbf801df7a5a

SHA1
d35d2408ee6449aaf3b8ce338dbba5e31107dda8

SHA256
76ba47ebf660de9c9271e3a9881c14c592559377a765d5e43ef19924c83c5524

SHA512
09bc769f77f2c7a193505a741c16f2ac991830ecea67ea8f20efd008d44ab8b1c1fa029a6d5154dffa2f338d9fd0a7a7e68d69ef4f0ac38576c046fe75c91fe7

Download Submit
C:\Program Files\ExLoader\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Program Files\ExLoader\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Program Files\ExLoader\vcruntime140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
101KB

MD5
18e0c730e6a4e9fcd99f9df88e9f6aa0

SHA1
ce0640fc1daf462c5fb37e8cc779f6d888fb2c67

SHA256
6cbfab14f15e68dedd6b20eeb59670d558f1790b7dbc910522650cadb8fef1cc

SHA512
0778249e720ec5e7eb87ef9793d22100058baf799184e51ae15ab9c2e4a1242c143552ed298a03e1dc0a037c82263f02b300c9302e91c80178a15dc4789ff901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
101KB

MD5
18e0c730e6a4e9fcd99f9df88e9f6aa0

SHA1
ce0640fc1daf462c5fb37e8cc779f6d888fb2c67

SHA256
6cbfab14f15e68dedd6b20eeb59670d558f1790b7dbc910522650cadb8fef1cc

SHA512
0778249e720ec5e7eb87ef9793d22100058baf799184e51ae15ab9c2e4a1242c143552ed298a03e1dc0a037c82263f02b300c9302e91c80178a15dc4789ff901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
6.0MB

MD5
d0c1a76d40eb5c0b4409f209e784ef4f

SHA1
2fecb50fe5ba44dc64e24de264c6038493ebfc61

SHA256
1f9dadb0b6f1f40a1c4eec3582d8e5f53a74b730126a63a48bc22369dc16baf1

SHA512
619362f82aa0bc02498bf26845e9ce81f134a1c88d835238f575aab4daf7f9fcd7ccd9d438105bf7094c86154ca5524e781ee9987f14992e2b0c8446da2a8bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.json

Filesize
1KB

MD5
7b134a5e3b9d796fe5cdff206710f874

SHA1
34805c55ae0ba64780b4a01132f9e4b923b94abc

SHA256
45bd1b5f1ad3d48c1d51ffbdb9dfec572562128fa37087fbadf9589ee05e2d48

SHA512
5712dae80d6d7413d7497bb071c102da1e599de0b3893f23f6fc7c864452d4a56dd24f44860a16cf537412fce714d46483dc2586dead601c4b9c9941e9c7644c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
394B

MD5
d5db5124c8470ef3d02e3fcb7536a234

SHA1
1b26ca91230fc342c6afb08dc0601eb8533e77b8

SHA256
ce82969b8c44f1f7750c9646d4ffdd1c99d6abb99565deb102dfb37c2c541de6

SHA512
8ff3d4786ebc2fe85f9035d85da58ea8953de129fa448b32b4c19eae8d3eb9bcce30399801e6762f6484a0b6d4d5c023d06c5b1ec4e13eddfe131ce9b9561641

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\fonts\MaterialIcons-Regular.otf

Filesize
1.5MB

MD5
95db9098c58fd6db106f1116bae85a0b

SHA1
99c98dac2ef47bf393f3dcbfa79120c6456c2ebb

SHA256
06e81144996425d00162ba62f990dcbd98ec87e10f43851fd924fae5bf37be57

SHA512
b1d64cde416e23f5ab90d91dafd1c8009d399df715c8e37abfbe882036b93afa1f5f87d99620c24c38c6665010ad5f2ab753443c41dff7117f3def06fd3b4832

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\background.png

Filesize
210KB

MD5
903e870339ea32df505f1c603830fa72

SHA1
460052cf71efb8ad1cdb354475a888146938f192

SHA256
cecedf106e85487dae2d990ce0cfe7e9f4e37f1aa0221b920d41f1afd24a5fef

SHA512
730164e0af61822537fe62553525fec3b7943631613c13c99192d5e23328cb0500f9dcb3b47b2b1d1cbec9fe7c039681ad31df00fee0896c6a5ae9a0e6ff7a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\MONTSERRAT-BOLD.TTF

Filesize
255KB

MD5
88932dadc42e1bba93b21a76de60ef7a

SHA1
3320ff5514b32565b0396de4f2064ce17ec9eea4

SHA256
c4c8cb572a5a2c43d78b3701f4b2349684e6ca4d1557e469af6065b1e099c26c

SHA512
298e1e171dbbe386e1abe153446b883c40910819099f64f54dc9faa95d739be56839537342bbe8dd8408545cb1f8c98878a3524d91af1f11a112d1bfc202657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\MONTSERRAT-MEDIUM.TTF

Filesize
254KB

MD5
a98626e1aef6ceba5dfc1ee7112e235a

SHA1
ca42fe10fa893f390472859405c7564095e4260f

SHA256
92b3d3c6e135eb1dc95f88e6ca75bd6113d9eb3261a95ca39f733e3897e53675

SHA512
81761cd87aece3cea03b4520d8c7518f8d549d8e91cce2a4a4752729e7a28ad4b502472731a06f7051f357bfa1042640a5e7592887b1c3914de0dfe230ef882c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\MONTSERRAT-SEMIBOLD.TTF

Filesize
254KB

MD5
c88cecbffad6d8e731fd95de49561ebd

SHA1
4ef29a9163b56df34a3486b98b24be3a3d0cdca6

SHA256
bab583d38d105dac9141b287fb2b7763b6d8b0bae97e745faaccedb40a579c29

SHA512
d514f33af50e74906617f8a9bb91e91f11a3ad3387f262c78804252df284e860d9d61d0bb4a61b60f122a00749824957bf53e8c308d7a53b722e7b88777c791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
299B

MD5
48136cdde28ef3bd42836d10a06b43fb

SHA1
623781c566c4cf19d0139b8036ce3bb5b076aa85

SHA256
4209cfea7eadb13b87a41dd79083b20aff8830ac3701d85eba9d939dc5b57af3

SHA512
ba16dafcab39d4fa8c0295e0f4707284a0f8c90333ee5b6135fd2ddd76f9a9920c40e5cbb730a1cb5a809228d6dbf6f5ad797d9d1e2c783dcea066bbb2a23c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\maximize.svg

Filesize
330B

MD5
776c137f6b6fc0161cccef9229adf74f

SHA1
b15b53f6c286d9325995cede4b022689b44c0d8e

SHA256
641f30c10af5e892fff394eb39c2d4905ab7851e3146262ca9d6fa8f09163ea5

SHA512
b4188e1fd182db4689b6b1aa32d9aa51b882396d49b662df41e1d3d8507c2087fa10136c29c5ec6671e88628fdfba42ebc90c2913f591dd66c7509e24e5d833b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\minimize.svg

Filesize
230B

MD5
5da2dfbd12c9aacdb03ce0d6dc414a8d

SHA1
9eccc4092745b13f051d90273af78a6f64a21348

SHA256
60a44cb1aecc5a3b6ed5b4224ce83ca001ec42fe22e33b0eccb183b74bb9b4a4

SHA512
e7d906f34258bed095aa1358c2dbf575f22ffb8d77e57391e23477801939b0907c927373fe4cc99ebdd30ba5be0adaadad76fbdbc6060788d7869c9047b2049f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\opera_browser.png

Filesize
61KB

MD5
ee77265024d099499b48ab29fc620991

SHA1
4fdd41d8037830e9a7849decf73876443812fc83

SHA256
6254fc83f3b710db8739ad4e70417e5f77adca61c0908e88f272689619578aa0

SHA512
cb532a61118e83d350bc9e36f4dfafc5b31d3809154a78b50b2027b01cd1fed07fd4ec0efe9346826e5a827cee150f6cd2ca2285a46a55e8539febf3a1d6b293

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
796KB

MD5
5c4a85e40b17f2af5b6b124d47af363f

SHA1
e73709e4163ec3bcfe334b68e8ffae5163e7d38a

SHA256
c8d00eb25b1d2ba7bbd2af3c70eaea94aa2f6ee1f41a25037be20281ac274ab4

SHA512
7b98b1935b69decf49ece034a166e63ef3da746916850eb280e2d024ba7bed5ce278f3348e15307a85ab3e5ac789af42ba3bc47979d5d885fca7b41d5ae643f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
14.1MB

MD5
42db19d1d49db38d11c132efdb67e525

SHA1
5c62dd463876da859a6c322e8067dc134e247d13

SHA256
a9e9b6d1ec48381faa5d37e4ab9f022768612345014b5bde4ebd07118ac8b5ce

SHA512
672bb432fb98ed810eed411c058d9e4b976ec289ab0ff7983ef42c4c59c629ef1fdfcae6ea2331f814c9802dce1d05aae35f5b0534798ac1f69dd4ca4b73b04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
14.1MB

MD5
42db19d1d49db38d11c132efdb67e525

SHA1
5c62dd463876da859a6c322e8067dc134e247d13

SHA256
a9e9b6d1ec48381faa5d37e4ab9f022768612345014b5bde4ebd07118ac8b5ce

SHA512
672bb432fb98ed810eed411c058d9e4b976ec289ab0ff7983ef42c4c59c629ef1fdfcae6ea2331f814c9802dce1d05aae35f5b0534798ac1f69dd4ca4b73b04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
memory/1064-177-0x000001AC6EED0000-0x000001AC6F991000-memory.dmp

Filesize
10.8MB

Download
memory/1064-174-0x000001AC6EED0000-0x000001AC6F991000-memory.dmp

Filesize
10.8MB

Download
memory/1264-170-0x00000203300E0000-0x0000020330BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-181-0x00000203300E0000-0x0000020330BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1264-167-0x0000020348EE0000-0x0000020348F02000-memory.dmp

Filesize
136KB

Download
memory/1636-195-0x000002199C570000-0x000002199D285000-memory.dmp

Filesize
13.1MB

Download
memory/1636-196-0x000002199C570000-0x000002199D285000-memory.dmp

Filesize
13.1MB

Download
memory/1636-198-0x000002199C570000-0x000002199D285000-memory.dmp

Filesize
13.1MB

Download
memory/2280-318-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/2280-249-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3188-319-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3188-242-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3700-320-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/3700-251-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4080-146-0x000001AF97A80000-0x000001AF98085000-memory.dmp

Filesize
6.0MB

Download
memory/4080-145-0x000001AF97A80000-0x000001AF98085000-memory.dmp

Filesize
6.0MB

Download
memory/4080-144-0x000001AF97A80000-0x000001AF98085000-memory.dmp

Filesize
6.0MB

Download
memory/4152-247-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4300-243-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4300-321-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download