662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2023 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

koid.exe
Size

1.7MB
MD5

937bd53a5f505b8e9b00416590ad8d92
SHA1

5abece11f9d282ec009bf441f132676344f1ede2
SHA256

662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36
SHA512

2027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5
SSDEEP

49152:MXi87ZaoNcK9mVrSPYO1M+BrgdhwmzJnU:yvycBr

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

irsetup.exeAdditionalExecuteTL.exeAdditionalExecuteTL.exeirsetup.exeirsetup.exeopera.exeTLauncher-2.871-Installer-1.0.6-global.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TLauncher-2.871-Installer-1.0.6-global.exe

Executes dropped EXE 31 IoCs

Processes:

TLauncher-2.871-Installer-1.0.6-global.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeAdditionalExecuteTL.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exe_sfx.exeassistant_installer.exeassistant_installer.exeTLauncher.exeTLauncher.exeinstaller.exeinstaller.exelauncher.exeopera.exeopera_crashreporter.exeopera.exeopera.exeopera.exeopera_crashreporter.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exe

pid	process
5280	TLauncher-2.871-Installer-1.0.6-global.exe
388	irsetup.exe
4436	AdditionalExecuteTL.exe
1320	irsetup.exe
4140	AdditionalExecuteTL.exe
3884	irsetup.exe
5596	opera-installer-bro.exe
5856	opera-installer-bro.exe
4112	opera-installer-bro.exe
5460	opera-installer-bro.exe
6084	opera-installer-bro.exe
4556	_sfx.exe
4348	assistant_installer.exe
4988	assistant_installer.exe
6140	TLauncher.exe
3604	TLauncher.exe
4584	installer.exe
5636	installer.exe
3392	launcher.exe
5744	opera.exe
5388	opera_crashreporter.exe
60	opera.exe
4248	opera.exe
5520	opera.exe
4100	opera_crashreporter.exe
2176	opera.exe
5820	opera.exe
4776	opera.exe
3496	opera.exe
5932	opera.exe
752	opera.exe

Loads dropped DLL 41 IoCs

Processes:

irsetup.exeirsetup.exeirsetup.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeopera-installer-bro.exeinstaller.exeinstaller.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exeopera.exe

pid	process
388	irsetup.exe
388	irsetup.exe
388	irsetup.exe
1320	irsetup.exe
3884	irsetup.exe
5596	opera-installer-bro.exe
5856	opera-installer-bro.exe
4112	opera-installer-bro.exe
5460	opera-installer-bro.exe
6084	opera-installer-bro.exe
4584	installer.exe
5636	installer.exe
5744	opera.exe
5744	opera.exe
60	opera.exe
60	opera.exe
4248	opera.exe
60	opera.exe
60	opera.exe
60	opera.exe
60	opera.exe
60	opera.exe
4248	opera.exe
5520	opera.exe
5520	opera.exe
2176	opera.exe
5820	opera.exe
2176	opera.exe
5820	opera.exe
2176	opera.exe
2176	opera.exe
2176	opera.exe
2176	opera.exe
2176	opera.exe
4776	opera.exe
4776	opera.exe
3496	opera.exe
3496	opera.exe
5932	opera.exe
5932	opera.exe
752	opera.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

installer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.46\\notification_helper.exe\""	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.46\\notification_helper.exe"	installer.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/388-141-0x0000000000B30000-0x0000000000F18000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe	upx
behavioral1/memory/1320-157-0x0000000000140000-0x0000000000528000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/388-164-0x0000000000B30000-0x0000000000F18000-memory.dmp	upx
behavioral1/memory/3884-165-0x0000000000EC0000-0x00000000012A8000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/5596-173-0x0000000000400000-0x0000000000947000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe	upx
behavioral1/memory/3884-176-0x0000000000EC0000-0x00000000012A8000-memory.dmp	upx
behavioral1/memory/5856-177-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/4112-179-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/5460-182-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/6084-183-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/1320-184-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/388-194-0x0000000000B30000-0x0000000000F18000-memory.dmp	upx
behavioral1/memory/1320-201-0x0000000000140000-0x0000000000528000-memory.dmp	upx
behavioral1/memory/5460-239-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/5596-238-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/5856-240-0x0000000000400000-0x0000000000947000-memory.dmp	upx
behavioral1/memory/6084-241-0x0000000000400000-0x0000000000947000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

opera.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	opera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Stable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\launcher.exe"	opera.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

opera-installer-bro.exeopera-installer-bro.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	opera-installer-bro.exe
File opened (read-only)	\??\D:	installer.exe

Drops file in Program Files directory 26 IoCs

Processes:

opera.exejavaw.exejavaw.exe

description	ioc	process
File created	C:\Program Files\scoped_dir5520_666074508\persona.ini	opera.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files\scoped_dir5520_666074508\reborn5.png	opera.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeopera.exeopera.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 44 IoCs

Processes:

installer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xht\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xht	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications\opera.exe\shell\open\command	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications\opera.exe\shell	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe,0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.htm\OpenWithProgids\OperaStable = "0"	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.pdf\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.shtml	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xhtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec\Topic\	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications\opera.exe\shell\open	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications\opera.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" \"%1\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.46\\notification_helper.exe"	installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{B87C92B5-44A6-4C78-99E4-C7B5DC84E31C}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.shtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec\Application	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.html\OpenWithProgids\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Applications\opera.exe	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\FriendlyTypeName = "Opera Web Document"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec\	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.opdownload	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.opdownload\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\95.0.4635.46\\notification_helper.exe\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.opdownload\OpenWithProgIDs	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec\Application\	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\URL Protocol	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\DefaultIcon	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.shtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xhtml	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}\LocalServer32	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{E7629152-0A34-4487-B787-5D1144304455}	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Opera\\Launcher.exe\" -noautoupdate -- \"%1\""	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\ddeexec\Topic	installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xht\OpenWithProgIDs\OperaStable = "0"	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.xhtml\OpenWithProgIDs	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open\command	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\OperaStable\shell\open	installer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

opera-installer-bro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	opera-installer-bro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	opera-installer-bro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	opera-installer-bro.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeopera.exe

pid	process
4508	chrome.exe
4508	chrome.exe
888	chrome.exe
888	chrome.exe
5236	chrome.exe
5236	chrome.exe
5292	chrome.exe
5292	chrome.exe
5448	chrome.exe
5448	chrome.exe
5844	chrome.exe
5844	chrome.exe
2684	chrome.exe
2684	chrome.exe
2772	chrome.exe
2772	chrome.exe
5520	opera.exe
5520	opera.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

opera_autoupdate.exe

description pid process

Token: SeShutdownPrivilege 5744 opera_autoupdate.exe
Token: SeCreatePagefilePrivilege 5744 opera_autoupdate.exe

description	pid	process
Token: SeShutdownPrivilege	5744	opera_autoupdate.exe
Token: SeCreatePagefilePrivilege	5744	opera_autoupdate.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exeinstaller.exe

pid	process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
4584	installer.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exeinstaller.exe

pid	process
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

irsetup.exeirsetup.exeirsetup.exejavaw.exejavaw.exeOpenWith.exeinstaller.exe

pid	process
388	irsetup.exe
388	irsetup.exe
388	irsetup.exe
388	irsetup.exe
388	irsetup.exe
388	irsetup.exe
1320	irsetup.exe
1320	irsetup.exe
3884	irsetup.exe
3884	irsetup.exe
6124	javaw.exe
1252	javaw.exe
1252	javaw.exe
1252	javaw.exe
1252	javaw.exe
5688	OpenWith.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe
4584	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 888 wrote to memory of 3932	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 3932	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4392	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4508	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 4508	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe
PID 888 wrote to memory of 400	888	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\koid.exe
"C:\Users\Admin\AppData\Local\Temp\koid.exe"
1⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbace74f50,0x7ffbace74f60,0x7ffbace74f70
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:8
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
2⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
2⤵
PID:6100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,15228766335930855210,14315911243741862475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 /prefetch:8
2⤵
PID:392

C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe
"C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5280

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:24771453" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:388

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:5596

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x344,0x348,0x34c,0x320,0x350,0x6f4ce428,0x6f4ce438,0x6f4ce444
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5856

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera-installer-bro.exe" --version
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4112

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
"C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5596 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230216224854" --session-guid=aff46e0b-fdf3-4622-8b87-5e8f51095d95 --server-tracking-blob=ODE4ZjAyNzI3OTgxM2U3ZGNkNWQ4N2RhZjkyODY1ODIxZGI1MzkwNTFkMDAyMDM0MjBhYTNhMmZiYzgyNDUyYjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzY1ODQxMzEuOTM3MCIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiM2FjZDliNmEtYmI3Ni00OTY2LTliOGUtMzRkNjk5NmQ3ZDUyIn0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B805000000000000
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:5460

C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x340,0x350,0x354,0x31c,0x358,0x6e9de428,0x6e9de438,0x6e9de444
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6084

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\installer.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\installer.exe" --backend --initial-pid=5596 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541" --session-guid=aff46e0b-fdf3-4622-8b87-5e8f51095d95 --server-tracking-blob=ODE4ZjAyNzI3OTgxM2U3ZGNkNWQ4N2RhZjkyODY1ODIxZGI1MzkwNTFkMDAyMDM0MjBhYTNhMmZiYzgyNDUyYjp7ImNvdW50cnkiOiJJTiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fbWVkaXVtPWFwYiZ1dG1fc291cmNlPU1TVEwmdXRtX2NhbXBhaWduPU9wZXJhRGVza3RvcCIsInRpbWVzdGFtcCI6IjE2NzY1ODQxMzEuOTM3MCIsInVzZXJhZ2VudCI6IlNldHVwIEZhY3RvcnkgOS4wIiwidXRtIjp7ImNhbXBhaWduIjoiT3BlcmFEZXNrdG9wIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTVNUTCJ9LCJ1dWlkIjoiM2FjZDliNmEtYmI3Ni00OTY2LTliOGUtMzRkNjk5NmQ3ZDUyIn0= --silent --desktopshortcut=1 --install-subfolder=95.0.4635.46
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\installer.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2d4,0x7ffbaed2a908,0x7ffbaed2a918,0x7ffbaed2a928
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5636

C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
9⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:5744

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ffba5963a18,0x7ffba5963a28,0x7ffba5963a38
11⤵
- Executes dropped EXE
PID:5388

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1912,i,13328108568535269133,15682556225185632897,131072 /prefetch:2
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:60

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,13328108568535269133,15682556225185632897,131072 /prefetch:8
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4248

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\_sfx.exe"
7⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\assistant_installer.exe" --version
7⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202302162248541\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=94.0.4606.38 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x662dc0,0x662dd0,0x662ddc
8⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
4⤵
- Executes dropped EXE
PID:6140

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
5⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:6040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5408

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5520

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_crashreporter.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ffba5963a18,0x7ffba5963a28,0x7ffba5963a38
2⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=1944 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5820

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=2356 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4776

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3124 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3496

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3136 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5932

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3168 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3172 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:2064

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3184 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:1636

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=3216 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:3420

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=3392 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:4952

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3412 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:5208

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3796 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:2816

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=3812 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:3544

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3840 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:2560

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3856 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:3000

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4100 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:3732

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=4508 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:4088

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=4724 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5092

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5316 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:3720

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=5404 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5748

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5584 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:760

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5636 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:5676

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5652 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:5472

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6200 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:6076

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6188 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5972

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6228 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:3984

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6236 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6248 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:4500

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6260 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:4456

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6304 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:4988

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6320 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5172

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6332 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:2804

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6560 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:1
2⤵
PID:4480

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6548 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5264

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6600 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5728

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6616 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:6060

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6944 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5560

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6952 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5496

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6960 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5532

C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:aliexpress-modal=off --with-feature:automatic-video-popout-expanded=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-maker-studio-integration=on --with-feature:gaming-api=on --with-feature:in-house-autocomplete-send=on --with-feature:lucid-mode-hide-text=on --with-feature:native-crypto-wallet=on --with-feature:partner-dropdown-suggestions-boost=on --with-feature:personalized-speeddials=on --with-feature:premium-valve-in=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:specific-keywords=on --with-feature:startpage-sync-banner-ref=on --with-feature:tiktok-panel=off --with-feature:yandex-zen-iframe-scroll=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-bypass-launcher=off --with-feature:installer-one-version-one-subfolder=off --mojo-platform-channel-handle=6888 --field-trial-handle=2012,i,854397295884477396,2999003830785224637,131072 /prefetch:8
2⤵
PID:5540

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_autoupdate.exe
"C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_autoupdate.exe" --edition --host=https://autoupdate.geo.opera.com/ --installationdatadir="C:\Users\Admin\AppData\Local\Programs\Opera" --installdir="C:\Users\Admin\AppData\Local\Programs\Opera" --lang=en-US --pipeid --producttype --requesttype=shutdown --version=95.0.4635.46 --user-data-dir="C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" --firstrunver=95.0.4635.46 --firstrunts=1676587780 --consent-info=eyJzdGF0aXN0aWNzX2NvbGxlY3Rpb25fZW5hYmxlZCI6dHJ1ZSwidXNlcl9leHBlcmllbmNlX21ldHJpY3NfcmVwb3J0aW5nX2VuYWJsZWQiOnRydWV9
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_autoupdate.exe
C:\Users\Admin\AppData\Local\Programs\Opera\95.0.4635.46\opera_autoupdate.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=95.0.4635.46 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff685e5cbd8,0x7ff685e5cbe8,0x7ff685e5cbf8
3⤵
PID:5760

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
PID:5244

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
2⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
471B

MD5
72689e5a2d88e570b2cd3a71f3d49424

SHA1
3379c8362f124da67c5141197cecae853c819b41

SHA256
45e3341218e74a39ad5d2fb3101e8f6e8e862e1d50812eb61b6948e55f09eb31

SHA512
2bdd07a33a901b018eae963adcadf7907889f50233c4797bac9180873d9fe1095c1ba25e6b8acacd07b1a992c06eda7b6d9dc0cdedc985c7579b9de126324f70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
404B

MD5
b39378f6b39104f060860d76b08b67f8

SHA1
3a8010b867b95e0426327f97eefcf6f564a67d68

SHA256
f78fc5ab736845e6b0740cff28b97b4684bafef01b63bce8f079f66ae0dcde5e

SHA512
bfedaa8a5f4d672f47f81448db9386bc9f9bdfe76129e8c90ac0763a8a59645dbe2963a8d87f6584bfeb994ef103c8c7b6a407fa636b28abf5277c40ed891544

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302162248518565596.dll
Filesize
4.6MB

MD5
5ecb01e7d94ce0a17c96b53fc1fcfa44

SHA1
a48e8c9e2b0d92e273830ee450427bd7a4da8d4e

SHA256
4a4199a22faa2995d8149f4433d1505e19afc8ad91d4f74fbc70f2f66d0afab4

SHA512
33167e72712d14422e37c72308ee97d08f307af1b3279ca1bc43b9a383b73fe6dbd0f0389a1870d6023692e1b3fe3d82a18bbccc13f6192f4abd155f1994b333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2302162248526375856.dll
Filesize
4.6MB

MD5
5ecb01e7d94ce0a17c96b53fc1fcfa44

SHA1
a48e8c9e2b0d92e273830ee450427bd7a4da8d4e

SHA256
4a4199a22faa2995d8149f4433d1505e19afc8ad91d4f74fbc70f2f66d0afab4

SHA512
33167e72712d14422e37c72308ee97d08f307af1b3279ca1bc43b9a383b73fe6dbd0f0389a1870d6023692e1b3fe3d82a18bbccc13f6192f4abd155f1994b333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
Filesize
1.8MB

MD5
aa4de04ccc16b74a4c2301da8d621ec1

SHA1
d05c6d8200f6e6b1283df82d24d687adc47d9664

SHA256
e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b

SHA512
28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
7e08af319c9eb3297e09ca7bb8387de4

SHA1
4cf091f77a3eb9437ef33985e64bd10c1257284f

SHA256
6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8

SHA512
bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
Filesize
1.3MB

MD5
e801c5847f5f9d207db53aaaf5c6f3a2

SHA1
8e6818ce66555e2cca92e5c5f32551fb4a91645e

SHA256
196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03

SHA512
303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
83a9a2ca6471954e46088e8bce30fe80

SHA1
8ec27443061d1e2464835158b53bca8e1817539b

SHA256
9ec7bd74bd9f0e22aa3d1faadbcd501235e370544a6564a97709d8467d650629

SHA512
c2ea5a6f1c060aab618687d516dff0bc3bdc60f927c4fc0069648761a1701792554307ad11a4527bf755fd277c3afd1af5df59448bb927edb552ea7ac03994c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
e95e85d37693f430629a035c5a0a7dd1

SHA1
b0341b790627a3c8690b81782691ea718e95c8f4

SHA256
d716287e507e81b3dce67f291f35916bcfb39c10ddb5bd7349f36119a738fe9c

SHA512
bc633a84bc43e9013a460cc4aef4a43ffdedfc387bfef57f58ef10888c438ff678e2280f4a853bc8848cadcafbe4ae5e5b0f27755ef45cd728e495436c1d86b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
e95e85d37693f430629a035c5a0a7dd1

SHA1
b0341b790627a3c8690b81782691ea718e95c8f4

SHA256
d716287e507e81b3dce67f291f35916bcfb39c10ddb5bd7349f36119a738fe9c

SHA512
bc633a84bc43e9013a460cc4aef4a43ffdedfc387bfef57f58ef10888c438ff678e2280f4a853bc8848cadcafbe4ae5e5b0f27755ef45cd728e495436c1d86b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\opera-installer-bro.exe
Filesize
2.7MB

MD5
e95e85d37693f430629a035c5a0a7dd1

SHA1
b0341b790627a3c8690b81782691ea718e95c8f4

SHA256
d716287e507e81b3dce67f291f35916bcfb39c10ddb5bd7349f36119a738fe9c

SHA512
bc633a84bc43e9013a460cc4aef4a43ffdedfc387bfef57f58ef10888c438ff678e2280f4a853bc8848cadcafbe4ae5e5b0f27755ef45cd728e495436c1d86b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
Filesize
645B

MD5
a19cd7b66a39bbab281a2d481c0b06b9

SHA1
ae373594a4bfbb86096922d1c09a1d713ee66b06

SHA256
4645752e53b98b95e19da6e455c06efb7c8a9b368e46690905179971fcc88dfd

SHA512
9b341654ebe02d9c0fa4bde219112672a314b830b4dbcaaa01c0c3cc69b64b7c9457a8241296dd0512f68195e07930c4bee84eab5d37a6e6cb1b8c0af063506e

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe
Filesize
23.6MB

MD5
7a4472a78d0651e11d20aa08e43cc045

SHA1
aab1d5f80d7399ae2c1982201733be7681d100b1

SHA256
318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96

SHA512
c152c9d21b0615548173dcc61accb1a1afd5b6f98e6ec21f6a7119536397f07a54ad4087669716c3344dd338ce4f24cecf9989d472f65eaa18c87d496f23c681

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe
Filesize
23.6MB

MD5
7a4472a78d0651e11d20aa08e43cc045

SHA1
aab1d5f80d7399ae2c1982201733be7681d100b1

SHA256
318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96

SHA512
c152c9d21b0615548173dcc61accb1a1afd5b6f98e6ec21f6a7119536397f07a54ad4087669716c3344dd338ce4f24cecf9989d472f65eaa18c87d496f23c681

Download Submit
\??\pipe\crashpad_888_WXZVDYVLEXNXWXLR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-236-0x0000000000000000-mapping.dmp

Download
memory/388-144-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/388-145-0x0000000006510000-0x0000000006513000-memory.dmp

Filesize
12KB

Download
memory/388-164-0x0000000000B30000-0x0000000000F18000-memory.dmp

Filesize
3.9MB

Download
memory/388-141-0x0000000000B30000-0x0000000000F18000-memory.dmp

Filesize
3.9MB

Download
memory/388-136-0x0000000000000000-mapping.dmp

Download
memory/388-194-0x0000000000B30000-0x0000000000F18000-memory.dmp

Filesize
3.9MB

Download
memory/752-255-0x0000000000000000-mapping.dmp

Download
memory/760-292-0x0000000000000000-mapping.dmp

Download
memory/1252-244-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1252-213-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1252-225-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1252-202-0x0000000000000000-mapping.dmp

Download
memory/1252-228-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1252-229-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1320-201-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1320-149-0x0000000000000000-mapping.dmp

Download
memory/1320-157-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1320-184-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1636-259-0x0000000000000000-mapping.dmp

Download
memory/1828-308-0x0000000000000000-mapping.dmp

Download
memory/2064-257-0x0000000000000000-mapping.dmp

Download
memory/2176-246-0x0000000000000000-mapping.dmp

Download
memory/2560-274-0x0000000000000000-mapping.dmp

Download
memory/2804-318-0x0000000000000000-mapping.dmp

Download
memory/2816-267-0x0000000000000000-mapping.dmp

Download
memory/3000-277-0x0000000000000000-mapping.dmp

Download
memory/3392-232-0x0000000000000000-mapping.dmp

Download
memory/3420-261-0x0000000000000000-mapping.dmp

Download
memory/3496-251-0x0000000000000000-mapping.dmp

Download
memory/3544-271-0x0000000000000000-mapping.dmp

Download
memory/3720-289-0x0000000000000000-mapping.dmp

Download
memory/3732-280-0x0000000000000000-mapping.dmp

Download
memory/3884-158-0x0000000000000000-mapping.dmp

Download
memory/3884-165-0x0000000000EC0000-0x00000000012A8000-memory.dmp

Filesize
3.9MB

Download
memory/3884-176-0x0000000000EC0000-0x00000000012A8000-memory.dmp

Filesize
3.9MB

Download
memory/3984-306-0x0000000000000000-mapping.dmp

Download
memory/4088-283-0x0000000000000000-mapping.dmp

Download
memory/4100-243-0x0000000000000000-mapping.dmp

Download
memory/4112-178-0x0000000000000000-mapping.dmp

Download
memory/4112-179-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4140-154-0x0000000000000000-mapping.dmp

Download
memory/4248-237-0x0000000000000000-mapping.dmp

Download
memory/4348-186-0x0000000000000000-mapping.dmp

Download
memory/4436-146-0x0000000000000000-mapping.dmp

Download
memory/4456-312-0x0000000000000000-mapping.dmp

Download
memory/4480-320-0x0000000000000000-mapping.dmp

Download
memory/4500-310-0x0000000000000000-mapping.dmp

Download
memory/4556-185-0x0000000000000000-mapping.dmp

Download
memory/4584-230-0x0000000000000000-mapping.dmp

Download
memory/4776-249-0x0000000000000000-mapping.dmp

Download
memory/4952-263-0x0000000000000000-mapping.dmp

Download
memory/4988-187-0x0000000000000000-mapping.dmp

Download
memory/4988-314-0x0000000000000000-mapping.dmp

Download
memory/5092-286-0x0000000000000000-mapping.dmp

Download
memory/5172-316-0x0000000000000000-mapping.dmp

Download
memory/5208-265-0x0000000000000000-mapping.dmp

Download
memory/5264-322-0x0000000000000000-mapping.dmp

Download
memory/5280-133-0x0000000000000000-mapping.dmp

Download
memory/5388-234-0x0000000000000000-mapping.dmp

Download
memory/5460-239-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5460-180-0x0000000000000000-mapping.dmp

Download
memory/5460-182-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5472-298-0x0000000000000000-mapping.dmp

Download
memory/5496-331-0x0000000000000000-mapping.dmp

Download
memory/5532-333-0x0000000000000000-mapping.dmp

Download
memory/5560-329-0x0000000000000000-mapping.dmp

Download
memory/5596-238-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5596-168-0x0000000000000000-mapping.dmp

Download
memory/5596-173-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5636-231-0x0000000000000000-mapping.dmp

Download
memory/5676-295-0x0000000000000000-mapping.dmp

Download
memory/5728-324-0x0000000000000000-mapping.dmp

Download
memory/5744-233-0x0000000000000000-mapping.dmp

Download
memory/5748-290-0x0000000000000000-mapping.dmp

Download
memory/5820-247-0x0000000000000000-mapping.dmp

Download
memory/5856-177-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5856-172-0x0000000000000000-mapping.dmp

Download
memory/5856-240-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/5932-253-0x0000000000000000-mapping.dmp

Download
memory/5972-304-0x0000000000000000-mapping.dmp

Download
memory/6060-327-0x0000000000000000-mapping.dmp

Download
memory/6076-301-0x0000000000000000-mapping.dmp

Download
memory/6084-183-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/6084-181-0x0000000000000000-mapping.dmp

Download
memory/6084-241-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/6124-221-0x0000000002F10000-0x0000000003F10000-memory.dmp

Filesize
16.0MB

Download
memory/6124-189-0x0000000000000000-mapping.dmp

Download
memory/6124-199-0x0000000002F10000-0x0000000003F10000-memory.dmp

Filesize
16.0MB

Download
memory/6124-242-0x0000000002F10000-0x0000000003F10000-memory.dmp

Filesize
16.0MB

Download
memory/6140-188-0x0000000000000000-mapping.dmp

Download