0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delta V3.61 b_77978399.exe
Size

5.7MB
MD5

0aa6945aee17c3eae75f48e715ee5eb7
SHA1

b84977d612d1760f7a682e96dba9f7160cdaf72d
SHA256

0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc
SHA512

8cdb467c92fefe0add78824acc496bf1c70c1eada04a801076073df92497660551c7b3c56a7d97a5ba74eb75879e5323f4b33ee51f94cab8c8afe6515056f5e5
SSDEEP

98304:Vj8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEw98rqNkUi+bD:Vj8aatLPV6oPrke8rqN7

Score

6^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Delta V3.61 b_77978399.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pmls.dll	pmropn.exe
File created	C:\Windows\system32\pmls64.dll	pmropn.exe
File created	C:\Windows\SysWOW64\pmls.dll	pmropn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmls64.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\cacert.pem	pmservice.exe
File created	C:\Program Files (x86)\PremierOpinion\readme.txt	pmropn.exe
File created	C:\Program Files (x86)\PremierOpinion\pmservice.exe	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn32.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn32.exe	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmph.dll	ContentI3.exe
File created	C:\PROGRA~2\PREMIE~1\RData.reg	reg.exe
File created	C:\PROGRA~2\PREMIE~1\tms.bin	pmservice.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\snt.dat.bac	pmservice.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\snt.dat	pmservice.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmls.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn64.exe	ContentI3.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\RData.reg	reg.exe
File created	C:\Program Files (x86)\PremierOpinion\pmocid.bin	pmropn.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn64.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmls.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmls64.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmph.dll	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\catrust.pem	pmservice.exe
File created	C:\PROGRA~2\PREMIE~1\snt.dat	pmservice.exe
File created	C:\Program Files (x86)\PremierOpinion\pmoci.bin	pmropn.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmservice.exe	ContentI3.exe

Executes dropped EXE 19 IoCs

pid	Process
3848	opera.exe
2208	setup.exe
1204	setup.exe
932	setup.exe
1608	setup.exe
3616	setup.exe
4904	Assistant_114.0.5282.21_Setup.exe_sfx.exe
720	assistant_installer.exe
5060	assistant_installer.exe
2708	ContentI3.exe
2968	pmropn.exe
2236	pmservice.exe
1644	pmropn.exe
3832	pmropn32.exe
4632	pmropn64.exe
2744	pmropn.exe
316	Process not Found
2712	Process not Found
2320	Process not Found

Loads dropped DLL 19 IoCs

pid	Process
2208	setup.exe
1204	setup.exe
932	setup.exe
1608	setup.exe
3616	setup.exe
720	assistant_installer.exe
720	assistant_installer.exe
5060	assistant_installer.exe
5060	assistant_installer.exe
2236	pmservice.exe
4632	rundll32.exe
1208	svchost.exe
1644	pmropn.exe
4632	pmropn64.exe
3832	pmropn32.exe
1684	unsecapp.exe
3456	Process not Found
4460	NOTEPAD.EXE
2792	Delta V3.61 b_77978399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContentI3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delta V3.61 b_77978399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	pmservice.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Opera GXStable	Delta V3.61 b_77978399.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Delta V3.61 b_77978399.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Delta V3.61 b_77978399.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D	pmropn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmropn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D	pmservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 19000000010000001000000012cab0233db2f09a0336851de92237df0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 5c000000010000000400000000080000140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c7619000000010000001000000012cab0233db2f09a0336851de92237df2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a58102000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4460	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	pmropn.exe
2968	pmropn.exe
2968	pmropn.exe
2968	pmropn.exe
2236	pmservice.exe
2236	pmservice.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe
1644	pmropn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	rundll32.exe
Token: SeDebugPrivilege	2236	pmservice.exe
Token: SeTcbPrivilege	2236	pmservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	pmropn.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1644	pmropn.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2792	Delta V3.61 b_77978399.exe
2708	ContentI3.exe
2968	pmropn.exe
4632	pmropn64.exe
4632	pmropn64.exe
4632	pmropn64.exe
3832	pmropn32.exe
3832	pmropn32.exe
3832	pmropn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3848	2792	Delta V3.61 b_77978399.exe	91
PID 2792 wrote to memory of 3848	2792	Delta V3.61 b_77978399.exe	91
PID 2792 wrote to memory of 3848	2792	Delta V3.61 b_77978399.exe	91
PID 3848 wrote to memory of 2208	3848	opera.exe	93
PID 3848 wrote to memory of 2208	3848	opera.exe	93
PID 3848 wrote to memory of 2208	3848	opera.exe	93
PID 2208 wrote to memory of 1204	2208	setup.exe	94
PID 2208 wrote to memory of 1204	2208	setup.exe	94
PID 2208 wrote to memory of 1204	2208	setup.exe	94
PID 2208 wrote to memory of 932	2208	setup.exe	95
PID 2208 wrote to memory of 932	2208	setup.exe	95
PID 2208 wrote to memory of 932	2208	setup.exe	95
PID 2208 wrote to memory of 1608	2208	setup.exe	96
PID 2208 wrote to memory of 1608	2208	setup.exe	96
PID 2208 wrote to memory of 1608	2208	setup.exe	96
PID 1608 wrote to memory of 3616	1608	setup.exe	97
PID 1608 wrote to memory of 3616	1608	setup.exe	97
PID 1608 wrote to memory of 3616	1608	setup.exe	97
PID 2208 wrote to memory of 4904	2208	setup.exe	98
PID 2208 wrote to memory of 4904	2208	setup.exe	98
PID 2208 wrote to memory of 4904	2208	setup.exe	98
PID 2208 wrote to memory of 720	2208	setup.exe	99
PID 2208 wrote to memory of 720	2208	setup.exe	99
PID 2208 wrote to memory of 720	2208	setup.exe	99
PID 720 wrote to memory of 5060	720	assistant_installer.exe	100
PID 720 wrote to memory of 5060	720	assistant_installer.exe	100
PID 720 wrote to memory of 5060	720	assistant_installer.exe	100
PID 2792 wrote to memory of 2708	2792	Delta V3.61 b_77978399.exe	102
PID 2792 wrote to memory of 2708	2792	Delta V3.61 b_77978399.exe	102
PID 2792 wrote to memory of 2708	2792	Delta V3.61 b_77978399.exe	102
PID 2792 wrote to memory of 4460	2792	Delta V3.61 b_77978399.exe	106
PID 2792 wrote to memory of 4460	2792	Delta V3.61 b_77978399.exe	106
PID 2792 wrote to memory of 4460	2792	Delta V3.61 b_77978399.exe	106
PID 2708 wrote to memory of 2968	2708	ContentI3.exe	107
PID 2708 wrote to memory of 2968	2708	ContentI3.exe	107
PID 2708 wrote to memory of 2968	2708	ContentI3.exe	107
PID 2236 wrote to memory of 4632	2236	pmservice.exe	110
PID 2236 wrote to memory of 4632	2236	pmservice.exe	110
PID 4632 wrote to memory of 1208	4632	rundll32.exe	19
PID 2236 wrote to memory of 876	2236	pmservice.exe	111
PID 2236 wrote to memory of 876	2236	pmservice.exe	111
PID 2236 wrote to memory of 876	2236	pmservice.exe	111
PID 2236 wrote to memory of 1644	2236	pmservice.exe	115
PID 2236 wrote to memory of 1644	2236	pmservice.exe	115
PID 2236 wrote to memory of 1644	2236	pmservice.exe	115
PID 2236 wrote to memory of 3920	2236	pmservice.exe	120
PID 2236 wrote to memory of 3920	2236	pmservice.exe	120
PID 2236 wrote to memory of 3920	2236	pmservice.exe	120
PID 2236 wrote to memory of 1276	2236	pmservice.exe	121
PID 2236 wrote to memory of 1276	2236	pmservice.exe	121
PID 2236 wrote to memory of 1276	2236	pmservice.exe	121
PID 3920 wrote to memory of 3832	3920	cmd.exe	122
PID 3920 wrote to memory of 3832	3920	cmd.exe	122
PID 3920 wrote to memory of 3832	3920	cmd.exe	122
PID 1276 wrote to memory of 4632	1276	cmd.exe	123
PID 1276 wrote to memory of 4632	1276	cmd.exe	123
PID 1644 wrote to memory of 1144	1644	pmropn.exe	124
PID 1644 wrote to memory of 1144	1644	pmropn.exe	124
PID 1644 wrote to memory of 1144	1644	pmropn.exe	124
PID 2236 wrote to memory of 2744	2236	pmservice.exe	126
PID 2236 wrote to memory of 2744	2236	pmservice.exe	126
PID 2236 wrote to memory of 2744	2236	pmservice.exe	126
PID 2744 wrote to memory of 4380	2744	pmropn.exe	127
PID 2744 wrote to memory of 4380	2744	pmropn.exe	127

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
PID:1208

C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_77978399.exe
"C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_77978399.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\opera.exe
  C:\Users\Admin\AppData\Local\opera.exe --silent --allusers=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe --silent --allusers=0 --server-tracking-blob=Njg1ZTUyYzIxMjIxODk3ZTA2YjE3YTU5ZDE0OTA4MDI1ZmVmY2UxMDAyMjc2NDA2YmFhNjg3NTVjMDIzODZiMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1LQTFyeiIsInRpbWVzdGFtcCI6IjE3Mjg3ODEzODIuMTQ3NyIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IktBMXJ6IiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJJbnN0YWxsdW5pb24ifSwidXVpZCI6ImQ0YjQ5MTIxLTZiNjMtNGRjYy1iNjVkLTQwYjNkZjc5Yjk5MiJ9
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.94 --initial-client-data=0x32c,0x330,0x334,0x300,0x338,0x70fb1a74,0x70fb1a80,0x70fb1a8c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:932
  - - C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2208 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241013010306" --session-guid=230c31f5-86ed-46ec-a13c-8b08991c98e0 --server-tracking-blob="ODg1OWI4YmJjYjMwZmIzYjVkMjVmZjUyZmEzNzY4MTUzNjk1Y2M5NTAyMDlmYjBlMDI5NjUxMzI0NWU1NTFiNjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj1LQTFyeiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyODc4MTM4Mi4xNDc3IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiS0ExcnoiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6Ikluc3RhbGx1bmlvbiJ9LCJ1dWlkIjoiZDRiNDkxMjEtNmI2My00ZGNjLWI2NWQtNDBiM2RmNzliOTkyIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C06000000000000
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.94 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x703f1a74,0x703f1a80,0x703f1a8c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x4c17a0,0x4c17ac,0x4c17b8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5060
- C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe
  "C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files (x86)\PremierOpinion\pmropn.exe
    C:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:9zkM1im3A1ibL7qUu$POGG -o:0
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2968
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:4460

C:\Program Files (x86)\PremierOpinion\pmservice.exe
"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\pmls64.dll,UpdateProcess 1208
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4632
- C:\Windows\SysWOW64\reg.exe
  reg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:876
- \??\c:\program files (x86)\premieropinion\pmropn.exe
  "c:\program files (x86)\premieropinion\pmropn.exe" -boot
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  /C C:\PROGRA~2\PREMIE~1\pmropn32.exe 1644
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\PROGRA~2\PREMIE~1\pmropn32.exe
    C:\PROGRA~2\PREMIE~1\pmropn32.exe 1644
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  /C C:\PROGRA~2\PREMIE~1\pmropn64.exe 1644
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\PROGRA~2\PREMIE~1\pmropn64.exe
    C:\PROGRA~2\PREMIE~1\pmropn64.exe 1644
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4632
- \??\c:\program files (x86)\premieropinion\pmropn.exe
  "c:\program files (x86)\premieropinion\pmropn.exe" -updateapps
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.aad.brokerplugin_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.accountscontrol_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.asynctextservice_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.bioenrollment_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.creddialoghost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.ecapp_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:184
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.lockapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedge_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.vclibs.140.00_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.win32webviewhost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.apprep.chxapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.callingshellapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.capturepicker_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3440
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.narratorquickstart_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.peopleexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.search_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.shellexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.xgpuejectdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.xboxgamecallableui_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.client.cbs_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.undockeddevkit_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=ncsiuwpapp_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:932
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows.cbspreview_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows.printdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows_ie_ac_001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
- Loads dropped DLL
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\PREMIE~1\RData.reg

Filesize
3KB

MD5
8637475a5744c382956aa1ce5ff945ea

SHA1
0ae087d07b96e6c92445686b6c4a15e40e754843

SHA256
71eac10c166973feeb484ffe2d4abde4a2c5392a4b177f49b72243bfe4229a5c

SHA512
325080cbca35a0df82ae3cac9982bc8ed4d12251e1409c3fdec4754824a258a83ebc7e2b6e6eb69639aa8cd4ca2439c2296c1655430ee52b4ac46115ab5109bb

Download Submit
C:\PROGRA~2\PREMIE~1\snt.dat

Filesize
3.1MB

MD5
5cc1063bcc4abe1dc4ebe2d866c8dbcc

SHA1
668cda5d04972e244ae7a8e6a3f5110b690f7c64

SHA256
b4e217617c514cfa1e03a87d6a78c440cb22cc06ae5175b6b076b79f29382fa1

SHA512
e92b217f9fa8dcdf73b634d38291c2f2b62d933748d0a1350c2712d956558b53143bd5640c7290ac1b1c54aca045dc7985ced79c72b1c7657178289865416224

Download Submit
C:\Program Files (x86)\PremierOpinion\cacert.pem

Filesize
3KB

MD5
77eb3ade4c5b0db67c6e8a26f131073c

SHA1
ad9e8c00174cc2e707f59df671f89a9d7fc2ffc7

SHA256
9f19e7a7139cca8373b516ab1ae49c644aa1c8048e8c7aa5784774a081dcbb87

SHA512
20eb7d34c80bb8d8a415bcdccf8e46cb36396c095ed1468b69c0cb91da915e3a14c7fd55247f68e64ff71cf8d336cc286c3662710ca6281840fdc2f1eb7ac6a1

Download Submit
C:\Program Files (x86)\PremierOpinion\pmls.dll

Filesize
885KB

MD5
50a0c6c01cdc5d2690ccd1f1541f6670

SHA1
c5e017a468efb70eabb1f861784edac62acb0e17

SHA256
f9a853830949bb22d6f4d128d71a0ab923d9b5549c0dc8785c7de7d1a4eabf99

SHA512
028d5a56c581d3751628c7503e83aa52c332678495943c3648049ae0b26a7190e98395ad205cf60896140d1a802c14a346a2d1553e7b53090c3f5beefd66e9b1

Download Submit
C:\Program Files (x86)\PremierOpinion\pmls64.dll

Filesize
1.1MB

MD5
aa56cb7fd83150c3a75cd6a0de97eb78

SHA1
34415c5c8e57cfe9a7b4a498eacfe1403f3191ec

SHA256
034e066829d28bbc81604250f6df721a35ab1c0898ab82bef6305ffada240765

SHA512
765f12e5e060db934d0f4e8159bb9bd10cdbe797d79488a0dc88215a73e49101e279ca69e10c1775a5e161bb4dd02585724c7c87bbefdcdd047adb4277804fa2

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn.exe

Filesize
6.7MB

MD5
f27f98c1a877f9ca6f06c23bed4014ca

SHA1
25a231319659c30d6f86a5c9cdd1747d7c471542

SHA256
1ed47933c9f33c4860ecc0bf1ba7525212aa00054037a9a51a8d8f5ce3b821bd

SHA512
f054a618d2f8e7a829c26548312b436e21058ee1ff64b40e7c19be2bde037003c21332af3c60e2fd92675af80526ef6faf84b8c1d7a095bb2c4d0b799e66599c

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn32.exe

Filesize
245KB

MD5
6e4d6b68e9565c4cc7791b00c2094ff9

SHA1
965a00a5a8bb05b35fbaa357951779ea3b71e392

SHA256
65d6f18e1b366aff5343c3f6628041329e7c1375d18ba57076b19bf5f48bc483

SHA512
0cb1396822c7350057cfc7280e1c67ccf1e1a2206347a10025e285f00e9364563685ba5282775960a9329511fd321a631222c87ae7ca8106eca00fb78722b20f

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn64.exe

Filesize
304KB

MD5
ae5bbcc69b05359d0d5cc72ca6a1262e

SHA1
6843bd883d50216be44065411a983a4bcccdcc91

SHA256
12bfd1007634138b22c56ead24db02a1fe3a4d4b7fe04d30cd07a0ff5d4c8425

SHA512
6417aaeb4ccd86504bc1f83e32c91a60920e98fff833c02fdbef974819a3288cab0c96d6b114ceed4432c305d49120cacbc7e0da69c911f4035aadfbec7a91de

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\3231ae299a0af0b2\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
3b103a9ba068fb4f932d272d19f5619f

SHA1
8270adf6a18d0101ce54afb77179d55a78a35fc7

SHA256
7e9f5f137372bf9e13383dc06c71139d92a4a7efcb5c64c570311999ecafab15

SHA512
83011d2315dfdd8838d62b66f576259882033e28e58ffb1931f97bb0a105cce5f03a4ca6c1de88611876d038f7e2ca7be626d4e0fb689d1ed8c99c6ce9adda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\dbgcore.DLL

Filesize
166KB

MD5
612a3bebcf72256296103e034ace0236

SHA1
4e722e00e3294194224ae348477e3898c01b47b3

SHA256
3e20d38b7f1ab5dcbb1057f06f4dabf64e57b71d12a7335b4c5601b5b4a6047c

SHA512
dde0aabbe0905408c8df74fb51232b322e233dc43fc34f4ddac9a5e626359d7e4948d41f3fcbb95f0a635cbd229953757ba456a095b2b3523bb7a851663e6302

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410130103061\assistant\dbghelp.dll

Filesize
1.7MB

MD5
3f68b6ab3dcfd45911952ed4f5d75197

SHA1
c24c63d36a26f2320ae1c70b282769fae1e18b48

SHA256
e2f7ff92d8b959239e535b1824eac0bcf21b3134418a7b0411fa0c92ab6259e4

SHA512
5e6e031c5b802f667dc846f5dddd3c3ff5ad810b6274633bf519aa07d6a4eb7cd1c810b04f9fd552e0f6c7bb7285db0d3dc64b7a5690899583ae30bdc4e3c09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80F88408\setup.exe

Filesize
5.3MB

MD5
d2b32d2ca95b09c440db5f37788a3829

SHA1
d0f5f06b9050ee2cc9202e6eae18349ab1257d70

SHA256
6cab004538645353524008c307f897f76a1b46282ea6761cc88fdd4b6fe3e9ca

SHA512
cc091d48ff9abf5add640bfdf99148b466cfded3cafc8451f87cf3723fd4b7f096e4b518216fbf7482f34167dc8deea5de251fe369bccd28ce2bf56b09163a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410130103047342208.dll

Filesize
4.8MB

MD5
a0a086eadb30b33d556ace427e6fe3b5

SHA1
ccd76ed307469d0e2ec59a57f4b9ef5f6db42123

SHA256
99ad2bef393791036eb600f35cd5ba5c7d9cdb28676ceb5fb6fbb748515e2f16

SHA512
f2208b5ad4180d7bfb1b6eab3f18f52692505d5fc84ef34118e16659421a099f11fad1ea49233951057bbdfcf173c13d9927fb2ea984629b8fe60cd91c8c14a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe

Filesize
3.8MB

MD5
bf6eed6cdc17a0130189a33a55ef5209

SHA1
e337f5a0931f69c464f162385f1330b4d27b372f

SHA256
ef2734657b11113a433abb7ebac962e2bf6bf685f05c5f672997f01875430168

SHA512
90d23fd84007343e85f9fc003cf826b112fd930216a24d8c1488468443ae2a4b0c3cc2426b91c81a8228e125050e922fce05672e010e65247709fc4a7b856f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~os23CB.tmp\pmph.dll

Filesize
807KB

MD5
9d96ccb0d5ab5541b61d5c138d91796f

SHA1
cf3ee3e66c8f9c23e3efd29978215461347e650d

SHA256
379a1f1f02c8cb704f248c2f1ff79c8986f73c350a3bf6d9bbc93aeacd286e36

SHA512
69ca7d96896d872eefa63f0c0bd9613526a914e99c4cf12b5d221315277aa64894d99d0f5ce9c5e0ef640d61c9202cd3d51ddb2ab4c55f8fdf60d24a8c1ff6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\~os23CB.tmp\pmservice.exe

Filesize
4.2MB

MD5
4ef95918e313c7ca01084629416fc714

SHA1
5bdaba6920d3f4d1f8ea47ce693276530b5f2a9c

SHA256
303707068aab06ab0341178558c28ce1670d10f16c39522859c4f21097a87ee9

SHA512
75861731e9ec1a43741b2b84f60677e9fdf26d5db8d6e4e91297f826fc2c357272c18cede7f64c42798f5459900b33d693ababe4e1140e4cfc54ef7a04af633a

Download Submit
C:\Users\Admin\AppData\Local\link.txt

Filesize
57B

MD5
ec0997dc529c9ecf7825772b7ee2d0e9

SHA1
10d3891a3c3a2eb40e951fb96e8b0f0865b1ed49

SHA256
ccbc2a3c61e15e64256881f6d505f0e0fecf97d72fa0327a157ab2fa10f79f56

SHA512
d0f6197af91abc0d723dd889a00cba48973098709d4b80b24155dcb2fb5523461f816ec97accf873a679a467d818074c2a1d07eb49b94b1f0670d7307724eb7b

Download Submit
C:\Users\Admin\AppData\Local\opera.exe

Filesize
2.1MB

MD5
5c271d4e34eaa03d7d9405f8b8026b70

SHA1
c73837452889bb62b246792cb5fcbae7eeed7311

SHA256
2d8681f0e346f3bf9734565b629159adb6fe97d8c79a5e83cc3f45fb1e2d8f48

SHA512
c9cf9c39005df5ae6ea340d5810943277bc1c92e9cc30912f5ef3308cabb1fec3965e9296b49c25dd7e14241cbf667b8f984153b54ed0fa8fe8f55fd2c9d3ece

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
665c512cedb375ce0046f47aed47e746

SHA1
c386689a2de4b5f00b801452a8e3d54bc49c3367

SHA256
59ada1f4ff168ebff58f2f8de9d6b0d583c81f2afa314a114bcb6fcb36026b55

SHA512
fcc182b691fb8601d434ac6b6cca0a0df2ccf9661647279b81d763efdc95813fd0e8eac2a15e8506b3172c101096a34a360a05b5ea5e9ee04dd297277156a8a3

Download Submit
memory/1644-325-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-327-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-396-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-399-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-398-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-401-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-400-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-397-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-390-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-392-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-391-0x0000000009F90000-0x0000000009F91000-memory.dmp

Filesize
4KB

Download
memory/1644-328-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-329-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-324-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-326-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-320-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-319-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1644-318-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/2968-229-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-234-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-239-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-230-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-238-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-237-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-236-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-240-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-228-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2968-235-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4632-282-0x00007FFBA5700000-0x00007FFBA5731000-memory.dmp

Filesize
196KB

Download
memory/4632-272-0x00007FFBA7410000-0x00007FFBA747B000-memory.dmp

Filesize
428KB

Download
memory/4632-271-0x00007FFBA5C90000-0x00007FFBA5F59000-memory.dmp

Filesize
2.8MB

Download
memory/4632-270-0x00007FFBA6A90000-0x00007FFBA6B4E000-memory.dmp

Filesize
760KB

Download
memory/4632-273-0x00007FFB9A260000-0x00007FFB9A730000-memory.dmp

Filesize
4.8MB

Download
memory/4632-283-0x00007FFBA6140000-0x00007FFBA687F000-memory.dmp

Filesize
7.2MB

Download
memory/4632-281-0x00007FFB9DAF0000-0x00007FFB9DBF8000-memory.dmp

Filesize
1.0MB

Download
memory/4632-274-0x00007FFBA4EF0000-0x00007FFBA4F5A000-memory.dmp

Filesize
424KB

Download