0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 07:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Roblox Evon Exploit V4 UWP_97769491.exe
Size

5.7MB
MD5

0aa6945aee17c3eae75f48e715ee5eb7
SHA1

b84977d612d1760f7a682e96dba9f7160cdaf72d
SHA256

0b8be7d62ba830a3a53686afb8af57d1b2301d76c8b06759bf4b148d1e2ab6cc
SHA512

8cdb467c92fefe0add78824acc496bf1c70c1eada04a801076073df92497660551c7b3c56a7d97a5ba74eb75879e5323f4b33ee51f94cab8c8afe6515056f5e5
SSDEEP

98304:Vj8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEw98rqNkUi+bD:Vj8aatLPV6oPrke8rqN7

Score

6^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Roblox Evon Exploit V4 UWP_97769491.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pmls.dll	pmropn.exe
File opened for modification	C:\Windows\SysWOW64\pmls.dll	pmropn.exe
File created	C:\Windows\system32\pmls64.dll	pmropn.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PremierOpinion\pmocid.bin	pmropn.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmservice.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn.exe	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmph.dll	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\cacert.pem	pmservice.exe
File created	C:\Program Files (x86)\PremierOpinion\catrust.pem	pmservice.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\RData.reg	reg.exe
File created	C:\PROGRA~2\PREMIE~1\RData.reg	reg.exe
File created	C:\Program Files (x86)\PremierOpinion\pmservice.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmls.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\readme.txt	pmropn.exe
File created	C:\Program Files (x86)\PremierOpinion\pmls64.dll	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn64.exe	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmph.dll	ContentI3.exe
File created	C:\PROGRA~2\PREMIE~1\tms.bin	pmservice.exe
File created	C:\PROGRA~2\PREMIE~1\snt.dat	pmservice.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\snt.dat	pmservice.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmls.dll	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmls64.dll	ContentI3.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn32.exe	ContentI3.exe
File opened for modification	C:\PROGRA~2\PREMIE~1\snt.dat.bac	pmservice.exe
File created	C:\Program Files (x86)\PremierOpinion\pmoci.bin	pmropn.exe
File created	C:\Program Files (x86)\PremierOpinion\pmropn64.exe	ContentI3.exe
File opened for modification	C:\Program Files (x86)\PremierOpinion\pmropn32.exe	ContentI3.exe

Executes dropped EXE 16 IoCs

pid	Process
2212	opera.exe
1548	setup.exe
4720	setup.exe
216	setup.exe
4560	setup.exe
3108	setup.exe
4636	Assistant_114.0.5282.21_Setup.exe_sfx.exe
2696	assistant_installer.exe
4216	assistant_installer.exe
4356	ContentI3.exe
4984	pmropn.exe
4788	pmservice.exe
4112	pmropn.exe
3020	pmropn64.exe
4176	pmropn32.exe
976	pmropn.exe

Loads dropped DLL 17 IoCs

pid	Process
1548	setup.exe
4720	setup.exe
216	setup.exe
4560	setup.exe
3108	setup.exe
2696	assistant_installer.exe
2696	assistant_installer.exe
4216	assistant_installer.exe
4216	assistant_installer.exe
4788	pmservice.exe
2248	rundll32.exe
1232	svchost.exe
4112	pmropn.exe
3020	pmropn64.exe
4860	unsecapp.exe
4176	pmropn32.exe
3500	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opera.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Evon Exploit V4 UWP_97769491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ContentI3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmropn32.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	pmservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	pmservice.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Opera GXStable	Roblox Evon Exploit V4 UWP_97769491.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Roblox Evon Exploit V4 UWP_97769491.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D	pmropn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmropn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a58102000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 19000000010000001000000012cab0233db2f09a0336851de92237df0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D	pmservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 5c000000010000000400000000080000140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c7619000000010000001000000012cab0233db2f09a0336851de92237df2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb	pmservice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4984	pmropn.exe
4984	pmropn.exe
4984	pmropn.exe
4984	pmropn.exe
4788	pmservice.exe
4788	pmservice.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe
4112	pmropn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	rundll32.exe
Token: SeDebugPrivilege	4788	pmservice.exe
Token: SeTcbPrivilege	4788	pmservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4112	pmropn.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4112	pmropn.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3660	Roblox Evon Exploit V4 UWP_97769491.exe
3660	Roblox Evon Exploit V4 UWP_97769491.exe
3660	Roblox Evon Exploit V4 UWP_97769491.exe
3660	Roblox Evon Exploit V4 UWP_97769491.exe
4356	ContentI3.exe
4984	pmropn.exe
3020	pmropn64.exe
3020	pmropn64.exe
3020	pmropn64.exe
4176	pmropn32.exe
4176	pmropn32.exe
4176	pmropn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2212	3660	Roblox Evon Exploit V4 UWP_97769491.exe	95
PID 3660 wrote to memory of 2212	3660	Roblox Evon Exploit V4 UWP_97769491.exe	95
PID 3660 wrote to memory of 2212	3660	Roblox Evon Exploit V4 UWP_97769491.exe	95
PID 2212 wrote to memory of 1548	2212	opera.exe	96
PID 2212 wrote to memory of 1548	2212	opera.exe	96
PID 2212 wrote to memory of 1548	2212	opera.exe	96
PID 1548 wrote to memory of 4720	1548	setup.exe	97
PID 1548 wrote to memory of 4720	1548	setup.exe	97
PID 1548 wrote to memory of 4720	1548	setup.exe	97
PID 1548 wrote to memory of 216	1548	setup.exe	98
PID 1548 wrote to memory of 216	1548	setup.exe	98
PID 1548 wrote to memory of 216	1548	setup.exe	98
PID 1548 wrote to memory of 4560	1548	setup.exe	99
PID 1548 wrote to memory of 4560	1548	setup.exe	99
PID 1548 wrote to memory of 4560	1548	setup.exe	99
PID 4560 wrote to memory of 3108	4560	setup.exe	100
PID 4560 wrote to memory of 3108	4560	setup.exe	100
PID 4560 wrote to memory of 3108	4560	setup.exe	100
PID 1548 wrote to memory of 4636	1548	setup.exe	105
PID 1548 wrote to memory of 4636	1548	setup.exe	105
PID 1548 wrote to memory of 4636	1548	setup.exe	105
PID 1548 wrote to memory of 2696	1548	setup.exe	106
PID 1548 wrote to memory of 2696	1548	setup.exe	106
PID 1548 wrote to memory of 2696	1548	setup.exe	106
PID 2696 wrote to memory of 4216	2696	assistant_installer.exe	107
PID 2696 wrote to memory of 4216	2696	assistant_installer.exe	107
PID 2696 wrote to memory of 4216	2696	assistant_installer.exe	107
PID 3660 wrote to memory of 4356	3660	Roblox Evon Exploit V4 UWP_97769491.exe	109
PID 3660 wrote to memory of 4356	3660	Roblox Evon Exploit V4 UWP_97769491.exe	109
PID 3660 wrote to memory of 4356	3660	Roblox Evon Exploit V4 UWP_97769491.exe	109
PID 4356 wrote to memory of 4984	4356	ContentI3.exe	112
PID 4356 wrote to memory of 4984	4356	ContentI3.exe	112
PID 4356 wrote to memory of 4984	4356	ContentI3.exe	112
PID 4788 wrote to memory of 2248	4788	pmservice.exe	114
PID 4788 wrote to memory of 2248	4788	pmservice.exe	114
PID 4788 wrote to memory of 2928	4788	pmservice.exe	115
PID 4788 wrote to memory of 2928	4788	pmservice.exe	115
PID 4788 wrote to memory of 2928	4788	pmservice.exe	115
PID 2248 wrote to memory of 1232	2248	rundll32.exe	19
PID 4788 wrote to memory of 4112	4788	pmservice.exe	122
PID 4788 wrote to memory of 4112	4788	pmservice.exe	122
PID 4788 wrote to memory of 4112	4788	pmservice.exe	122
PID 4788 wrote to memory of 3732	4788	pmservice.exe	129
PID 4788 wrote to memory of 3732	4788	pmservice.exe	129
PID 4788 wrote to memory of 3732	4788	pmservice.exe	129
PID 4788 wrote to memory of 1188	4788	pmservice.exe	130
PID 4788 wrote to memory of 1188	4788	pmservice.exe	130
PID 4788 wrote to memory of 1188	4788	pmservice.exe	130
PID 3732 wrote to memory of 4176	3732	cmd.exe	132
PID 3732 wrote to memory of 4176	3732	cmd.exe	132
PID 3732 wrote to memory of 4176	3732	cmd.exe	132
PID 1188 wrote to memory of 3020	1188	cmd.exe	131
PID 1188 wrote to memory of 3020	1188	cmd.exe	131
PID 4112 wrote to memory of 2112	4112	pmropn.exe	133
PID 4112 wrote to memory of 2112	4112	pmropn.exe	133
PID 4112 wrote to memory of 2112	4112	pmropn.exe	133
PID 4788 wrote to memory of 976	4788	pmservice.exe	135
PID 4788 wrote to memory of 976	4788	pmservice.exe	135
PID 4788 wrote to memory of 976	4788	pmservice.exe	135
PID 976 wrote to memory of 3132	976	pmropn.exe	136
PID 976 wrote to memory of 3132	976	pmropn.exe	136
PID 976 wrote to memory of 3132	976	pmropn.exe	136
PID 976 wrote to memory of 5096	976	pmropn.exe	138
PID 976 wrote to memory of 5096	976	pmropn.exe	138

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Loads dropped DLL
PID:1232

C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4 UWP_97769491.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Evon Exploit V4 UWP_97769491.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\opera.exe
  C:\Users\Admin\AppData\Local\opera.exe --silent --allusers=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe --silent --allusers=0 --server-tracking-blob=ODI2ZmYzOWEwMGE3ZGQ2MTBhNTFlNTE3ZWI4YTdiY2EwZjY0NjcyYWM2NTlkN2I3ZTQzNzJiZThiOGY0NDk4Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj04akEyeiIsInRpbWVzdGFtcCI6IjE3Mjg5Nzc4MDEuMzk4NSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IjhqQTJ6IiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJJbnN0YWxsdW5pb24ifSwidXVpZCI6IjNkMjZkNTEyLTE0ODEtNGFhNi1hYTBjLTkxY2Q1MmZhODA4MSJ9
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.94 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x71961a74,0x71961a80,0x71961a8c
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1548 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241015073647" --session-guid=bd1a6a3a-3343-42d3-a9b6-3325e42a8249 --server-tracking-blob="MzEwYjgyYzY2ZTEwMmQxMTE2NGFkYTM1YjU5YzkwZTI2NGQzODhjMjI5NTY1MzkxYmRlOTE3YjhlNzVmNGNiYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUluc3RhbGx1bmlvbiZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj04akEyeiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyODk3NzgwMS4zOTg1IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiOGpBMnoiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6Ikluc3RhbGx1bmlvbiJ9LCJ1dWlkIjoiM2QyNmQ1MTItMTQ4MS00YWE2LWFhMGMtOTFjZDUyZmE4MDgxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1006000000000000
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.94 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x70da1a74,0x70da1a80,0x70da1a8c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xa817a0,0xa817ac,0xa817b8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4216
- C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe
  "C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Program Files (x86)\PremierOpinion\pmropn.exe
    C:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:en4FQupvQF59xwa0j4POPN -o:0
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4984

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\eee9c8bb2d0541fa962a6dd8bbe9abde /t 1228 /p 3660
1⤵
PID:2436

C:\Program Files (x86)\PremierOpinion\pmservice.exe
"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\pmls64.dll,UpdateProcess 1232
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- C:\Windows\SysWOW64\reg.exe
  reg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2928
- \??\c:\program files (x86)\premieropinion\pmropn.exe
  "c:\program files (x86)\premieropinion\pmropn.exe" -boot
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  /C C:\PROGRA~2\PREMIE~1\pmropn32.exe 4112
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\PROGRA~2\PREMIE~1\pmropn32.exe
    C:\PROGRA~2\PREMIE~1\pmropn32.exe 4112
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  /C C:\PROGRA~2\PREMIE~1\pmropn64.exe 4112
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\PROGRA~2\PREMIE~1\pmropn64.exe
    C:\PROGRA~2\PREMIE~1\pmropn64.exe 4112
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3020
- \??\c:\program files (x86)\premieropinion\pmropn.exe
  "c:\program files (x86)\premieropinion\pmropn.exe" -updateapps
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.aad.brokerplugin_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.accountscontrol_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.asynctextservice_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.bioenrollment_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.creddialoghost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3632
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.ecapp_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.lockapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedge_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.vclibs.140.00_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.win32webviewhost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.apprep.chxapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.callingshellapp_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.capturepicker_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4184
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.narratorquickstart_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.peopleexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.search_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.shellexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.xgpuejectdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1008
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.xboxgamecallableui_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.client.cbs_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.undockeddevkit_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=ncsiuwpapp_8wekyb3d8bbwe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows.cbspreview_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3632
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows.printdialog_cw5n1h2txyewy
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    CheckNetIsolation.exe LoopbackExempt -a -n=windows_ie_ac_001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
- Loads dropped DLL
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\PREMIE~1\RData.reg

Filesize
3KB

MD5
8a1c9bf4332cb23429307fb7f0a97fbc

SHA1
77f480f6621074e986b3d7ae22735c8cebd33605

SHA256
8db0bc43d75cbb30f29f3db85476de83dfa49e979835a28412783d00cd853e10

SHA512
70fcc5f8362c184f7dc66805b7cc91d741c0e1836d4801b535125ab5f929c7d565ee0c67652f0adbb9eb95eddee7371e9bb3d3e0997b855ed05cf758df5fa428

Download Submit
C:\PROGRA~2\PREMIE~1\snt.dat

Filesize
3.1MB

MD5
660e9ed793cfa8960de21fe9cd32db0b

SHA1
1f30bc16218654b05499a90ab1ef6b3148840d31

SHA256
995b28b3187361792ba9db986cf4bf5ed1de3cb5f0a8b5c55925eead06779d7a

SHA512
9b97d97a9c97e8b84436356338d76040619cf19337c8048c83fdf480ab0fb8cdbd8b115aeaa03e7202aa0a8eb91e14c83602af01353083ed07e736ac95cb0984

Download Submit
C:\Program Files (x86)\PremierOpinion\cacert.pem

Filesize
3KB

MD5
77eb3ade4c5b0db67c6e8a26f131073c

SHA1
ad9e8c00174cc2e707f59df671f89a9d7fc2ffc7

SHA256
9f19e7a7139cca8373b516ab1ae49c644aa1c8048e8c7aa5784774a081dcbb87

SHA512
20eb7d34c80bb8d8a415bcdccf8e46cb36396c095ed1468b69c0cb91da915e3a14c7fd55247f68e64ff71cf8d336cc286c3662710ca6281840fdc2f1eb7ac6a1

Download Submit
C:\Program Files (x86)\PremierOpinion\pmls.dll

Filesize
885KB

MD5
50a0c6c01cdc5d2690ccd1f1541f6670

SHA1
c5e017a468efb70eabb1f861784edac62acb0e17

SHA256
f9a853830949bb22d6f4d128d71a0ab923d9b5549c0dc8785c7de7d1a4eabf99

SHA512
028d5a56c581d3751628c7503e83aa52c332678495943c3648049ae0b26a7190e98395ad205cf60896140d1a802c14a346a2d1553e7b53090c3f5beefd66e9b1

Download Submit
C:\Program Files (x86)\PremierOpinion\pmls64.dll

Filesize
1.1MB

MD5
aa56cb7fd83150c3a75cd6a0de97eb78

SHA1
34415c5c8e57cfe9a7b4a498eacfe1403f3191ec

SHA256
034e066829d28bbc81604250f6df721a35ab1c0898ab82bef6305ffada240765

SHA512
765f12e5e060db934d0f4e8159bb9bd10cdbe797d79488a0dc88215a73e49101e279ca69e10c1775a5e161bb4dd02585724c7c87bbefdcdd047adb4277804fa2

Download Submit
C:\Program Files (x86)\PremierOpinion\pmph.dll

Filesize
807KB

MD5
9d96ccb0d5ab5541b61d5c138d91796f

SHA1
cf3ee3e66c8f9c23e3efd29978215461347e650d

SHA256
379a1f1f02c8cb704f248c2f1ff79c8986f73c350a3bf6d9bbc93aeacd286e36

SHA512
69ca7d96896d872eefa63f0c0bd9613526a914e99c4cf12b5d221315277aa64894d99d0f5ce9c5e0ef640d61c9202cd3d51ddb2ab4c55f8fdf60d24a8c1ff6ac

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn.exe

Filesize
6.7MB

MD5
f27f98c1a877f9ca6f06c23bed4014ca

SHA1
25a231319659c30d6f86a5c9cdd1747d7c471542

SHA256
1ed47933c9f33c4860ecc0bf1ba7525212aa00054037a9a51a8d8f5ce3b821bd

SHA512
f054a618d2f8e7a829c26548312b436e21058ee1ff64b40e7c19be2bde037003c21332af3c60e2fd92675af80526ef6faf84b8c1d7a095bb2c4d0b799e66599c

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn32.exe

Filesize
245KB

MD5
6e4d6b68e9565c4cc7791b00c2094ff9

SHA1
965a00a5a8bb05b35fbaa357951779ea3b71e392

SHA256
65d6f18e1b366aff5343c3f6628041329e7c1375d18ba57076b19bf5f48bc483

SHA512
0cb1396822c7350057cfc7280e1c67ccf1e1a2206347a10025e285f00e9364563685ba5282775960a9329511fd321a631222c87ae7ca8106eca00fb78722b20f

Download Submit
C:\Program Files (x86)\PremierOpinion\pmropn64.exe

Filesize
304KB

MD5
ae5bbcc69b05359d0d5cc72ca6a1262e

SHA1
6843bd883d50216be44065411a983a4bcccdcc91

SHA256
12bfd1007634138b22c56ead24db02a1fe3a4d4b7fe04d30cd07a0ff5d4c8425

SHA512
6417aaeb4ccd86504bc1f83e32c91a60920e98fff833c02fdbef974819a3288cab0c96d6b114ceed4432c305d49120cacbc7e0da69c911f4035aadfbec7a91de

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\3231ae299a0af0b2\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\assistant_installer.exe

Filesize
2.0MB

MD5
3b103a9ba068fb4f932d272d19f5619f

SHA1
8270adf6a18d0101ce54afb77179d55a78a35fc7

SHA256
7e9f5f137372bf9e13383dc06c71139d92a4a7efcb5c64c570311999ecafab15

SHA512
83011d2315dfdd8838d62b66f576259882033e28e58ffb1931f97bb0a105cce5f03a4ca6c1de88611876d038f7e2ca7be626d4e0fb689d1ed8c99c6ce9adda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\dbgcore.DLL

Filesize
166KB

MD5
612a3bebcf72256296103e034ace0236

SHA1
4e722e00e3294194224ae348477e3898c01b47b3

SHA256
3e20d38b7f1ab5dcbb1057f06f4dabf64e57b71d12a7335b4c5601b5b4a6047c

SHA512
dde0aabbe0905408c8df74fb51232b322e233dc43fc34f4ddac9a5e626359d7e4948d41f3fcbb95f0a635cbd229953757ba456a095b2b3523bb7a851663e6302

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202410150736471\assistant\dbghelp.dll

Filesize
1.7MB

MD5
3f68b6ab3dcfd45911952ed4f5d75197

SHA1
c24c63d36a26f2320ae1c70b282769fae1e18b48

SHA256
e2f7ff92d8b959239e535b1824eac0bcf21b3134418a7b0411fa0c92ab6259e4

SHA512
5e6e031c5b802f667dc846f5dddd3c3ff5ad810b6274633bf519aa07d6a4eb7cd1c810b04f9fd552e0f6c7bb7285db0d3dc64b7a5690899583ae30bdc4e3c09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A88F887\setup.exe

Filesize
5.3MB

MD5
d2b32d2ca95b09c440db5f37788a3829

SHA1
d0f5f06b9050ee2cc9202e6eae18349ab1257d70

SHA256
6cab004538645353524008c307f897f76a1b46282ea6761cc88fdd4b6fe3e9ca

SHA512
cc091d48ff9abf5add640bfdf99148b466cfded3cafc8451f87cf3723fd4b7f096e4b518216fbf7482f34167dc8deea5de251fe369bccd28ce2bf56b09163a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410150736463741548.dll

Filesize
4.8MB

MD5
a0a086eadb30b33d556ace427e6fe3b5

SHA1
ccd76ed307469d0e2ec59a57f4b9ef5f6db42123

SHA256
99ad2bef393791036eb600f35cd5ba5c7d9cdb28676ceb5fb6fbb748515e2f16

SHA512
f2208b5ad4180d7bfb1b6eab3f18f52692505d5fc84ef34118e16659421a099f11fad1ea49233951057bbdfcf173c13d9927fb2ea984629b8fe60cd91c8c14a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe

Filesize
3.8MB

MD5
bf6eed6cdc17a0130189a33a55ef5209

SHA1
e337f5a0931f69c464f162385f1330b4d27b372f

SHA256
ef2734657b11113a433abb7ebac962e2bf6bf685f05c5f672997f01875430168

SHA512
90d23fd84007343e85f9fc003cf826b112fd930216a24d8c1488468443ae2a4b0c3cc2426b91c81a8228e125050e922fce05672e010e65247709fc4a7b856f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~osDBE5.tmp\pmservice.exe

Filesize
4.2MB

MD5
4ef95918e313c7ca01084629416fc714

SHA1
5bdaba6920d3f4d1f8ea47ce693276530b5f2a9c

SHA256
303707068aab06ab0341178558c28ce1670d10f16c39522859c4f21097a87ee9

SHA512
75861731e9ec1a43741b2b84f60677e9fdf26d5db8d6e4e91297f826fc2c357272c18cede7f64c42798f5459900b33d693ababe4e1140e4cfc54ef7a04af633a

Download Submit
C:\Users\Admin\AppData\Local\opera.exe

Filesize
2.1MB

MD5
6e36001bb9dd12ef2405eca477018a12

SHA1
207fceca3a918145b6655d8001bc546695892471

SHA256
952a300a8bce36516380a28d90ebd0bf0cb3e9d98361970ff293c36cabc60bf2

SHA512
6802d54e5ffd6d3df81dc25a960c358aadc2c3ad09459f02f65f408e625052ee7eb1bf271c2b020f379ac9c6e42eb461092696903675bf14cb2e1a237b8dbde6

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f59f1216ba3088858d8551ff7f5be553

SHA1
b5bb8690fa4547c451efb0d571f8de7d2be22b11

SHA256
0a012e85467e00cfc1d36c1cdfbcebb5b2f460c9bacd795774e0ad93c8a44a30

SHA512
ae0d5c6ad0cbb3e0536d8fbd04e0098679d5bff6df625d9f1fff920ca6f2a20c6d36ac68b5b9368195442bb355607c987af4bf713dc6153b790cd71b912663f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/2248-286-0x00007FFBCA7C0000-0x00007FFBCAEFF000-memory.dmp

Filesize
7.2MB

Download
memory/2248-281-0x00007FFBCA110000-0x00007FFBCA17B000-memory.dmp

Filesize
428KB

Download
memory/2248-283-0x00007FFBC80F0000-0x00007FFBC815A000-memory.dmp

Filesize
424KB

Download
memory/2248-285-0x00007FFBC88D0000-0x00007FFBC8901000-memory.dmp

Filesize
196KB

Download
memory/2248-279-0x00007FFBC9770000-0x00007FFBC982E000-memory.dmp

Filesize
760KB

Download
memory/2248-280-0x00007FFBC8D70000-0x00007FFBC9039000-memory.dmp

Filesize
2.8MB

Download
memory/2248-284-0x00007FFBBDA50000-0x00007FFBBDB58000-memory.dmp

Filesize
1.0MB

Download
memory/2248-282-0x00007FFBBD4A0000-0x00007FFBBD970000-memory.dmp

Filesize
4.8MB

Download
memory/4112-367-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-363-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-366-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-368-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-365-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-364-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-357-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-358-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4112-359-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4984-232-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-233-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-239-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-237-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-240-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-238-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-243-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-242-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-241-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4984-231-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download