Analysis
-
max time kernel
1042s -
max time network
1040s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
08/11/2024, 23:07
Static task
static1
URLScan task
urlscan1
Malware Config
Signatures
-
Downloads MZ/PE file
-
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\wintrust.dll pmropn.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation Roblox Evon Exploit V4 UWP_10728997.exe -
Executes dropped EXE 21 IoCs
pid Process 5604 Roblox Evon Exploit V4 UWP_10728997.exe 332 OperaGX.exe 5240 setup.exe 5412 setup.exe 5340 setup.exe 5476 setup.exe 5536 setup.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 4436 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 5236 assistant_installer.exe 1064 assistant_installer.exe 5928 ContentI3.exe 3800 pmropn.exe 3852 pmservice.exe 3724 pmropn.exe 552 pmropn32.exe 472 pmropn64.exe 1540 pmropn.exe 1040 Process not Found 3300 Process not Found 6156 pmropn.exe -
Loads dropped DLL 28 IoCs
pid Process 5240 setup.exe 5412 setup.exe 5340 setup.exe 5476 setup.exe 5536 setup.exe 3852 pmservice.exe 400 rundll32.exe 1292 svchost.exe 3724 pmropn.exe 552 pmropn32.exe 472 pmropn64.exe 2912 unsecapp.exe 5340 NOTEPAD.EXE 3512 Process not Found 4300 chrome.exe 3180 Process not Found 2100 identity_helper.exe 3684 msedge.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 6156 pmropn.exe 5104 powershell.exe 5104 powershell.exe 5104 powershell.exe 5104 powershell.exe 5104 powershell.exe 5104 powershell.exe 5940 Process not Found 3696 Process not Found -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe -
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\kbdusx.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\makecab.exe pmropn.exe File opened for modification C:\Windows\SysWOW64\mfcm120.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\msalacdecoder.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\tapisrv.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\cewmdm.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\d3d10_1core.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\gamechattranscription.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\iaspolcy.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdtuq.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\windows.graphics.printing.3d.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\applockercsp.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\desktopshellappstatecontract.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\migration\sxsmigplugin.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\ntprint.exe pmropn.exe File opened for modification C:\Windows\SysWOW64\wscapi.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\dcomp.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\d3dscache.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\fxsapi.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdcr.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdne.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\mssign32.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\negoexts.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\nlsdata000a.dll pmropn.exe File created C:\Windows\system32\pmls64.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\smartcardcredentialprovider.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\windows.networking.vpn.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\wpdshext.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\nlsdata0010.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\Dism\sysprepprovider.dll pmropn.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\storfwupdate.inf_amd64_ccad14ca37132a1e\storfwupdate.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0007\_setup.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\wsmres.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\acwow64.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\uxlibres.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\webcamui.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\gameux.dll pmropn.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\rdcameradriver.inf_amd64_fa52d0c0fe17b959\rdcameradriver.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdaze.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdntl.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdukx.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\mprmsg.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\msafd.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\windows.applicationmodel.store.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\dot3dlg.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\winrsmgr.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\winsyncproviders.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\windows.applicationmodel.store.preview.dosettings.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\fdbthproxy.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdtaile.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\keyboardfiltercore.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\ondemandbrokerclient.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\profext.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\searchprotocolhost.exe pmropn.exe File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-core-registry-l2-1-0.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\IME\SHARED\imetip.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\atlthunk.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\clipc.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\040c\_setup.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\ir32_32original.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\kbdgeooa.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\robocopy.exe pmropn.exe File opened for modification C:\Windows\SysWOW64\cfmifsproxy.dll pmropn.exe File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-security-lsalookup-l2-1-0.dll pmropn.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll pmropn.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\presentationframework.resources.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\uiautomationclient.resources.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\reachframework.resources.dll pmropn.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\microsoft.mashup.document.xmlserializers.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\system.xaml.resources.dll pmropn.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\net.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\msvcp120.dll pmropn.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\system.identitymodel.resources.dll pmropn.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\microsoft.build.engine.resources.dll pmropn.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\system.workflow.componentmodel.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll pmropn.exe File opened for modification C:\Program Files\Mozilla Firefox\wmfclearkey.dll pmropn.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\c2rintl.sv-se.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mip_core.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\stslist.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll pmropn.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe pmropn.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll pmropn.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll pmropn.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\microsoft.ceres.docparsing.formathandlers.pptx.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\reachframework.resources.dll pmropn.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll pmropn.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll pmropn.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\mimekitlite.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\system.windows.forms.primitives.resources.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\omraut.dll pmropn.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\system.data.services.design.resources.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\microsoft.office.interop.outlook.dll pmropn.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_bg.dll pmropn.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\system.web.entity.design.resources.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\msb1xtor.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\databasecompare.exe pmropn.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\reachframework.resources.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\system.windows.controls.ribbon.resources.dll pmropn.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll pmropn.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\mavinject32.exe pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\presentationui.resources.dll pmropn.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_kn.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\microsoft.hostintegration.connectors.dll pmropn.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\sensemirror.dll pmropn.exe File created C:\Program Files (x86)\PremierOpinion\pmropn.exe ContentI3.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\system.web.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\system.xml.readerwriter.dll pmropn.exe File opened for modification C:\Program Files (x86)\Windows Defender\eppmanifest.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\system.xaml.resources.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\rtc.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe pmropn.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\system.web.entity.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\system.linq.dll pmropn.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\microsoftedgeupdatebroker.exe pmropn.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\system.data.linq.resources.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\uiautomationclientsideproviders.resources.dll pmropn.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\Classification\mswb7001e.dll pmropn.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mraut.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\uiautomationclient.resources.dll pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msocr.dll pmropn.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\system.drawing.dll pmropn.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe pmropn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll pmropn.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_quz.dll pmropn.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-tools_31bf3856ad364e35_10.0.19041.4355_none_c4a8103aa8bb56d8\f\licensingdiagspp.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_ppi-ppiskype-c-a_31bf3856ad364e35_10.0.19041.3636_none_e69f3bd188919f86\f\msoidclim.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-winsetupui_31bf3856ad364e35_10.0.19041.746_none_3d057843247a13ec\f\winsetupui.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.3636_none_2a0c80dc4367a318\atl.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.4474_none_f2ad893ca3025732\r\twinui.dll pmropn.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\system.design.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.1237_none_4b16fb7fab206eb1\r\printui.exe pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-s..ity-netlogon-netapi_31bf3856ad364e35_10.0.19041.610_none_bb9e4c20e9170a1d\r\logoncli.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-chsime-binaries_31bf3856ad364e35_10.0.19041.4474_none_f0378a287dbb751a\f\chsem.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-c..services-certca-dll_31bf3856ad364e35_10.0.19041.3636_none_82daaf76d3c3469e\f\certca.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.4355_none_bd2272dfb5942812\r\scrrun.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-com-complus-ui-comuid_31bf3856ad364e35_10.0.19041.3636_none_621f8f184f0db1d1\comuid.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-dtc-runtime-tm_31bf3856ad364e35_10.0.19041.1_none_4f899ba5ba1d68fd\msdtctm.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-video-tvvideocontrol_31bf3856ad364e35_10.0.19041.3636_none_6d9c8b756cce3f01\msvidctl.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_multimedia-voiceactivationmanager_31bf3856ad364e35_10.0.19041.4355_none_55eaf32578a75129\r\voiceactivationmanager.dll pmropn.exe File opened for modification C:\Windows\WinSxS\msil_microsoft.windows.d..iagreport.resources_31bf3856ad364e35_10.0.19041.1_it-it_c9a3f218a72e7163\microsoft.windows.diagnosis.commands.updatediagreport.resources.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.4355_none_6ac5affcd954693b\r\mccsengineshared.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..tion-wiatwaincompat_31bf3856ad364e35_10.0.19041.264_none_38c68dc04ed236b0\wiadss.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_10.0.19041.1266_none_eb6597ac99d11603\r\audioendpointbuilder.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_10.0.19041.3636_none_3f281e9cec63d609\f\inkdiv.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.3636_none_992c9ec89bce0c72\r\wscapi.dll pmropn.exe File opened for modification C:\Windows\WinSxS\x86_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_6723a46eefe53392\r\I386\ps5ui.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.4355_none_a5fc4f6628b020f3\f\kerneltracecontrol.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_microsoft-windows-wmi-view-provider_31bf3856ad364e35_10.0.19041.4355_none_d55d52be4fa8a0fd\f\viewprov.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-s..owershell.resources_31bf3856ad364e35_10.0.19041.3636_zh-tw_20dbc741851f2736\f\microsoft.storagemigration.commands.resources.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-repadmin_31bf3856ad364e35_10.0.19041.1_none_b6b53473f278f7cc\repadmin.exe pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..cationcompatibility_31bf3856ad364e35_10.0.19041.3636_none_a74c0611816d1b51\portabledevicewiacompat.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..ncredentialprovider_31bf3856ad364e35_10.0.19041.1202_none_dfbb9429d8183336\facecredentialprovider.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.19041.1081_none_8f1e438c6737a711\r\wscproxystub.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-m..console-nodemanager_31bf3856ad364e35_10.0.19041.3636_none_ff1bfe6d0abd8851\f\mmcndmgr.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.3636_none_f14e63f5b12916d3\winnsi.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.19041.1202_none_cd68049c9076546f\f\mighost.exe pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-perceptionapi-stub_31bf3856ad364e35_10.0.19041.1023_none_f01fe2bd09cb41aa\r\windows.perception.stub.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\rdpsaproxy.exe pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.3636_none_61a03e172ceea000\f\wshqos.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-wia-automation_31bf3856ad364e35_10.0.19041.4355_none_7a2c73aa7918978e\r\wiaaut.dll pmropn.exe File opened for modification C:\Windows\WinSxS\msil_microsoft.hyperv.powershell.resources_31bf3856ad364e35_10.0.19041.388_en-us_dc185f8f79b9bb03\f\microsoft.hyperv.powershell.resources.dll pmropn.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1041\microsoft.visualbasic.activities.compilerui.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ddriverprovider-dll_31bf3856ad364e35_10.0.19041.1110_none_e75d71f769f6f55b\r\signdrv.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_e80cafad6623705f\proquota.exe pmropn.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\system.appcontext.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..rtcards-phone-winrt_31bf3856ad364e35_10.0.19041.4355_none_d6b844af5b5a5733\f\windows.devices.smartcards.phone.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..on-aad-wamextension_31bf3856ad364e35_10.0.19041.1151_none_de426c505bd0f24f\r\aadwamextension.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.3636_none_f9aa3bcc8e7d4381\r\printdialog.exe pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-opengl_31bf3856ad364e35_10.0.19041.1081_none_8df7863e72e7400c\f\glu32.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_localuserimageprovider_31bf3856ad364e35_10.0.19041.4355_none_4b4418bbe0125286\r\microsoft.localuserimageprovider.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gamecallableui.appxmain_31bf3856ad364e35_10.0.19041.746_none_0119299746221375\r\xbox.tcui.exe pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dskquoui_31bf3856ad364e35_10.0.19041.4355_none_f2e89996698f475e\dskquoui.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ime-korean-commonapi_31bf3856ad364e35_10.0.19041.844_none_b78eaf7eaa01dcca\imkrapi.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_e8b8012dee3ba92e\finger.exe pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-onecoreuap-wlansvc_31bf3856ad364e35_10.0.19041.4355_none_c1ee8421dbecf85c\r\wfdprov.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmanhttpconfig.exe pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-hello-face_31bf3856ad364e35_10.0.19041.3636_none_75e45d5ce800fafc\f\facerecognitionsensoradaptervsmsecure.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..esources-mrmindexer_31bf3856ad364e35_10.0.19041.746_none_46afd7212e24de92\f\mrmindexer.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_windows.networking.vpn_31bf3856ad364e35_10.0.19041.4355_none_abae3c27d5ab2ae4\r\cmintegrator.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.19041.1_none_5f3561098cddf682\sxsoaps.dll pmropn.exe File opened for modification C:\Windows\WinSxS\msil_microsoft.windows.d..perlicense.commands_31bf3856ad364e35_10.0.19041.1_none_b0c9ac3ce15e1f45\microsoft.windows.developerlicense.commands.dll pmropn.exe File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_11.0.19041.4474_none_0a61cfd89f99f5bc\f\iertutil.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mitigation-client_31bf3856ad364e35_10.0.19041.1081_none_e15c172231b1940f\mitigationclient.dll pmropn.exe File opened for modification C:\Windows\WinSxS\msil_microsoft.windows.d..otingpack.resources_31bf3856ad364e35_10.0.19041.1_it-it_13a9d0fbc172843a\microsoft.windows.diagnosis.troubleshootingpack.resources.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-icacls_31bf3856ad364e35_10.0.19041.1_none_f2fa56e679b879d1\icacls.exe pmropn.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\system.web.dynamicdata.resources.dll pmropn.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..al-people-relevance_31bf3856ad364e35_10.0.19041.4355_none_cf40c04afb55665c\windowsinternal.people.relevance.dll pmropn.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-wlan-dialog_31bf3856ad364e35_10.0.19041.746_none_f7fc6a3480d4f2d5\f\wlandlg.dll pmropn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ContentI3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OperaGX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language assistant_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox Evon Exploit V4 UWP_10728997.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmservice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox Evon Exploit V4 UWP_10728997.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language assistant_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CheckNetIsolation.exe -
Checks SCSI registry key(s) 3 TTPs 44 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\ClassGUID pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\mfg pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A pmropn.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A pmropn.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName pmropn.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM pmropn.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A pmropn.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\mfg pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\ClassGUID pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ClassGUID pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ClassGUID pmropn.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\mfg pmropn.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\mfg pmropn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\ClassGUID pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Class pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\Class pmropn.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc pmropn.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\Class pmropn.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 50 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs pmservice.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs pmservice.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix pmropn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs pmservice.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs pmservice.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755810053277758" chrome.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" pmropn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs pmservice.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" pmropn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs pmservice.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs pmservice.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Opera GXStable Roblox Evon Exploit V4 UWP_10728997.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable Roblox Evon Exploit V4 UWP_10728997.exe Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings Roblox Evon Exploit V4 UWP_10728997.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D pmropn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmropn.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 19000000010000001000000012cab0233db2f09a0336851de92237df0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 5c000000010000000400000000080000140000000100000014000000c04d850dcd7a8e9bc67e8f20375eb747fd3d397e040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c7619000000010000001000000012cab0233db2f09a0336851de92237df2000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a5810030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c762000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = 0f000000010000002000000059b45fa897dc38a658a39e65922901f06e83ad128e69a13503a586f0ddb29c76030000000100000014000000a8aed8642f8ab55f26212d915c615bdab8c0de7d040000000100000010000000d7331d40fc0ca9d2f4e45d8a280a58102000000001000000bf040000308204bb308203a3a003020102020900b8bc215aa037539d300d06092a864886f70d01010b05003081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d301e170d3139303932363230303231305a170d3439303931383230303231305a3081d9310b30090603550406130255533111300f06035504080c0856697267696e6961310f300d06035504070c06526573746f6e311b3019060355040a0c124469676974616c205265666c656374696f6e3131302f060355040b0c284469676974616c205265666c656374696f6e20436572746966696361746520417574686f72697479311e301c06035504030c154469676974616c205265666c656374696f6e2043413136303406092a864886f70d0109011627737570706f72742d7465616d406469676974616c7265666c656374696f6e70616e656c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d54e84e4ff6a497854211480176680c606b4e72935884775798aed7f7480686feeb63b1389feccf931e081c22000052094a03d257cfefa99dec2669f2ef4b79bd593dc3ad1e934156ffc803118f25525e055fce0fb21ba59156f915dd1bf73e5070940542be08d2ffe9757a07d9767086872503996a84f4576a4baea04c007326dfdd7d4742b9e17d6218a2f63fe2967a446792e4c1fda227fc6ca1efbbff315d88577d27bcc555e40af8f888caba76dd92dcdd3bbcbb8c0a1ac9153cc3661278858627666d8e4afab2b30ad19e6eb593c3e2febe478a5bff871cd29616bff8b1ce371fbbf375fcd8e869f89062167d855354803291513fb9668d7afbf24b9cb0203010001a38183308180301d0603551d0e04160414c04d850dcd7a8e9bc67e8f20375eb747fd3d397e301f0603551d23041830168014c04d850dcd7a8e9bc67e8f20375eb747fd3d397e300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b05000382010100bd8eb4a6bf99cb1d410709db71e2c933bfd76226013472f23a52da23652ab968e946bfdb495a20736b86ffb900f5ee2ccb1be25ae5eecec9ee47bfe75ccd143a76909febd45d3e240d4492e2b81d66622afb5de284683eb8455570961fa2b7ee899ff19d2f30c31d450a64d4f80b0658a37ebd37e9331f5eb9add40df722a141526c089bf7ce8f7559f766562fded7c78ef0ca231bd006db812b637d56e56805cef2106cec8e388b8d30e1510a1f00e45a55dad1859a6d7907fe5dba2465ec757277b85479dd8e3af211e6d247d51b3144705c7e18fc5bf7ac83f0e2e2bc080f6c27efe89c997156339e7d482411f34c401678651f2ea3c9ca4542769a28beeb pmservice.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D pmservice.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 405266.crdownload:SmartScreen msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5776 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3844 msedge.exe 3844 msedge.exe 3684 msedge.exe 3684 msedge.exe 2100 identity_helper.exe 2100 identity_helper.exe 5264 msedge.exe 5264 msedge.exe 3800 pmropn.exe 3800 pmropn.exe 3800 pmropn.exe 3800 pmropn.exe 3852 pmservice.exe 3852 pmservice.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 4300 chrome.exe 4300 chrome.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe 3724 pmropn.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 400 rundll32.exe Token: SeDebugPrivilege 3852 pmservice.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeTcbPrivilege 3852 pmservice.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeShutdownPrivilege 4300 chrome.exe Token: SeCreatePagefilePrivilege 4300 chrome.exe Token: SeTcbPrivilege 3852 pmservice.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 6156 pmropn.exe Token: SeDebugPrivilege 5104 powershell.exe Token: SeDebugPrivilege 5104 powershell.exe Token: SeDebugPrivilege 5104 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5776 NOTEPAD.EXE 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe -
Suspicious use of SendNotifyMessage 50 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 4300 chrome.exe 3724 pmropn.exe 3724 pmropn.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 5604 Roblox Evon Exploit V4 UWP_10728997.exe 5604 Roblox Evon Exploit V4 UWP_10728997.exe 5604 Roblox Evon Exploit V4 UWP_10728997.exe 5604 Roblox Evon Exploit V4 UWP_10728997.exe 5604 Roblox Evon Exploit V4 UWP_10728997.exe 332 OperaGX.exe 5240 setup.exe 5412 setup.exe 5340 setup.exe 5476 setup.exe 5536 setup.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 4436 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 5236 assistant_installer.exe 1064 assistant_installer.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5972 Roblox Evon Exploit V4 UWP_10728997.exe 5928 ContentI3.exe 3800 pmropn.exe 552 pmropn32.exe 552 pmropn32.exe 552 pmropn32.exe 472 pmropn64.exe 472 pmropn64.exe 472 pmropn64.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3684 wrote to memory of 2016 3684 msedge.exe 82 PID 3684 wrote to memory of 2016 3684 msedge.exe 82 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 624 3684 msedge.exe 83 PID 3684 wrote to memory of 3844 3684 msedge.exe 84 PID 3684 wrote to memory of 3844 3684 msedge.exe 84 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 PID 3684 wrote to memory of 3680 3684 msedge.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Loads dropped DLL
PID:1292
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://filedm.com/8jA2z1⤵
- Loads dropped DLL
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbf5e046f8,0x7ffbf5e04708,0x7ffbf5e047182⤵PID:2016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵PID:624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:82⤵PID:3680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵PID:3576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵PID:400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:82⤵PID:776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵PID:4964
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff721e25460,0x7ff721e25470,0x7ff721e254803⤵PID:4364
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:12⤵PID:4592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵PID:552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵PID:2348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵PID:236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3656 /prefetch:82⤵PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵PID:1880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:82⤵PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5264
-
-
C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_10728997.exe"C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_10728997.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5604 -
C:\Users\Admin\AppData\Local\OperaGX.exeC:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=03⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:332 -
C:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exe --silent --allusers=0 --server-tracking-blob=ZWYyMmVkODZjYTBjMTdiMmEwMTFkNzZlYTYwNzdmNWMwNzRmMDdlMWFiZDBlZTMxYzUyOTE5NjRhYjBiOTUwZDp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYV9neCIsInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1iNmZkNzU0MTFiODg0NjI5YTBhMjQ0NjNlMTdiOWY2ZiZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInRpbWVzdGFtcCI6IjE3MzExMDczMTYuODE0MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjI7IFdPVzY0OyBUcmlkZW50LzcuMDsgLk5FVDQuMEM7IC5ORVQ0LjBFOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgLk5FVCBDTFIgMy41LjMwNzI5KSIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9HQl9QQjVfMzU3NSIsImNvbnRlbnQiOiIzNTc1X0ZpbGVETSIsImlkIjoiYjZmZDc1NDExYjg4NDYyOWEwYTI0NDYzZTE3YjlmNmYiLCJtZWRpdW0iOiJwYSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiIwZDVlYjdlOS1hMDQ3LTRlZDctYTU5Yi0xNTNlOGFlNGJjZGUifQ==4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x30c,0x33c,0x340,0x338,0x344,0x70e68c5c,0x70e68c68,0x70e68c745⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5412
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5340
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5240 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241108230844" --session-guid=04151f13-ca1a-4713-89be-b4286f33b8eb --server-tracking-blob=NGEyMGJhZmJlZTZiNDhkNGY3OGQzNGMyZmQ1NGI3YWRhOGRjNTkzZTM2NGRiMGMyMjMzMWJhMjRjYjljNjFkMTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1iNmZkNzU0MTFiODg0NjI5YTBhMjQ0NjNlMTdiOWY2ZiZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMTEwNzMxNi44MTQyIiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiJiNmZkNzU0MTFiODg0NjI5YTBhMjQ0NjNlMTdiOWY2ZiIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjBkNWViN2U5LWEwNDctNGVkNy1hNTliLTE1M2U4YWU0YmNkZSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=28060000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exeC:\Users\Admin\AppData\Local\Temp\7zSC41C1728\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.159 --initial-client-data=0x32c,0x330,0x334,0x304,0x338,0x70048c5c,0x70048c68,0x70048c746⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5536
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4436
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x694f48,0x694f58,0x694f646⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1064
-
-
-
-
-
-
C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_10728997.exe"C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_10728997.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5972 -
C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5928 -
C:\Program Files (x86)\PremierOpinion\pmropn.exeC:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:hbpOU_c04U48uuQsyKPOPN -o:04⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3800
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5776
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3968120248205444355,13562626829786216699,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:22⤵PID:5772
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2268
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:636
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\7a0b5c6cac6e4c92a1bc5d785ff1c2fc /t 5608 /p 56041⤵PID:5892
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\3562676530c44e769d16b0f749a695e7 /t 2716 /p 59721⤵PID:3936
-
C:\Program Files (x86)\PremierOpinion\pmservice.exe"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\pmls64.dll,UpdateProcess 12922⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
C:\Windows\SysWOW64\reg.exereg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y2⤵
- System Location Discovery: System Language Discovery
PID:1276
-
-
\??\c:\program files (x86)\premieropinion\pmropn.exe"c:\program files (x86)\premieropinion\pmropn.exe" -boot2⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3724 -
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -s3⤵
- System Location Discovery: System Language Discovery
PID:3252
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -s3⤵
- System Location Discovery: System Language Discovery
PID:6240
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Get-AppxPackage3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
-
C:\Windows\SysWOW64\cmd.exe/C C:\PROGRA~2\PREMIE~1\pmropn32.exe 37242⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\PROGRA~2\PREMIE~1\pmropn32.exeC:\PROGRA~2\PREMIE~1\pmropn32.exe 37243⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:552
-
-
-
C:\Windows\SysWOW64\cmd.exe/C C:\PROGRA~2\PREMIE~1\pmropn64.exe 37242⤵
- System Location Discovery: System Language Discovery
PID:752 -
C:\PROGRA~2\PREMIE~1\pmropn64.exeC:\PROGRA~2\PREMIE~1\pmropn64.exe 37243⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:472
-
-
-
\??\c:\program files (x86)\premieropinion\pmropn.exe"c:\program files (x86)\premieropinion\pmropn.exe" -updateapps2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:4728
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2020
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:3536
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=f46d4000-fd22-4db4-ac8e-4e1ddde828fe_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:3504
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.aad.brokerplugin_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:6132
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.accountscontrol_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:816
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.asynctextservice_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.bioenrollment_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:3504
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.creddialoghost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.ecapp_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:1656
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.lockapp_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1548
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedge.stable_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:6024
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.win32webviewhost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1656
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.apprep.chxapp_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1548
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1164
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.callingshellapp_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1132
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.capturepicker_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:5740
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.narratorquickstart_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:5044
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:448
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:788
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.peopleexperiencehost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:976
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:3320
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.search_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:6132
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.sechealthui_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:4756
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.shellexperiencehost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2460
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:4064
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.xgpuejectdialog_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1236
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoft.xboxgamecallableui_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.client.cbs_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:1656
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=microsoftwindows.undockeddevkit_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:976
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=ncsiuwpapp_8wekyb3d8bbwe3⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=windows.cbspreview_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:5740
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=windows.printdialog_cw5n1h2txyewy3⤵
- System Location Discovery: System Language Discovery
PID:2460
-
-
C:\Windows\SysWOW64\CheckNetIsolation.exeCheckNetIsolation.exe LoopbackExempt -a -n=windows_ie_ac_0013⤵
- System Location Discovery: System Language Discovery
PID:6188
-
-
-
\??\c:\program files (x86)\premieropinion\pmropn.exe"c:\program files (x86)\premieropinion\pmropn.exe" -installmenu:PremierOpinion -v:NONE2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4300 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffbe2f0cc40,0x7ffbe2f0cc4c,0x7ffbe2f0cc582⤵PID:5956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2012 /prefetch:22⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2148 /prefetch:32⤵PID:1528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2376 /prefetch:82⤵PID:6124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3148 /prefetch:12⤵PID:2908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3188 /prefetch:12⤵PID:3812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4568 /prefetch:12⤵PID:2188
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4704 /prefetch:82⤵PID:752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4828 /prefetch:82⤵PID:5472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4380,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:12⤵PID:5936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5184 /prefetch:82⤵PID:4868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5420,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5448 /prefetch:82⤵PID:5112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5584,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5596 /prefetch:82⤵PID:5576
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\How To use Evon.txt2⤵
- Loads dropped DLL
PID:5340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5200,i,11371200937158406170,13002522692090489556,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5180 /prefetch:12⤵PID:816
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2420
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
- Loads dropped DLL
PID:2912
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD577eb3ade4c5b0db67c6e8a26f131073c
SHA1ad9e8c00174cc2e707f59df671f89a9d7fc2ffc7
SHA2569f19e7a7139cca8373b516ab1ae49c644aa1c8048e8c7aa5784774a081dcbb87
SHA51220eb7d34c80bb8d8a415bcdccf8e46cb36396c095ed1468b69c0cb91da915e3a14c7fd55247f68e64ff71cf8d336cc286c3662710ca6281840fdc2f1eb7ac6a1
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize2KB
MD511ac7dd43740d11bfd283cae4f566b57
SHA19c9be0c45d5d3d5e75e9ecde435093cfd68304c8
SHA2562c406d4d9ad8603606dd12a70c260e353bed90145775ad5755109b8e2d1cc0bc
SHA51234d14f5717388aa158c026a6c399920b12196b2af2087de1ca3e735acf406dad0950fe6d252860506873d06ea009f11dcda5aa8ae51742b03d7cbece52202469
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\174A7705F9EB36DBEC7A426BB49E6993_6AE44E5AA6164155452A8CAFF25FFD1E
Filesize471B
MD5d83cff6b7b59ae3598c86a5738d03f5f
SHA15195dc0f258771b81bc036cfbebeebb2f3aa82e2
SHA256a00bb459b1a5125c603648f494560d5387bcad7588119ac51c1a434dbc9a225c
SHA5123de763f295e0616157817d6a5983e4940c36316d03a87fbb00b792b8f3c97e5d84920c9f5ce7d14c5ba08c93aa0492b34480d4c6586dbc701fe6a0604392ec8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD504aa1b25f53682aa1f27b48d0115d3c5
SHA120f5ab3031f8d17a834977341eb8d62576286625
SHA2560630fe3c74cf55473780bdcb0faa1f8c3c1be86375341d2fd143ee8722dcd663
SHA5127e1da3066e73145782a00fd77f3b6be1c494c7f866785995065348bd6a0cf6e263e2335b723158eeb1edfef3658ab1c980f7a6dd5830055fc37d4a1f72616c2c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\683777F22CA5F117A17AED22F9EC628A_31A59FE3E1C95A9B7E3A97BFDB0F6EEE
Filesize472B
MD5f15adb91b466d74350975736e759311f
SHA1bf6e27fba9273db64488f509f2bf739476ad30d7
SHA25665f891dc47d26c937e9fa88f8ed815fe9275b0d92b77834a4e635f48797b696f
SHA5120680d6fa2bd15edf8e214afd9ca2b0cd609a09f0e9f591b1c92921b0be8af4bdb2a301ac6c91eb75e4286be0115c9dda0d436e6ad9237d0a4e0d2b0732eae748
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize1KB
MD5d524192b6683264adff2ce02d0e82b81
SHA1637ab2592d23a51d7a8908d861946da8026525d2
SHA256150efdb8fffab026ef9cf5d263f708eeb582c2f035b20a255e9d6f4b202950c3
SHA5122645fa319d6cf862162fad7ec027dbfd6040dec3528c5bf8cd2d1f242732027809b69ac6de5bdf47b38555158e174e14f1e12cef16107919627dd8dd5bbd60fa
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD57194820cc46c7516fb0c7b7c4fb99060
SHA1f5f7a0000ed9f8a3fbfb01f55f2cb080b14a13bd
SHA256c7498628b06e8b53daac1f2fcff44b618e596a8803318ddb8fd14ea7cb5befdb
SHA5126908548f7038790c2d651e61a68918a99132d7946003f2a3947f50b247f580d8f3973f098ddd49ffaa6bd9ed67a2069bf82921f19d460b636aa640f2847990a3
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize2KB
MD5bc7a1e9e6639edc61db35d66a98e1f18
SHA1c2b836cc38882393ecc6b644bf65e1b50aff2eb2
SHA25654a4efca8302df466e09f1b9ef0ba29354da670a02c9442a396a0b31420bfd97
SHA5121ba3eb29aadaa7c98482d0954e4c8290262019b4f382c94a86f2fd71d3ca24bf94a97feee8e86ed58d2ea9d64d60924fe7c65d4f7f090bb93966f26bf1a10967
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize1KB
MD5b72ff6e13e79d64bf24c1496ccc86e56
SHA1f5f78c54935863c1a9e6ea4335744b2071d07e40
SHA2563286d9e0ed24911570d72a81283694e28186f6c18b6d691c86c039df0e3a5571
SHA5126e12c206ebcd74bdb68572795bedc9d7775b2f4b4e66c968006a1ad8b6f6a1920955844a42178ee137b02227c6b60d770b4e74cb4c4861134549da3f3aad69f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD521b92bc3ccac781687465f6ce9a0011f
SHA1b3d65f1bd1943dd12384b3a263483942514d0ab2
SHA256f81fdcb9cafeef40e896ecff1c4c5f07ece0f56c5abe737c91a2c31eb17ee485
SHA5124643f13de61e6d327cce508cb5e064ada8c5dc21e818e6cfcfa9cdc01a7a8997a9f24ae0a8c36989c028b26796ea636966cf01b8bd904285abb7fed9e4f56223
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
Filesize488B
MD5301b55ffe86df1731e7807d71cddd9ae
SHA1b136dd925fc96f9838ee31eac3d0f131eaef7c27
SHA2560f6136dc95451c01d01506e8c9251cfcc700d071a06186fdacd5063bfa6e9b9d
SHA512b7892d7fc9a98158e9546624e20ceaa8ccb5ca6ac57733d3b0cd1e0f263227f7f1f5a3d0d7a57c486bcf4d021623a2666c1c0c29c65f6a3091244016faec82e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\174A7705F9EB36DBEC7A426BB49E6993_6AE44E5AA6164155452A8CAFF25FFD1E
Filesize422B
MD518483c506cd3f87d51d0268be85c6ace
SHA14d8bd3f1ac9c5b1e0f4189b450ae7fa051243979
SHA256774c332eee1add50ca1278e06b5267b4cedbea2bb71fa298d3c0e776cfd8afec
SHA512d2717f0e98414f25bb2b83be4694ba0c3e4bf2940aaedaa986b3d9144539ef9f54d82000cc79816e264383b1289ef30ef64d1d5abf94d5aed1f1ffea1cb34c6e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD54ce880569c9b963c6b285b70c610c546
SHA1a87a23f622e9ae746470550907b6ef331f5ba464
SHA256f01a316408fc81af2635c220a31416a33110e64dc4a832ff5aac900799756b1e
SHA512f9c34f25508271ec7b58658b6ba4b84b512cd729a1c983d055a5563d8be874733ad86bb79f114e29900cb730de8157df18323122647896a437befc3c49d42350
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\683777F22CA5F117A17AED22F9EC628A_31A59FE3E1C95A9B7E3A97BFDB0F6EEE
Filesize410B
MD5623c2ea2e22258c91ebd474aefec24ef
SHA115c9327f3c3bea4cc360f5a31417544098cf4fe9
SHA256209b5ee35da14ded78beefb6c7d7242aa6c07e0c7ecce56bbc1fd68f49b072b8
SHA512d4fe53c30912328f2fc41e85402978c75321a622953ce6e288e4c85914490361fc40a96b49d781ebe69f34897a932d4499f7d0a5c5e7a71a8b90ad94a7856030
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize434B
MD522fca9cfcc5af78689b99c38d3bd50f6
SHA170454d30c5479e75ed3b03f874a8e70f1cfaf0dc
SHA2564a68ad323e844b41dbfbd5dbe48848335abcd9ab4a21c4dfd96bb124378923a4
SHA512ffbef628d985376fe9633c13a9cb8b8dd5cacfe3f4cac2c4a63f03228e95d8de87bd275d3aa436c4022e1b79d5843d06887a4baa6392b84d918aca48ac0b5ef7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5515e8ff66cff03528774780cfabc3934
SHA18a68b07cd14f7e7b132f92c5c775a41b1524b3c4
SHA25605bf50b77f362c22617da8ef72d21a3bdd73f5385c01158021ac7667b719e78d
SHA5121fdf050203e82376cf7373956e7df8b9e4ab5b72d9bc17b9060f229bc5222d6a06b6f8a88db58e3b29c66fc6f57a081d061d3a5eab18f0102d81aca9e4bb804e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5e86d393b69e7289f89d90f6c16d149de
SHA13d589886ff747eb2b44d69aac8521f5e9b430f58
SHA2561368237b5e212b310cdb7c6e383d6acff1a86f7b347891f64a666cb2d97bc021
SHA512c0f435486637265b2c9cb833cff71387fa32ee39ae861d1a58cfaf5b227f5bf85ecb3e6ce4f950fdc16d6bd329a6b58f49631883f89ace5b9fa1f08c22283347
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5a0a80c3ca0bc0ea0d6f7c17a81b55b0a
SHA1a30fb6db5f489ee6215dc75a716ab6b3cc360b10
SHA256d026f7967472084e8f26c07e216d38bf1d8596a389f5f6ac06bdbbf724d519c2
SHA5121689974f4c8dcd2b8e3f2f59b1c7e007418dcde5404c473dab08d15ff1f3af75501366de7d469026f2ed9a77829dc7becd24b091267cc2fffdcc85eb45b09bcd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD571198a9c1cba2986ba8190f961fa70ae
SHA14811559ce1ec0548d851235c6776f53a32e23ac1
SHA2560e06d13135b17f442c4b195047040954c898245bc432d9c71d7a6a95d7e33268
SHA5124f745371a2ad380e29189108c752e4209f550b626b94658c124622a97c602494aa19f236537741453cf0933ce8fd23fe4deefb8cb18f4efe93867e592daba06a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize432B
MD5d95525f69c701c0a3a21c8309295d86e
SHA1cd4cec4d3ac56af1670a38171f3972561221f2a5
SHA256af48317758755ea2f9184c67381aa5abf625aa33cc82fe7657f08c363d445813
SHA5128db4f4c0a2995f46835195e545e8ca0bfb12a41b856367772f4b61b8cb19df4dc4d756b2b39f7467ab51607e4548aecc8723b95c2ec51e0f32924c2f4b2e909c
-
Filesize
64KB
MD547fbdb32feb8262d56358d80f812e2e7
SHA1f55a5fc552101bc348dd4a219d19ff2af75f2b6c
SHA256114df311ec1d3b5042373e417a2a460039795708e279dd9523cc189b41274ee8
SHA512376527c76a1b6e9a578bbaea9b71f28bbc91e92cb1b0335eb536ab7d4227f707bb5d3410a234786e15e2aa24249f18ba243992eae344b72ba0eb6030a43e5c4e
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
976B
MD5d28a3a348e8e69a24f524f62189c7421
SHA187185b6e4ffcc180220281881d69f5b93a6508e9
SHA256071ae84ea408e68d627e0ade481632806dff9853d4c892f58a7c228815a01cfa
SHA5120b20c587fd3d9b8acc2af77d2bf60b6d4caf34b65c2f92856166c1f91947ffc205a1f5832d6d5547d6bfa7e86541c5a74bf82134a9acb5ea42b2bdae255754e5
-
Filesize
649B
MD59cdea01ace88b0e143f393543de84d77
SHA1f5a2f70125573469f5f4b11d74bd7d2b981fede1
SHA2569e561fafcad5580dbf1392fc1ff71aa0db01b5ba1b00542b647bdff04d1f7000
SHA5127d397322aa85ea28979cf415adfea58bd71976f2213501c44d2bb45ae9540bf2032a2aa9fae543be80e8e73292e1e025bfac24a8ee6c27b9169198dab5adbddf
-
Filesize
216B
MD50b352be5435a341156d0548a1e85718c
SHA140f07fa808b781596c18207c7e04093490be701a
SHA25625149aa39ce5ce30f5de15e59491b500dc0f33f88f906c0a795f898cdc45fff9
SHA5123d4d509acbf88f22ce58a7423173dc542b8c3255669302422e7b5b72fc4c2fed988a45eb5f937bafc7681dcc2cab27d1899138eae6d16f1f9bfa4adb9cb41a4e
-
Filesize
3KB
MD5de629c30c2478fd6869d9daada41326e
SHA1b9d2d3b95e208baf338275f95c0130a06711637a
SHA2562e7b7b54c6d10737ef2d7facb9a3e85b5df91ae3aae30ef62559e5e9e5ffbe0a
SHA512dc07e6542f536aaa8719ab781e5a68a2c78c770a8dc12853e4f45ac9abc90372638f9b3a0f9c585ca3de4fe7f424f7e7067a8b07732ae06232071323162152b2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
520B
MD537e7aae1ceb0309711385c5cd6ce8c59
SHA1d464b7eba38a2cddd1fa02c8282849c3390c5654
SHA256d4b527338926bc10dd93af8d47e746d60e215f6c406444280c9fb89cf9f7c9e7
SHA512f69d5bd9e182c1b6e24609d64066d77f8a3d8d26b73b5e8dc40bc9549de0be56a2a047d1d4b2367fb78e28c340ff092a3605042b50572be6fdb4f0ca233673bd
-
Filesize
354B
MD5a07cc8a04509c2b1fd76fb8caf3035c1
SHA127de63664a47d2e675cf102df5f641dbbde51d14
SHA2560697a59aad3a54a3df92b98ace04dffabbfeef829ee7883c961af507f5e4c432
SHA512136b98a1bcc96b7399735ddec2c42d46ddc56de9bd07326d7e019d5a2901ed9be7c52fb8eaa3d4d6b670776d470c0f568fd199bf52be77932680c5bf575056eb
-
Filesize
9KB
MD55a7f568cb0116678fb9e3cfc8f7d2eaf
SHA1b071505d1fd11ffa7e78d210d19ce2685c7b1f02
SHA25663f1ef3b5f3a300da4e295d2ca115ab563fe96899f39168cd07ce2333b9c1bbd
SHA5126e99a9047ba14b2a1feb669c83a4482adb9a74602fd761a7dafc212f9c26fd83b9fd3e4500eebb4526e7135f61187a1c7c4ac22c4c542be7ed331feb82010e71
-
Filesize
9KB
MD547877ea6f662105b5df7627207832bfa
SHA102b19fcbcebd7d0e9615850ec0f9e1cd00808fd4
SHA25642dfc0a9c7953c2f7d3c185f6835b260fb0bd3587c01f338cb27558601bde997
SHA51221acb8d0d6d6b5a335580629bf9a37b40017131f8a305cb35c651b4d4cc995e02790998bae354fc3efd9b14f79c795a1b3cd4122d55214f7baf74f00bcfbf529
-
Filesize
15KB
MD5cd3bfd2c182381d22658fbcbccf0a9dd
SHA1f16089ae6b6d340025292aa8fef033207e912faa
SHA256f4df6e990bdd84515b64d2f5e5eba923217496519e682632e78bb9a05a34d5c2
SHA5129ed34b719cf233a86e615cafda626e9e547c164b9962c113b73eb6a336817f51c7ec94ec4c03ff63c126b77e52d92208469f9533eef7e10d34e155f51ecfa0fd
-
Filesize
234KB
MD5c0a923ffab212cc679fae5e1b422a1a4
SHA15360ad7e66caff5781eda3518170e170674a18d0
SHA256b76d237f340d145147187565af597255618944e54c4b1902753257fee913f3fb
SHA512207df6ea63d140dbf4f26c56b9d17bc8c14b7aa0c15bcad9fa599e53d9a5ea674989d639866aaf416c6ab0c09755b1429346a4f21f917a011da3555738b549d1
-
Filesize
234KB
MD549397b6b903e5f6b10d7e6d36b87e6a9
SHA12c22e754f7644964cb8cefd1b6abf6ab17aafc94
SHA25690a0243e6651abc3da22a09d9d488ed60661a31c49d0c2fdf971c20f6fd75b67
SHA51235349b4d12b182e453ee883ce18cdbb151806409f293f98d6dfa0f720b217519af1245db10d4b7dd839ff93eb7ade2ba79c52ecb26fe0504e4e6c3b28782aa3b
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
152B
MD5b5fffb9ed7c2c7454da60348607ac641
SHA18d1e01517d1f0532f0871025a38d78f4520b8ebc
SHA256c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73
SHA5129182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7
-
Filesize
152B
MD532d05d01d96358f7d334df6dab8b12ed
SHA17b371e4797603b195a34721bb21f0e7f1e2929da
SHA256287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e
SHA512e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize192B
MD5f174cb6407533df137653046386bd7f3
SHA181b697018884156b254e7fa28bfacd43ec9431a1
SHA256465c2d3db358a7697d7e54a96a83eb3c6ef1eed755ffb95a5874954689f55253
SHA5121d554c9acb20941d88658f16e722f5808783557c6982489067e24aea749e8563c271125d6b07cbba5ec78383e0f81b6390d97c6d310759e362c5bb0e2851d9f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5c5fbe3dad6588fc0ed4c7c8631db3ab4
SHA1836a81b3aedee61a4d0b3d3f9f5ed77e5e07c3df
SHA256505393e7bacf76c7e4bf748397589d6921e267242791b81c5608caafacdb60bb
SHA512942bc3a5e7bbfd5611610fcbc2a43eecd1d68f3a0f57505799b7ae8fee7fa3c36c9688e31f701022544cf3b50fa742e9ff4966ac8bad08c1ede8f044d39dfe9d
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD54570311e595895cd13b6b1c08378ba5c
SHA1bd1e177e893ac45b1cd68102cfc32cbea9117fa7
SHA256ef96de6a22285475bccd4b5beb79f2905455d0c876d85d06ac5cbf1ca6146724
SHA5129ed4d83883d2de06518165f07d4a72b153222810cae4848f211a953407b4cd419c116be886e39053ae13b825d44434a8b461d317d909db1d676b3454ad78e71d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe588e12.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD534f687377b19cc9a6b1c19754e922322
SHA1a0bdb6dc77ef0111ffc2d373bbc8834165649b28
SHA256b4381dc19e93277dd849812dd0db7a39bd94b1a20bec9f107192a1db1438add8
SHA5128a53246818fbb94d7f7691ecbc0233b38bf6dda6cbf9627c64863cb18597319f02bb1d771ebf48e30dad8ce7679652503b10243b4668887274682df82e15da72
-
Filesize
5KB
MD53221f80cc48eed92c137093761fa3793
SHA1ba7a95aff072d8058f0907b2a245a0e35a263a85
SHA2567ae3f4ba00dc672a83514c46e5ce8fda48ffc6c9edca3c198c19096f0e7d2ff0
SHA512b065ff63bf6be5d77e5304cfbeaa9b307cbcf8107ae64eec02ab97f439e23618db5ac082f0fa081e824de1c1aef39fca1db5efcc21da090b6dfd290817bc50e3
-
Filesize
6KB
MD51f94d82d8f2a27e180699536f8c0edf8
SHA16c252f75be2f7c05df394b06aeda585ead758f5e
SHA2561f77fa4dc28b08420341937bab05b8d35e5af18bd8176759822bf50e78aaf209
SHA51262dee6802526ceaeaa481f7bb19189772b4b474a06633fbad454ed2f57819767c53954c4bce1f8eb2477182416f9ac9c1a2d07d4899716f5e0ffeaac925f6961
-
Filesize
6KB
MD5dbf06263d92c2ed17949bfe3b692b2de
SHA18d9167c28575a8d514f71325d4dac6f1e71aff37
SHA2567d05e6b7b48f685b3e6f14a375e20bedaaea8353e926913f07ffc99d82d662c2
SHA5126a0453478704e662298b142240b8308c9e99a32ed3fd6a1634946ebe598c420508a555627c555c49207bc537a497811b8b3be1f96f7d2237685f8cb7db803957
-
Filesize
24KB
MD5ac2b76299740efc6ea9da792f8863779
SHA106ad901d98134e52218f6714075d5d76418aa7f5
SHA256cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199
SHA512eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77
-
Filesize
24KB
MD56e466bd18b7f6077ca9f1d3c125ac5c2
SHA132a4a64e853f294d98170b86bbace9669b58dfb8
SHA25674fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc
SHA5129bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5f58c7cca4e3c2dbc606dfffa8e08c3de
SHA1af4014b1962439042d23e6a56bb2e159eb4b797d
SHA256f09dc3ab730f9d3a1a68358405b652fe1dc42c184a70fd418722237e9a7e2686
SHA51289f71a955d469541a97c63f92c8089712d77d106702cf3c9ef6fa5d8637f2546699c488ce7b075deceacc19beebbe418f27d1afa48d8592e276042926c62297a
-
Filesize
11KB
MD5975cc567ce39a7ebeab053b301bcfa08
SHA184a426bb767249a49fa5b6f71f26ef488c94fb9f
SHA256ee61f7dea745704359bd36a660e80076a012210c5bf37784d450e95da9f89fdb
SHA512964a1a74bf4ffdf966dec40efe23099a37fc05fcbad5a5fd39f0766ad3be26e68afebfc36da1989a0b69949e5a53cda3e72e751941dadce8907fd3d7bd10aef5
-
Filesize
8KB
MD55448cdd6aecd25286c2c9c1ebddad615
SHA17ab1ca479a8b3e1a149529eb051c61c6a4cbef7e
SHA25649dcf2a94972e5263b54915be2ca860c8a4028c4ceddfa917d0b4322bfa11f26
SHA51299b2cbcc952525269f33cb9672e104f5555130e22faae2cb43bfc551b0e842ae0dc586c1a2ce6b8c4b082cf61ccc25578798e17a9b97c6a8dd7f212c861c8500
-
Filesize
1KB
MD52d4e9e8198f0c3eade53c619cd1fe4ea
SHA180b29f8dd0c4951ce7cad0db1fad1d9fdb275fc9
SHA256c97e703578120c1f7a570acac3b461178a5e051ce16be9e266c1789c1d610ac0
SHA512afef06bfc6bf857a1b7966a04a8779aabf3e8a6d79b4c51867335190959acc469a4e1929b4c66430a3eece1aa5d1decddad005b326ec830c2b3a57179f3c626e
-
Filesize
4KB
MD53ef9efb5c3c17e2b685057beac484e0b
SHA192e7ae0ebf2b57d72ea4091f065f29187cdf76fa
SHA25620b0f94844860501e115fccd5c1462b2e2c932041d7989dc51c6d885b3429d8a
SHA5126631ba4269375b502eccbcf601b0daccc98538f36bc0e1e2e5e48a28b4b9f523e06cb46d14b7ac2c60f70ce258b873fc42e31ebfb5237cb43cba7fb6a428eafc
-
Filesize
13KB
MD5fcbf2eabfc15730a7c441a01d4eae2de
SHA1995991ddae2088f7791c894b8b600646af1af138
SHA256df3b48bac33b50c5a36a9e7ed2b2f6bd09f82772558c4ba8c5a2067dc8162074
SHA512eb32d2ccdc2c80fe3dc713a0fa59eafa1f823521aa2d49c1c8ef7a471965a8c892088b388cc883e5d376eab35d74ccea4ab7ef1790373beb4439c79581ea755d
-
Filesize
18B
MD507e33330912a955172e2ca95d7851016
SHA17dd7d1042dfb9dfc5e3247577262f0ce3ce135a9
SHA256e0fdb959411dc284f2d7b009cf7fe6781c6ebd9d545cb458f336a107c86f52bb
SHA512903b95fe85ef148dfe5c07d6a293ec4eb0485a93da3dd8c62276f8c961dfe03fe5655b15636428d9fe03e10c50f19be375ef4ba7a19050847560d427c2c82b11
-
Filesize
5B
MD540a18b7f7d0ff313ba759cdd576ebc29
SHA1f9b4e19755ded63c8917bdc361cb62e4ae5d2ca0
SHA256b63b3956d5ca52540aab6fe0723d84d9310400d274d0b4efb461016952bf2c16
SHA51217b661b277c899eaf49d46598d403297240e8a6f2d0a421f464321793bafcc37daaf2c24495bff14d7ad83439fea0887652278ddc94375e6b320b4ef11da0567
-
Filesize
3.2MB
MD54909165d9cfe09f897db7acb860beff5
SHA16e5284f5f2760bd7ebb766cb19f9339ce2e71a58
SHA2567f512f778a463c2fc17872d11093d92e9aa903d55420efbf41c18187a2f62ad3
SHA51260512b7cd9ee54993f82ef91baeb8df05777ec508f4438c8809a9329a96a8474533e3c9a53a8cd081743d405ef36d194f4d49493ff898c6543c7f90fc4026326
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\additional_file0.tmp
Filesize1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202411082308441\assistant\assistant_installer.exe
Filesize1.8MB
MD54c8fbed0044da34ad25f781c3d117a66
SHA18dd93340e3d09de993c3bc12db82680a8e69d653
SHA256afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a
SHA512a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481
-
Filesize
6.5MB
MD5dcc0d15e77a7872758e65deb0bfc6745
SHA11efb89e143bf5edd34d46ae8370ecc13d4c3339f
SHA25687a168a04a254b1cf1adfe732e8b7b08d5c3e76ddca4e8b7fb4e58ebef85fe64
SHA5129cb972bcd99fd03a924bbff79e8989a040d1202a77c9d8f62ea862cc6b1d258778410ad9a4de5f2aab43062f5e9fe17d7ab9baa000de98d22a47f1471d1de778
-
Filesize
6.0MB
MD51b07ce60bc1c77f0cadf13c2e62b1383
SHA1ca70d0ef99ae5d1ebf85880ee669ad1145e4d79d
SHA256e48eb19ca0210f9063f4e77c2f14293ee940eeaef2ecb9efceac7f6336cc203f
SHA51294c358b6dfef0fcb0012a3a43235292b18ebf897043baef0c110570e91cc73721b12f1f771df6d000b4097f3c0cc22dcc65330a9153c7a9643787d24da6108f0
-
Filesize
15KB
MD5f6dd4cc1b21bbad0d7b8f47db0c38388
SHA18f9f6bc3a26143585b203feb9b1454d1191e78d4
SHA256aa679f51259117fea9baa4fec16286c211087c2d177104b347f6f0fb6515ea87
SHA512b65a9e333bc29c5481779f2b93982e99c041bdfbd4eaeac0eeb1ffbb9b5cd5e807ab98ecd5dd5798ac0884d2a3ac49be983e3cc97aa9c7bdc9672e1d1c3cb836
-
Filesize
3.8MB
MD5bf6eed6cdc17a0130189a33a55ef5209
SHA1e337f5a0931f69c464f162385f1330b4d27b372f
SHA256ef2734657b11113a433abb7ebac962e2bf6bf685f05c5f672997f01875430168
SHA51290d23fd84007343e85f9fc003cf826b112fd930216a24d8c1488468443ae2a4b0c3cc2426b91c81a8228e125050e922fce05672e010e65247709fc4a7b856f1d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
885KB
MD550a0c6c01cdc5d2690ccd1f1541f6670
SHA1c5e017a468efb70eabb1f861784edac62acb0e17
SHA256f9a853830949bb22d6f4d128d71a0ab923d9b5549c0dc8785c7de7d1a4eabf99
SHA512028d5a56c581d3751628c7503e83aa52c332678495943c3648049ae0b26a7190e98395ad205cf60896140d1a802c14a346a2d1553e7b53090c3f5beefd66e9b1
-
Filesize
1.1MB
MD5aa56cb7fd83150c3a75cd6a0de97eb78
SHA134415c5c8e57cfe9a7b4a498eacfe1403f3191ec
SHA256034e066829d28bbc81604250f6df721a35ab1c0898ab82bef6305ffada240765
SHA512765f12e5e060db934d0f4e8159bb9bd10cdbe797d79488a0dc88215a73e49101e279ca69e10c1775a5e161bb4dd02585724c7c87bbefdcdd047adb4277804fa2
-
Filesize
807KB
MD59d96ccb0d5ab5541b61d5c138d91796f
SHA1cf3ee3e66c8f9c23e3efd29978215461347e650d
SHA256379a1f1f02c8cb704f248c2f1ff79c8986f73c350a3bf6d9bbc93aeacd286e36
SHA51269ca7d96896d872eefa63f0c0bd9613526a914e99c4cf12b5d221315277aa64894d99d0f5ce9c5e0ef640d61c9202cd3d51ddb2ab4c55f8fdf60d24a8c1ff6ac
-
Filesize
6.7MB
MD5f27f98c1a877f9ca6f06c23bed4014ca
SHA125a231319659c30d6f86a5c9cdd1747d7c471542
SHA2561ed47933c9f33c4860ecc0bf1ba7525212aa00054037a9a51a8d8f5ce3b821bd
SHA512f054a618d2f8e7a829c26548312b436e21058ee1ff64b40e7c19be2bde037003c21332af3c60e2fd92675af80526ef6faf84b8c1d7a095bb2c4d0b799e66599c
-
Filesize
245KB
MD56e4d6b68e9565c4cc7791b00c2094ff9
SHA1965a00a5a8bb05b35fbaa357951779ea3b71e392
SHA25665d6f18e1b366aff5343c3f6628041329e7c1375d18ba57076b19bf5f48bc483
SHA5120cb1396822c7350057cfc7280e1c67ccf1e1a2206347a10025e285f00e9364563685ba5282775960a9329511fd321a631222c87ae7ca8106eca00fb78722b20f
-
Filesize
304KB
MD5ae5bbcc69b05359d0d5cc72ca6a1262e
SHA16843bd883d50216be44065411a983a4bcccdcc91
SHA25612bfd1007634138b22c56ead24db02a1fe3a4d4b7fe04d30cd07a0ff5d4c8425
SHA5126417aaeb4ccd86504bc1f83e32c91a60920e98fff833c02fdbef974819a3288cab0c96d6b114ceed4432c305d49120cacbc7e0da69c911f4035aadfbec7a91de
-
Filesize
4.2MB
MD54ef95918e313c7ca01084629416fc714
SHA15bdaba6920d3f4d1f8ea47ce693276530b5f2a9c
SHA256303707068aab06ab0341178558c28ce1670d10f16c39522859c4f21097a87ee9
SHA51275861731e9ec1a43741b2b84f60677e9fdf26d5db8d6e4e91297f826fc2c357272c18cede7f64c42798f5459900b33d693ababe4e1140e4cfc54ef7a04af633a
-
Filesize
57B
MD5ce0a312502066224ba84dca4ba7b9132
SHA18b4b9ed966451188863515f8d4d587f46598f97e
SHA256711ba30fcd74f65387889d555527f862e574aaefb0dd8947d9d92fa7b6695f66
SHA5122a9c864999cc27268b7641723366c8cdc58dd3a03c246206c333a34e7dc9bdd0d0a5c4dd86f61cf8198bb5c50ef8139b889b875157cf30e330a19df31aa995e8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD50414d1b3e78f94eb8fe90070e590e12b
SHA1689d1a20b1d2b6e451535e2ff89752a0c34e570d
SHA256da222ba4b73f3e020d39e42acf64455007094a34bffff88a3a16f8e22f647fc8
SHA51266c2438e805076d13b3a7250db6c9d47c95f8dc28157518fefb99c1a5ae8df4e377649e5bb2de2efaa3595feb99996f768378be449cc5744f3283423913731b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5d469f11171737acef3e46f8bcd4ca33e
SHA1984647e7b7de65df51d3152d19e1ff374de9596d
SHA2567e4d155e404efc24bb9229bea5da49fa6876986817417b66130ca58848a962ae
SHA512dfcc96475098091eab99bca4aa97ebde1e2064f549f4c9a04fae5650189ef93bb6d90a950758d47e0ea854565173b5e455ac9f6f467ba9d7036454feb89db4d4
-
Filesize
40B
MD50a63266624899e0d0ad74ba6cedf94ea
SHA13722015c630dfa2a381c79949e330e9fd5f77cc5
SHA256dddd12e273a2e1312610102253688a936f747a553c4212227355688377dc9277
SHA512674a5b48859a5775b3df6a644f32b6cfeb0ddc0f88eb0d4e496e6f2ccd64427d3b89db7549d0b1087882a348096a4c115bebc4fc675befee928f26820d5f4f6c
-
Filesize
40B
MD51029ff83a0b1405d830447dd740b1026
SHA1ac1dc91e40efb830c8d57bd7294f10867a1dc796
SHA2560aa3b6a4c65d1d8fed31f37c4e25593278535ad809e759fe52257441121e1a7e
SHA5122d473917c02b8a39713b64d026160dee46fa9afbf8f267cabb5d87f4d795e4628aac34e8eea2d95e58dc6f19d517cf0c34de5cd4c184d2510c75b3b3253ff84a
-
Filesize
205B
MD5f9f39abb0e0a9c8953aef46733b24a23
SHA1533799df62153dc93d3c3e48c20e00b4d8a1c65c
SHA256e630fc474a3d55666a3757c84d9ac06d23d824d290e48b8cc369d032ccaeda51
SHA51202bf96316f7181bfb1c23da73ea833134719d8c07000fbd8baeb2633979e9f7f44fafb092b24924227d31fb6f90b88365bce436ddf04ecd0f4b4b22a5a7d9ad8
-
Filesize
5.7MB
MD515d1c495ff66bf7cea8a6d14bfdf0a20
SHA1942814521fa406a225522f208ac67f90dbde0ae7
SHA25661c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
SHA512063169f22108ac97a3ccb6f8e97380b1e48eef7a07b8fb20870b9bd5f03d7279d3fb10a69c09868beb4a1672ebe826198ae2d0ea81df4d29f9a288ea4f2b98d8
-
Filesize
3KB
MD54838ee953dab2c7a1bf57e0c6620a79d
SHA18c39cd200f9ffa77739ff686036d0449984f1323
SHA25622c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d
SHA512066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76
-
Filesize
3KB
MD58e64ab95d5d2c4c1e7a757624cb1fffa
SHA19889f93ad60bacb07683b4a23c40aa32954646d8
SHA256dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6
SHA5123ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c
-
Filesize
3KB
MD5c6086d02f8ce044f5fa07a98303dc7eb
SHA16116247e9d098b276b476c9f4c434f55d469129c
SHA2568901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA5121876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a
-
Filesize
3KB
MD539b9eb9d1a56bc1792c844c425bd1dec
SHA1db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51
-
Filesize
2KB
MD54ac1741ceb19f5a983079b2c5f344f5d
SHA1f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA2567df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize
2KB
MD5a9124c4c97cba8a07a8204fac1696c8e
SHA11f27d80280e03762c7b16781608786f5a98ff434
SHA2568ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392