Malware Analysis Report

2024-12-07 13:02

Sample ID 241113-smpvlsthlc
Target DLL Injector_51084141.exe
SHA256 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
Tags discovery spyware stealer
Score 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 6/10

SHA256 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42

Threat Level: Shows suspicious behavior

The file DLL Injector_51084141.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Downloads MZ/PE file

Drops file in System32 directory

Drops file in Program Files directory

Loads dropped DLL

Checks installed software on the system

Executes dropped EXE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Reads user/profile data of web browsers

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:14

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:14

Reported

2024-11-13 15:17

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dlsft.com udp
US 35.190.60.70:443 www.dlsft.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 70.60.190.35.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 dlsft.com udp
US 35.190.60.70:443 dlsft.com tcp
US 35.190.60.70:443 dlsft.com tcp
US 8.8.8.8:53 filedm.com udp
US 104.21.60.113:443 filedm.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:14

Reported

2024-11-13 15:17

Platform

win7-20241023-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Signatures

Downloads MZ/PE file

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SYSWOW64\pmls.dll | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
File opened for modification | C:\Windows\SYSWOW64\pmls.dll | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
File created | C:\Windows\system32\pmls64.dll | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmservice.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmls64.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmropn.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\PROGRA~2\PREMIE~1\RData.reg | C:\Windows\SysWOW64\reg.exe | N/A
File created | C:\PROGRA~2\PREMIE~1\RData.reg | C:\Windows\SysWOW64\reg.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmropn64.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmropn32.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmropn.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\PROGRA~2\PREMIE~1\tms.bin | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File created | C:\PROGRA~2\PREMIE~1\snt.dat | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmoci.bin | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmservice.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmls.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmls64.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmropn64.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmph.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmph.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\PROGRA~2\PREMIE~1\snt.dat | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\readme.txt | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmls.dll | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File opened for modification | C:\Program Files (x86)\PremierOpinion\pmropn32.exe | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\cacert.pem | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\catrust.pem | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File opened for modification | C:\PROGRA~2\PREMIE~1\snt.dat.bac | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
File created | C:\Program Files (x86)\PremierOpinion\pmocid.bin | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\PROGRA~2\PREMIE~1\pmropn64.exe | N/A
N/A | N/A | C:\PROGRA~2\PREMIE~1\pmropn32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A
N/A | N/A | C:\Windows\system32\wbem\unsecapp.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\PREMIE~1\pmropn32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = [certificate blob omitted] | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = [certificate blob omitted] | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A8AED8642F8AB55F26212D915C615BDAB8C0DE7D\Blob = [certificate blob omitted] | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A

Decoded from the two certificate blobs recorded in this table: the AuthRoot entry D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the widely distributed public Comodo "AAA Certificate Services" root (valid 2004-01-01 to 2028-12-31). The ROOT entry A8AED8642F8AB55F26212D915C615BDAB8C0DE7D is a self-signed "Digital Reflection CA" (C=US, Reston, Virginia; contact support-team@digitalreflectionpanel.com; valid 2019-09-26 to 2049-09-18) written into the machine-wide trusted root store by pmropn.exe and pmservice.exe. A private root trusted at that level lets certificates issued under it pass validation for any TLS server name on the host, so this thumbprint is the indicator to check for in the LocalMachine Root store when triaging affected systems.

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmropn.exe | N/A
N/A | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PremierOpinion\pmservice.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | \??\c:\program files (x86)\premieropinion\pmropn.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe
PID 1972 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 980 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe C:\Program Files (x86)\PremierOpinion\pmropn.exe
PID 1144 wrote to memory of 1672 N/A C:\Program Files (x86)\PremierOpinion\pmservice.exe C:\Windows\SysWOW64\reg.exe
PID 1144 wrote to memory of 1000 N/A C:\Program Files (x86)\PremierOpinion\pmservice.exe \??\c:\program files (x86)\premieropinion\pmropn.exe
PID 1144 wrote to memory of 588 N/A C:\Program Files (x86)\PremierOpinion\pmservice.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2748 N/A C:\Program Files (x86)\PremierOpinion\pmservice.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~2\PREMIE~1\pmropn64.exe
PID 588 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~2\PREMIE~1\pmropn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe

"C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe" -c:1538 -t:InstallUnion

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt

C:\Program Files (x86)\PremierOpinion\pmropn.exe

C:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:hKzStseX4zRHIQ6GvkPOPN -o:0

C:\Program Files (x86)\PremierOpinion\pmservice.exe

"C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service

C:\Windows\SysWOW64\reg.exe

reg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y

\??\c:\program files (x86)\premieropinion\pmropn.exe

"c:\program files (x86)\premieropinion\pmropn.exe" -boot

C:\Windows\SysWOW64\cmd.exe

/C C:\PROGRA~2\PREMIE~1\pmropn32.exe 1000

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

/C C:\PROGRA~2\PREMIE~1\pmropn64.exe 1000

C:\PROGRA~2\PREMIE~1\pmropn32.exe

C:\PROGRA~2\PREMIE~1\pmropn32.exe 1000

C:\PROGRA~2\PREMIE~1\pmropn64.exe

C:\PROGRA~2\PREMIE~1\pmropn64.exe 1000

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\CabD9AE.tmp

C:\Users\Admin\AppData\Local\Temp\TarDA4D.tmp

C:\Users\Admin\AppData\Local\Temp\PremierOpinion\ContentI3.exe

C:\Users\Admin\AppData\Local\link.txt

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmservice.exe

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmls.dll

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmls64.dll

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmropn64.exe

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmropn32.exe

C:\Program Files (x86)\PremierOpinion\pmph.dll

\Users\Admin\AppData\Local\Temp\~os78BA.tmp\pmropn.exe

C:\PROGRA~2\PREMIE~1\RData.reg

C:\PROGRA~2\PREMIE~1\snt.dat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Program Files (x86)\PremierOpinion\cacert.pem
