3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

10^/10

bootkit discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2240 bcdedit.exe
3844 bcdedit.exe
Downloads MZ/PE file

pid	process
2240	bcdedit.exe
3844	bcdedit.exe

Drops file in Drivers directory 12 IoCs

Processes:

360TS_Setup.exeEaInstHelper64.exeQHActiveDefense.exeQHActiveDefense.exe

description	ioc	process
File created	C:\Windows\system32\drivers\BAPIDRV64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360netmon.sys	360TS_Setup.exe
File opened for modification	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe
File created	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File created	C:\Windows\SysWOW64\drivers\360AvFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360AvFlt.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360AntiHacker64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360Box64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe
File opened for modification	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File opened for modification	C:\Windows\SysWOW64\drivers\360AvFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360Camera64.sys	360TS_Setup.exe

Executes dropped EXE 23 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exePowerSaver.exeWscReg.exeWscReg.exeEaInstHelper64.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exeQHWatchdog.exePopWndLog.exeQHSafeTray.exePopWndLog.exeQHWatchdog.exeQHSafeTray.exeDesktopPlus.exeDesktopPlus64.exeKB931125-rootsupd.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exe

pid	process
4008	360TS_Setup.exe
5068	360TS_Setup.exe
4476	WscReg.exe
2532	PowerSaver.exe
1480	WscReg.exe
1376	WscReg.exe
4300	EaInstHelper64.exe
4688	QHActiveDefense.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
3868	QHWatchdog.exe
3700	PopWndLog.exe
1384	QHSafeTray.exe
4968	PopWndLog.exe
3204	QHWatchdog.exe
5088	QHSafeTray.exe
4516	DesktopPlus.exe
3832	DesktopPlus64.exe
344	KB931125-rootsupd.exe
4072	updroots.exe
4996	updroots.exe
3420	updroots.exe
2108	updroots.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KB931125-rootsupd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate"	KB931125-rootsupd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1"	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "41,0,2195,0"	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*"	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update"	KB931125-rootsupd.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Sets service image path in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EaInstHelper64.exeQHSafeTray.exe360TS_Setup.exeQHActiveDefense.exeQHActiveDefense.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys"	EaInstHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360netmon\ImagePath = "system32\\DRIVERS\\360netmon.sys"	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\drivers\\360AvFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys"	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHProtected\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\WscReg.exe\""	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Camera\ImagePath = "System32\\Drivers\\360Camera64.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	360TS_Setup.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QHSafeTray.exeDesktopPlus.exe360TS_Setup_Mini.exe360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	QHSafeTray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	DesktopPlus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Loads dropped DLL 64 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeregsvr32.exePowerSaver.exeWscReg.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exe

pid	process
4692	360TS_Setup_Mini.exe
4008	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
3452	regsvr32.exe
4176	regsvr32.exe
2532	PowerSaver.exe
1376	WscReg.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 104.192.108.109
Destination IP 104.192.108.109
Destination IP 104.192.108.109
Destination IP 104.192.108.109

description	ioc
Destination IP	104.192.108.109
Destination IP	104.192.108.109
Destination IP	104.192.108.109
Destination IP	104.192.108.109

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

360TS_Setup.exeQHActiveDefense.exeDesktopPlus64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	QHActiveDefense.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	DesktopPlus64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360DesktopLite = "\"C:\\ProgramData\\360TotalSecurity\\DesktopPlus\\DesktopPlus64.exe\" /auto"	DesktopPlus64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	360TS_Setup.exe

Checks for any installed AV software in registry 1 TTPs 37 IoCs

Security Software Discovery

T1063

Processes:

360TS_Setup.exeQHActiveDefense.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName = "LocalSystem"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type = "16"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start = "2"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group = "TDI"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Alias	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName = "360 Total Security"	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl = "1"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	QHActiveDefense.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

360TS_Setup.exeQHActiveDefense.exeQHSafeTray.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QHSafeTray.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

QHActiveDefense.exe

description	ioc	process
File opened (read-only)	\??\h:	QHActiveDefense.exe
File opened (read-only)	\??\p:	QHActiveDefense.exe
File opened (read-only)	\??\y:	QHActiveDefense.exe
File opened (read-only)	\??\e:	QHActiveDefense.exe
File opened (read-only)	\??\f:	QHActiveDefense.exe
File opened (read-only)	\??\m:	QHActiveDefense.exe
File opened (read-only)	\??\s:	QHActiveDefense.exe
File opened (read-only)	\??\z:	QHActiveDefense.exe
File opened (read-only)	\??\j:	QHActiveDefense.exe
File opened (read-only)	\??\l:	QHActiveDefense.exe
File opened (read-only)	\??\n:	QHActiveDefense.exe
File opened (read-only)	\??\q:	QHActiveDefense.exe
File opened (read-only)	\??\t:	QHActiveDefense.exe
File opened (read-only)	\??\u:	QHActiveDefense.exe
File opened (read-only)	\??\i:	QHActiveDefense.exe
File opened (read-only)	\??\k:	QHActiveDefense.exe
File opened (read-only)	\??\r:	QHActiveDefense.exe
File opened (read-only)	\??\v:	QHActiveDefense.exe
File opened (read-only)	\??\w:	QHActiveDefense.exe
File opened (read-only)	\??\x:	QHActiveDefense.exe
File opened (read-only)	\??\g:	QHActiveDefense.exe
File opened (read-only)	\??\o:	QHActiveDefense.exe

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

360TS_Setup.exeQHActiveDefense.exeQHSafeTray.exeQHSafeTray.exePopWndLog.exeQHSafeTray.exeDesktopPlus64.exe360TS_Setup_Mini.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe
File opened for modification	\??\PhysicalDrive0	QHActiveDefense.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	PopWndLog.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	DesktopPlus64.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe

Drops file in System32 directory 2 IoCs

Processes:

QHActiveDefense.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat	QHActiveDefense.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat-journal	QHActiveDefense.exe

Drops file in Program Files directory 64 IoCs

Processes:

360TS_Setup.exeQHSafeTray.exe

description	ioc	process
File created	C:\Program Files (x86)\360\Total Security\filemon\360avflt64.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\libsdi.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\TS.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\tr\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\appmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\libvi.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\deepscan\cloudsec3.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\DiagScanTips.tpi	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\hookport.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\AVE\360ave_ex2.def	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\it\safemon\bp.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\it\safemon\360procmon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\deepscan\dsurls.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\UrlSettings.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\acls.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\ipc\360ipc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\libaw.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\ImAVEng.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\sites.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\spsafe64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\ipc\filemon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\spsafe.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\deepscan\DsRes.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\Safemon64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\360hvm64.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\360ipc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\it\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\ipc\NetDefender.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\scanproxy.dll	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg	QHSafeTray.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\wduicfg.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\CheckSM.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\rmt.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\deepscan\dsurls.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\dswc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\deepscan\ssr.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\deepscan\DsRes.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\360procmon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\spsafe64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ja\deepscan\art.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Utils\cef\2623\icudtl.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\QHFileSmasher.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\360calaInt.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\filemon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\wdi18n.sign	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\safemon.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\360boxld.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\ipc\360netr.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\deepscan\dsconz.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\ipc\filemon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\AntiAdwa.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\7z.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\router.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\chrome\manifest.json	360TS_Setup.exe

Drops file in Windows directory 2 IoCs

Processes:

EaInstHelper64.exe

description	ioc	process
File opened for modification	C:\Windows\ELAMBKUP	EaInstHelper64.exe
File created	C:\Windows\ELAMBKUP\360elam64.sys	EaInstHelper64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	360TS_Setup.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

QHActiveDefense.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe\1 = "1"	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe\5 = "1"	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan\NetProbe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	QHActiveDefense.exe

Modifies registry class 61 IoCs

Processes:

regsvr32.exeQHSafeTray.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\360\\Total Security"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\360TotalSecurity.ext.1\shell	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\ = "MenuEx 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.TotalSecurity	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\360TotalSecurity.ext.1\shell\open\command	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\360TotalSecurity.ext.1\shell\open	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\360TotalSecurity.ext.1\shell\open\command\ = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" %1"	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\360TotalSecurity.ext.1	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\.TotalSecurity\ = "360TotalSecurity.ext.1"	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

updroots.exeupdroots.exeupdroots.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\335A7FF00927CF2DF278E2C9192F7A4D5534F80C	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40B331A0E9BFE855BC3993CA704F4EC251D41D8F	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52\Blob = 0300000001000000140000000b77bebbcb7aa24705decc0fbd6a02fc7abd9b5209000000010000000c000000300a06082b060105050703030b000000010000001200000056006500720069005300690067006e000000200000000100000006030000308203023082026b021032888e9ad2f5eb1347f87fc4203725f8300d06092a864886f70d01010505003081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732034205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b301e170d3938303531383030303030305a170d3238303830313233353935395a3081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732034205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b30819f300d06092a864886f70d010101050003818d0030818902818100baf0e4cff9c4ae8554b90757f98fc57f6811f8c417b044dce33073d52a622ab8d0cc1ced285b7ebd6adcb39124ca41623cfc0201bf1c1631940597766ea2adbd61176c4e3086f051372a50c7a86281dc5b4aaac1a0b46eeb2fe557c5b12b4070db5a4da18e1fbd031fd803d48f4c9971bce282cc58e8983a86d38638f300291f0203010001300d06092a864886f70d010105050003818100858c12c1a7b950157acb3eacb8438adcaadd14ba89817e013c237121882f82dc63fa0245ac4559d72a58445bb79f813b92683de23724f57b6c8f76359609a8599db9ce23ab74d683fd327327d8693e4374f6aec5899ae7537ce97bf64bf3c16583de8d8a9c3c888d3959fcaa3f228da1c1665081724ced22644f4fca8091b629	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\64902AD7277AF3E32CD8CC1DC79DE1FD7F8069EA	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\20D80640DF9B25F512253A11EAF7598AEB14B547	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA\Blob = 0300000001000000140000001f24c630cda418ef2069ffad4fdd5f463a1b69aa090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003800000047006c006f00620061006c005300690067006e002000450043004300200052006f006f00740020004300410020002d0020005200350000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c02000000001000000220200003082021e308201a4a0030201020211605949e0262ebb55f90a778a71f94ad86c300a06082a8648ce3d040303305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3132313131333030303030305a170d3338303131393033313430375a305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e3076301006072a8648ce3d020106052b810400220362000447450e96fb7d5dbfe939d121f89f0bb6d57b1e923a48591cf062312dc07a28fe1aa75cb3b6cc97e745d458fad1776d43a2c08765340a1f7addeb3c33a1c59d4da46f4195387fc91e84ebd19e49928794870c3a854a669f9d59934d976106864aa3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604143de629489bea07ca21444a26de6eded283d09f59300a06082a8648ce3d0403030368003065023100e56912c96edbc631ba0941e197f8fbfd9ae27d12c9ed7c64d3cb05258b56d9a0e75e5d4e0b839c5b7629a00926216a62023071d2b58f5cea3be1780985a875923bc85cfd48ef0d7422a808e26ec549cec70cbca76169f1f73be12acbf92bf3669037	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\67650DF17E8E7E5B8240A4F4564BCFE23D69C6F0	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3070F8833E4AA6803E09A646AE3F7D8AE1FD1654	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D6DAA8208D09D2154D24B52FCB346EB258B28A58	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 0b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e006700200043004100000009000000010000000c000000300a06082b0601050507030803000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd252000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\68ED18B309CD5291C0D3357C1D1141BF883866B1\Blob = 0b000000010000002000000058006300650072007400200045005a0020006200790020004400530054000000090000000100000016000000301406082b0601050507030406082b0601050507030103000000010000001400000068ed18b309cd5291c0d3357c1d1141bf883866b12000000001000000fc030000308203f8308202e0a003020102021100d01e40900000274b0000000100000004300d06092a864886f70d010105050030818c310b3009060355040613025553310d300b0603550408130455746168311730150603550407130e53616c74204c616b65204369747931183016060355040a130f586365727420455a20627920445354311830160603550403130f586365727420455a206279204453543121301f06092a864886f70d010901161263614064696773696774727573742e636f6d301e170d3939303731343136313431385a170d3039303731313136313431385a30818c310b3009060355040613025553310d300b0603550408130455746168311730150603550407130e53616c74204c616b65204369747931183016060355040a130f586365727420455a20627920445354311830160603550403130f586365727420455a206279204453543121301f06092a864886f70d010901161263614064696773696774727573742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ad5418deb4bff7ade874aaed8b7c8fc2d4751ad584b9b662fc89efe4976192fb1db8e15a47349e9e0622fbd3ea38cbb88b07f71aa01777075a301cd4293820d72740d8509343bfd218a229760572aa6bb66998ab791e1c65f56a8bfcc516aaa272da60ed4e6e19257a0a1d30e3509b423c44eba1b0201edb027efe3d1fbfd0008adb4076a618a515a757b652c2011798778f8a81c61ab46a2ae6afa9d600accfd815497cdb1ba1fe81fa87f9d390c102c0f9d042e99168255fc6bf8739e995006028bf832cc0e75eb6d73616e7608776e8e727b2250d8b7ae5aa1de559cdce0b0e6fc6c89ce310d98539d3b79bfac6ba7c74d25d7556ab74a4a251bf527cee710203010001a3533051300f0603551d130101ff040530030101ff301f0603551d2304183016801408206c66eb810a6c5cd5b5a63c41dd1c96912777301d0603551d0e0416041408206c66eb810a6c5cd5b5a63c41dd1c96912777300d06092a864886f70d010105050003820101005a87588f2dab76216b540cd9f141f64ecd2b9ee31f9ba32d7fd92b7d58c867a429f5e9ecd5bd963fa373f8c45b367cd0632c34399b48b83d6ff614c59e63e6a7346ed3e833b3c73c186e23ae4392993f98c56930f1363badb93082d6b6591696020b291261b41189f70c2f94908598289c536c7e63dd73f419ff4a81d1b25223fd3c4a34ce5a1be0508aed4f8195d860e7e4c40dbb583e58f74e686f3e67c9cb7a971627ec42611476bb00c5eb083d157f4bb6225d873b90f4f3c0fe37b3e9d9620cc0c359af60bd1f0ddba1341f30c43d8badb01d0493ed5fd5e4bf203004f448e93301d12e902752b39bde3a1caba9977f9bebc28dc26decdc13d346c5797c	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\27EED22AFD58A2C64A855E3680AF898BF36CE503\Blob = 0b00000001000000200000004300410020004400410054004500560020005300540044002000300033000000090000000100000020000000301e06082b0601050507030106082b0601050507030206082b0601050507030403000000010000001400000027eed22afd58a2c64a855e3680af898bf36ce50320000000010000000c04000030820408308202f0a00302010202107cc095ead59474e9c42d1a95ee219921300d06092a864886f70d0101050500303a310b30090603550406130244453111300f060355040a0c0844415445562065473118301606035504030c0f434120444154455620535444203033301e170d3134303530323035343035395a170d3232303830323037343035395a303a310b30090603550406130244453111300f060355040a0c0844415445562065473118301606035504030c0f43412044415445562053544420303330820122300d06092a864886f70d01010105000382010f003082010a0282010100ce9431391f921638c5b96d977ed42153f88c0882c95ed1acc4e7402fd96336e1ea1eaaff2db48a4ca8ac7d810551178897ecff9215edcbdc9b284163f3347fd2b554f9c23cbbd4dabb116b9e2204a38f86e86207a73475d4f90ae65e59b043472541bb60a13897e643e8266332522f9a0bd41abb8ec2d7f98c1f3995f2f7be5064c274f1e51ab64693196e53a88ba662845ef452ed47d047f70e2d8e1e7d621576a2d7a292be017343fc7e4927e7cf3fc8ef9c4c7e25e8bbde725e950496e98c107aef015991fa9a1c0e30cfbbd82a7a2f206817de34a747aa4ed3e509b6983087c49a1b46aa7246821f966b8f83cff6217b07141c8926a25e7d5b849dc120ad0203010001a382010830820104300e0603551d0f0101ff04040302010630710603551d23046a3068801422a1863b26bd5b14ff6a9185f52292fa71bedafca13ea43c303a310b30090603550406130244453111300f060355040a0c0844415445562065473118301606035504030c0f43412044415445562053544420303382107cc095ead59474e9c42d1a95ee219921301d0603551d0e0416041422a1863b26bd5b14ff6a9185f52292fa71bedafc30120603551d130101ff040830060101ff020100304c0603551d20044530433041060604008f7a01023037303506082b060105050702011629687474703a2f2f7777772e64617465762e64652f7a6572746966696b61742d706f6c6963792d737464300d06092a864886f70d0101050500038201010040008ba5ffc5170144d24be0933f7acb43b3600b9bd2cf5a42742629ad163c32e058d463ec8e2d5c904ae756f6806fe34523fbe1a232388de980327c26447d057834c1b5387d9171c6b3dfe515b231c6218cc0f0498ad4047a971d59468cefbf82556480ed7813517da0904d869db802f63cb4107376151d859505bd07c1d8474fe05e10e4b4cfac1fc5e35939602fc85d948bf36b64c7a95ce4bddb797984b2de1923abf2d3597f04c3fada62a6b7509fbcc56dd516e7f6d30d26b0b4c844aa0b22d5f100b614cbfea4983dce7f31396b5d543f2aefa8b0102cfde6c04917d724961483940c7adae55f798fcdcef1952cf6223bc3618ff18492d3f6e64db438	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5F3B8CF2F810B37D78B4CEEC1919C37334B9C774	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F5C27CF5FFF3029ACF1A1A4BEC7EE1964C77D784\Blob = 030000000100000014000000f5c27cf5fff3029acf1a1a4bec7ee1964c77d78409000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b0000000100000014000000430065007200740052005300410030003100000020000000010000004e0400003082044a30820332a003020102020103300d06092a864886f70d01010505003041310b3009060355040613024b52310d300b060355040a13044b495341310f300d060355040b1306524f4f5443413112301006035504031309436572745253413031301e170d3030303330323135303030305a170d3130303330333134353935395a3041310b3009060355040613024b52310d300b060355040a13044b495341310f300d060355040b1306524f4f544341311230100603550403130943657274525341303130820122300d06092a864886f70d01010105000382010f003082010a0282010100cecfede1e8561dc94b32609b2ab7978761063468cb17aec078c5c6115b4b7c97abb96c4e2f00f6532ce9e19c5a906a3d7a3838355aad1c0a5985bbf563670913e9264fd83c5def5342de4562e43ecd72a4fab3c0e01f8e94e2652d55c115922c6ff343d43505053437a02cb4735bf12726949af5ba12ccfa7835a2ad54d5668f11eaa6194dd71335547b9197034763b0a90f68bed2f49eea8db57b44b5b92d38c900e3e5bfc675890399ff8c4b080fc20531a44d1711cec3750f6bb05fd0ac86ad7de9a088b9c612d6c03a2cd26f6c271daaff459bc603100269f906ef9f22a0383882c82411aca19e8f4dbe785fdfba3f83037d51a3f8c75da891681f1e72dd0203010001a382014b30820147301d0603551d0e04160414ff8a46723358e8488822aa1768da1648098b3591301f0603551d23041830168014ff8a46723358e8488822aa1768da1648098b3591300e0603551d0f0101ff04040302010630150603551d20040e300c300a06082a831a8c9a44020130300603551d1104293027a42530233121301f06035504030c18ed959ceab5adeca095ebb3b4ebb3b4ed98b8ec84bced84b030300603551d1204293027a42530233121301f06035504030c18ed959ceab5adeca095ebb3b4ebb3b4ed98b8ec84bced84b030120603551d130101ff040830060101ff020101300c0603551d240405300380010030580603551d1f0451304f304da04ba04986476c6461703a2f2f6469727379732e726f6f7463612e6f722e6b723a3338392f434e3d524f4f542d5253412d43524c2c204f553d524f4f5443412c204f3d4b4953412c20433d4b52300d06092a864886f70d010105050003820101002c3ca4236c42f8892847507ce3e6e7232d3636c6882a9198fb1e7c0fab9d11ad75ace45c6b31117433626fd4069111c67274982fb062fb3429af14f2c664e0bfabcb57b9619cf3624d3379d7662a51ccdc00540501567e8cb68e13f42d9951e19a78bc55514a49da5b0b82fb433ddacd9309cbb5a309c3b07d5948a29bd8fb37c36f0e37ea0597bfd26ea1c8e8c3fbf3ad32c855923442e0d412e5d4ed218ae79892ff5cd7a566aabff13a7c2dc2e0553505da916a0753d185b194c7260d1b682908c121930f6ba260b853af44d9645dd36e9b8412783118da73bfac24f8ab2dbf0e7eba7b09ca5a89a82c52cc4c74add95fb3b7d605f7415f71e56619062579	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E0925E18C7765E22DABD9427529DA6AF4E066428\Blob = 030000000100000014000000e0925e18c7765e22dabd9427529da6af4e066428090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b060105050703090b000000010000002c00000048006f006e0067006b006f006e006700200050006f0073007400200052006f006f007400200043004100000020000000010000002f0300003082032b30820213a003020102020101300d06092a864886f70d01010505003045310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f7374311e301c06035504031315486f6e676b6f6e6720506f737420526f6f74204341301e170d3030303131363037343230305a170d3130303131363233353930305a3045310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f7374311e301c06035504031315486f6e676b6f6e6720506f737420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a5a291be3ce5363c4aef348f88fdba6d71a66272edc206bc7625bb8a5f15252738dde99191018a6f8ed55ba6bf3e23b363c354e1f1c30c964cfb7a0e271ef0231080d22868bd06958b7de929f9d427f6f2775f22ab25a8459797455661589c8724329d381d3dedb81c74053565a0a5910faf683d7a0f5c21fbe72c1bfe56865271736481d4e08480d09556bd49d03d24335d8e7a823854b66af4ba74692ebbd141701174e6376863af4ceadca220cdf68f4ce6d080082450991874e5ced607d07816065f3ddc85cb743f787f19c80d8e4854696a0580a96cb241feb404068bbab5a27e29a6aaaf41e91c4911b70d4808727f4b8398f3131a794bd14e14ce12330203010001a326302430120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820101009505191630569cb9984b40348d115b4f24f12c68c2b5acb5e0b484a04c6dec8a7661c1f3d574f1619f7cbe20922752fa3124b8d19ee0f36d50baade22daf28756be12aeff821cd3bcbc8321ed3ba59cf38e8f29078dd9e0844955f864f6a9bdca28be59ca6568b8665351c6c0cca1ea49e4e5c1293d278c8d869ea698626d4a4d38fad574a58f4ecc67f6cbbb4f2c792f2ce3cf442c32167866da54da03fc2f718ab57d6e8c792fa86a736050e1972bf06f0aca4444cac3ee8ef7d0b48c5c11b33e9c901d0cceffe61ed8ce8329accf5c9d9c93d78a600051d29eb26018e4bfe39acc592ffbe709a57c2f2cf21b8662edee0d4febbdbb44789927f18bc2c86b5	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7030AABF8432A800666CCCC42A887E42B7553E2B	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51A44C28F313E3F9CB5E7C0A1E0E0DD2843758AE\Blob = 0b000000010000002200000041002d00540072007500730074002d006e005100750061006c002d00300031000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b0601050508020206082b0601050507030903000000010000001400000051a44c28f313e3f9cb5e7c0a1e0e0dd2843758ae2000000001000000610300003082035d30820245a003020102020300e242300d06092a864886f70d01010505003055310b30090603550406130241543110300e060355040a1307412d547275737431193017060355040b1310412d54727573742d6e5175616c2d30313119301706035504031310412d54727573742d6e5175616c2d3031301e170d3034313133303233303030305a170d3134313133303233303030305a3055310b30090603550406130241543110300e060355040a1307412d547275737431193017060355040b1310412d54727573742d6e5175616c2d30313119301706035504031310412d54727573742d6e5175616c2d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100fff51c80119e9e1e6858ccd277dbc7f48e67525058ba12a46a3b16f78c734f4c8a4af36091eb3e659929d940d52e08f0fe86d6cd65f7ddd83295074e8d3b2675db370e302823e06b64668a84d333e93d3ddba68139e6791965efea5845ffeb8c33fcbff811d92f28348a1bf52c3fbe4cb660956399b6120ef7455151cf871c0483291de97897312a4a4743b59398e5f9e4ac4df7de1c7aee7c6adb5bd8f04c9ff0ee1f3d0e51b4df1ea2140270f435cfaca953547b37d8cf4699c8fb2ccc3a2c1ddfe41c2a11e2d66882ce8d2990e681d42c267ec4f2365f2a53434950bf536ba71e6bb5938704e25a8976c83f3c71dd9ccb7f3cc696cd91fac23e664d18ba150203010001a3363034300f0603551d130101ff040530030101ff30110603551d0e040a04084e59cec702328730300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100ebd23d475854f466e5f6f57b5bb007429509025140befd88b7f798f29da8b9050f55a4998a468ab4062b083fdaaf37d7078dd07adf9d33a0a91ec9fc8a4611bd029e3e35efdc4bdff82d5bc702408a6727655e96f9b34e4e9768f255e58f19267cdf99e52f97cef2b6b6d52d3f812d60e55ac47c3698f30d6ef0de63e7e82648819f72988c669b31a47c9a866aa1fe687e3e224bf5b26a64d9b62eaffdf2b19f5bc823efee5a47315790d3e7eafd1cba27d0d605d15837d7b5a1fa0583579f55668f9d7302436fe91e62a305628aa9efb4869191aee354bc346624418dd7f6b3474640db2dfa4a6039b2e8d6a7a4e1351075b5fec352140b38dea659289110c6	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7F8AB0CFD051876A66F3360F47C88D8CD335FC74	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C9A8B9E755805E58E35377A725EBAFC37B27CCD7	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000002a000000302806082b0601050507030106082b0601050507030406082b0601050507030206082b060105050703030b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8D08FC43C0770CA84F4DCCB2D41A5D956D786DC4	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\55A6723ECBF2ECCDC3237470199D2ABE11E381D1	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F99AA93FB2BD13726A1994ACE7FF005F2935D1E\Blob = 53000000010000002400000030223020060a2b0601040181e90c010a30123010060a2b0601040182373c0101030200c00b000000010000007e0000004300680069006e006100200049006e007400650072006e006500740020004e006500740077006f0072006b00200049006e0066006f0072006d006100740069006f006e002000430065006e007400650072002000450056002000430065007200740069006600690063006100740065007300200052006f006f0074000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070300000001000000140000004f99aa93fb2bd13726a1994ace7ff005f2935d1e2000000001000000fb030000308203f7308202dfa0030201020204489f0001300d06092a864886f70d010105050030818a310b300906035504061302434e31323030060355040a0c294368696e6120496e7465726e6574204e6574776f726b20496e666f726d6174696f6e2043656e7465723147304506035504030c3e4368696e6120496e7465726e6574204e6574776f726b20496e666f726d6174696f6e2043656e7465722045562043657274696669636174657320526f6f74301e170d3130303833313037313132355a170d3330303833313037313132355a30818a310b300906035504061302434e31323030060355040a0c294368696e6120496e7465726e6574204e6574776f726b20496e666f726d6174696f6e2043656e7465723147304506035504030c3e4368696e6120496e7465726e6574204e6574776f726b20496e666f726d6174696f6e2043656e7465722045562043657274696669636174657320526f6f7430820122300d06092a864886f70d01010105000382010f003082010a02820101009b7e73eebd3b78aa644341f550df94f22eb28d4a8e4654d22112c839324206e983d59f52ede567033b54c18c9999cce9c00fff0dd98411b2b8d1cb5bdc1ef9683164e19bfa74eb68b92095f7c60f8d47ac5a06dd61abe2ecd89f172d9cca3c35975571cd4385b14716f52c538076cfd30064bd4099ddccd8dbc49fd6135f41838bf90d879256346c1a100b17d55a1c9758843c841a2e5c91346e195f7f1769c565ef6b21c6d5503abf61b9058def6f343ab26f1463bf163b9ba92afdb72b386606c52ce2aa671e45a78d046642f68f2bef8820698f328c1473da2b869163229af2a7dbce898bab5dc714c15b306a1fb1b79e2e810102edcf965e63dba8e638b70203010001a3633061301f0603551d230418301680147c724b39c7c0db62a54f9baa183492a2ca838259300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c724b39c7c0db62a54f9baa183492a2ca838259300d06092a864886f70d010105050003820101002ac3c743378fddada4b20ceedc146d8f28a49849cb0c80eaf3ed2366757dc5d3216779d173c5b503b758ac0c542fc656130f31da06e7653b1d6f36dbc81df9fd8006caa33d6616a89d4c167dc09546b551e4e21fd7ea064d638d968cefe73357423aeb8cc179c84d767ddef6b1b781e0a0f9a17846171a5698f04e3dab1cedec39dc0748f763fe06aec2a45c6a5b3288c5c73385ac664247c2582499e1e53ee5752c8e43d65d3c781ea895822950d1d116baefc1be7ad9b4d8cc1e4c46e177b131abbd2ac8ce8f6ea15d7f037534e4ad8945545ebeae28a5bb3f7879eb73b30a0dfdbec9f756acf6b7ed2f9b2129c738b695c404f2c32dfd142a9099b907cc9f	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6724902E4801B02296401046B4B1672CA975FD2B\Blob = 0b000000010000007a000000530079006d0061006e00740065006300200043006c006100730073002000320020005000750062006c006900630020005000720069006d006100720079002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790020002d002000470034000000090000000100000016000000301406082b0601050507030206082b060105050703040300000001000000140000006724902e4801b02296401046b4b1672ca975fd2b2000000001000000ac020000308202a83082022da003020102021034176512403bb756802d80cb7955a61e300a06082a8648ce3d040303308194310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b314530430603550403133c53796d616e74656320436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204734301e170d3131313030353030303030305a170d3338303131383233353935395a308194310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b314530430603550403133c53796d616e74656320436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d2047343076301006072a8648ce3d020106052b8104002203620004d1d94a8e4c0d844a51ba7cefd3ccfa3a9ab5a763133d01e0493efac147c992b33ad7fe6f9cf79a3a0ff50e0a0ac33fc8e712148ed5d56d982cb371320aeb2abdf6d76a200b67459cd2b2bf532266095ddb11f3f1053358a3e2b8cf7ccd829bbda3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604143d32f33aa90c9084f9a28c690661542f8772fe05300a06082a8648ce3d0403030369003066023100c8a6a9af417fb5c911421668694c5cb82718b698f1c07f906d87d38c4617f03e4ffceab008c47a4bbc082fc7e2a76f65023100d659de86ce5f0eca54d5c6d0150efc8b9472d48e005853cf7eb14b0de55086eb9e6bdfff29a6d847d9a09618dbf245b3	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B6BD2D3884E46C80CE2B962BC598CD9D5D84013	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8025EFF46E70C8D472246584FE403B8A8D6ADBF5\Blob = 0300000001000000140000008025eff46e70c8d472246584fe403b8a8d6adbf5090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003a00000054004300200054007200750073007400430065006e00740065007200200043006c006100730073002000330020004300410020004900490000002000000001000000ae040000308204aa30820392a003020102020e4a4700010002e5a05dd63f0051bf300d06092a864886f70d01010505003076310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831223020060355040b1319544320547275737443656e74657220436c6173732033204341312530230603550403131c544320547275737443656e74657220436c6173732033204341204949301e170d3036303131323134343135375a170d3235313233313232353935395a3076310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831223020060355040b1319544320547275737443656e74657220436c6173732033204341312530230603550403131c544320547275737443656e74657220436c617373203320434120494930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4e0bb51bb395c8b04c54c791c23863110634355273fc645c7a43dec090d1a1e20c2561ede1b370730222f6ff106f1abadd6c8ab61a32f43c4b0b22dfcc396697b7e8ae4ccc03912904260c9cc3568eeda5f90565fcd1c4d5b5849eb0e014f64fa2c3c8958d82f2ee2b068e9223b7589d6441a65f21b97261d286dace8bd591d2b24f6d68403668824007860f1f8abfe02b26bfb22fb35e616d1adf62e12e4fa356ae519b95ddb3b1e1afbd3ff151408d8096aba459d1479607daf408a0773b39396d374348d3a3729de5cecf5ee2e31c220dcbef14f7f2352d95be264d99caa0708b545bdd1d031c1ab549fa9d2c3626003f1bb394a924a3d0ab99dc5a0fe370203010001a382013430820130300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414d4a2fc9fb3c3d803d3575c07a4d024a7c0f200d43081ed0603551d1f0481e53081e23081dfa081dca081d98635687474703a2f2f7777772e747275737463656e7465722e64652f63726c2f76322f74635f636c6173735f335f63615f49492e63726c86819f6c6461703a2f2f7777772e747275737463656e7465722e64652f434e3d5443253230547275737443656e746572253230436c61737325323033253230434125323049492c4f3d5443253230547275737443656e746572253230476d62482c4f553d726f6f7463657274732c44433d747275737463656e7465722c44433d64653f63657274696669636174655265766f636174696f6e4c6973743f626173653f300d06092a864886f70d010105050003820101003660e470f7062043d9231a42f2f8a3b2b94d8ab4f3c29a55317cc43b679ab4df4d0e8a934a178b1b8dca89e1cf3a1eac1df19c32b48e5976a241852537a013d0f57c4ed5ea96e26e72c1bb2afe6c6ef8919846fcc91b575beac81a3b3fb051983c07da2c5901da8b44e8e174fda768dd54ba8346ecc846b5f8af97c03b091c8fce72963d335670bc96cbd8d57d209a839f1adc39f1c572a31103fd3b425229dbe801f79b5e8cd68d864e19fabc1cbec521a5879e782e36db0971a37234f86ce30609f25e56a5d3dd98fad4e606f4f0b620634bea29bdaa82661efb81aaa737ad1318e692c381c133bb881ea1e7e2b4bd316c0e513d6ffb965680e23617d1dce4	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9078C5A28F9A4325C2A7C73813CDFE13C20F934E	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC\Blob = 0b000000010000008e00000041007500730074007200690061006e00200053006f0063006900650074007900200066006f007200200044006100740061002000500072006f00740065006300740069006f006e00200047004c004f00420041004c00540052005500530054002000430065007200740069006600690063006100740069006f006e00200053006500720076006900630065000000090000000100000074000000307206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030606082b0601050507030706082b0601050508020206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b06010505070309030000000100000014000000342cd9d3062da48c346965297f081ebc2ef68fdc200000000100000002080000308207fe308205e6a003020102020100300d06092a864886f70d01010505003081d4310b3009060355040613024154310f300d060355040713065669656e6e613110300e0603550408130741757374726961313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e312a3028060355040b1321474c4f42414c54525553542043657274696669636174696f6e2053657276696365311430120603550403130b474c4f42414c54525553543124302206092a864886f70d0109011615696e666f40676c6f62616c74727573742e696e666f301e170d3036303830373134313233355a170d3336303931383134313233355a3081d4310b3009060355040613024154310f300d060355040713065669656e6e613110300e0603550408130741757374726961313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e312a3028060355040b1321474c4f42414c54525553542043657274696669636174696f6e2053657276696365311430120603550403130b474c4f42414c54525553543124302206092a864886f70d0109011615696e666f40676c6f62616c74727573742e696e666f30820222300d06092a864886f70d01010105000382020f003082020a0282020100d21247ec5f98e80d861549c4ddec9ef16ccd51b6fb954f8bc4903d5333b1d313c548e2a5bff5f403840f9c7871f69297f15b5975183f270b512f5c68c7a1eb00f3f6953d69c37ec2acc40a36727a5ba6d0f7017b28c72ac73260ee59b8d70b27ddb345052b7b64a7735ce893029768ecfc84db9ed4d58147c69cc0ac97cb19ea87a50aa3b87524e750270dab16f9565db18101167df3e9e124f30821b9baac5d9ec748797f6acadf3977046d1b6e3acd7fce5c48ac123c59f26acf8048e1f600677820e0fdb5647b1797b3e527dd456b9b619906bef2e79ea46d8b3b6b0c81eeb46fa1be1a12414b9ead0ef946b45ad103009416c0c0f3acfb7cbc96c029d8f9331689a30e1d95d903d4210cdd56084965c88dab211f54bb99bcf1445b7b0018fd2a1958d205c9d9293625fe77ee6b59544f0814a299094557ad07de22fc871ca0efa079dd0a7dc07f35e80c664de3b56a1659715bf390b0525e9102c7a8b9c2046f9e4fb4002dec08ecae406ef029272239b6cda08610ba0b35ec7b5a0db679c3fac7adc1fbebed2b840deadef9eb9a59336cc12b128cb83ec53623381ad6779390d677756a581917a1158e6e760ea373e15c9549dbc10f9414c5d5621b99ab38d5676ed2a919e15a3a876a483f9196e3c6c5276b57743198f63e7171ed7edeb04d2cf3ee8fdb7b68d7104429adecab5059529a6c6a72144d161451f7d77e1f0203010001a38201d7308201d3301d0603551d0e04160414c001d5e0781f2f743ae3ebc02152a604ee26cba4308201010603551d230481f93081f68014c001d5e0781f2f743ae3ebc02152a604ee26cba4a181daa481d73081d4310b3009060355040613024154310f300d060355040713065669656e6e613110300e0603550408130741757374726961313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e312a3028060355040b1321474c4f42414c54525553542043657274696669636174696f6e2053657276696365311430120603550403130b474c4f42414c54525553543124302206092a864886f70d0109011615696e666f40676c6f62616c74727573742e696e666f820100300f0603551d130101ff040530030101ff300b0603551d0f0404030201c630110603551d20040a300830060604551d2000303d0603551d11043630348115696e666f40676c6f62616c74727573742e696e666f861b687474703a2f2f7777772e676c6f62616c74727573742e696e666f303d0603551d12043630348115696e666f40676c6f62616c74727573742e696e666f861b687474703a2f2f7777772e676c6f62616c74727573742e696e666f300d06092a864886f70d01010505000382020100153b88835e0ede3ef03e5ddc2da14afa28a5d607a52448ce9e79e8799a5c248e5872144185c745ee3c28693849ae228dbb8c056dae65bb87b97e763b28636ad66f3330887e5505bab91503981d62d2cec00f6e1c9a34eee4af1f62d1ecb479cfcf69928a58fdc1c7760b5ccd5234486be50b7fc93212df980a16d93356168fdf433fd7bd3fc51ec5ad21ac872c9ae41c1f8503ac8bc7b7336249c1f8aa2b4e5d873e7652ae597e31e17cba528b5890d780460b3436deef11c95c2246c23ca77f62046fdf3e488eea0b3e08ac181a52d6f1f6d4622f03b99ad63c537f5526c6352b2174b0899054e401885c9c852a9a655e4b57f2801cec67349a46dc0276fe72377209b1f0238f58b3027dee780eb93d73122d559f1763afaed8ae73b6c7506a85c1db7dfb945970c6c3076c56c5b007fc4e7d931db927c0b095d5e77c05bcf70f0ab3f46e1557491bb51400a4302b5af45658bf7634a23dfe0126f0ddb86df0a4e7bc20f65108f6e337895736f6f72ffecdb864bdead7a6d0ff78ef7ee11c1e547e0f3419811073d2e3780617b6d251fb357876da778337413e2d46a87e86de56f4ca909eb4adb01e45183c34880287e8f03691ebf2e7b5d204b92eb85d8d1d9a2e0b1619cd76a4abfbd1e2a3a2dc847d7bea50eaf5b2043b89523ab2c3194fb926b1bcbc2cb2e181a6b361b5f445602f2c75c5c82d884b26bb70ee3b7f012d	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D003860F002ED829DEAA41868F788186D62127F\Blob = 53000000010000004800000030463021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c00b000000010000003800000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300200049006e0063002e000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020300000001000000140000005d003860f002ed829deaa41868f788186d62127f2000000001000000820400003082047e30820366a003020102020100300d06092a864886f70d01010505003081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479301e170d3038303630323030303030305a170d3239313233313233353935395a3081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f2cc562a4de616375a97ea6d3538d1109bdbb8dca9040995332e09c5007b1a78428fc8f4058efed268831e4e99cd17db473e50f389d2e7dc98fb05f8aad663f4544dc17103b01f1b76b31a343073f128326083fdb49cd7b6d222377c19aa3bde1310696e5c06d36fa3f2665a764248af80d154593dd4b9d4dbedb9ab3999f4ee62abe178727bd8388d40b6ccdc120070438569d818e3ca57729fb4df3ffc22a84252f5775b99f0562d2670163612c2279e57a67cd023f179dca3935828383d9fad3643ee37fbf8f943adc856f294125e42eb73b8130dcba6d586b9aa286a5403a13f0f29eb0900e83f5ea27f173da12bf8bed0751da484e3ab1765065200afb10203010001a3633061300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414b4c67f1a43cc9b755d2fc44bf28b9810e9f15110301f0603551d23041830168014b4c67f1a43cc9b755d2fc44bf28b9810e9f15110300d06092a864886f70d01010505000382010100ac80bbc425050b58a4e47e297eafbc3bec2dc0442ef991e0d23b3227902df680095cc2ab6524da381046c449d2fd9aab28487788c6e96fd14791d5354f1409a85b40071d7c7156cb8942d4bf61c022f72edfabf372438b40e894ebb026dad113d3abd0362d2e3a95b3772e1539180c69baaa80edf1534e339b6804e2a0302ed7d15dd4a6669d84e6e7bb3c89bb369dfc17a93d552b8afb9bc44c84ffdfd2be691b74b0a8f6eab09cb22974814c683a9a7f732539f513e0669169d4574bb7eead45e02cc388d3be9449891fff70d55b6d3913b01dcb98e667630d63f6fbc3d7617283883f707e53c99e8954d64f7f7d71b9aef1608b7760ecf8bffa6aa39c0122	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5A4D0E8B5FDCFDF64E7299A36C060DB222CA78E4	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0456F23D1E9C43AECB0D807F1C0647551A05F456\Blob = 0b00000001000000540000004e004c00420020004e006f007600610020004c006a00750062006c006a0061006e0073006b0061002000420061006e006b006100200064002e0064002e0020004c006a00750062006c006a0061006e0061000000090000000100000056000000305406082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090300000001000000140000000456f23d1e9c43aecb0d807f1c0647551a05f4562000000001000000bb030000308203b73082029fa00302010202043ec3868e300d06092a864886f70d0101050500301d310b3009060355040613025349310e300c060355040a130541434e4c42301e170d3033303531353131353234355a170d3233303531353132323234355a301d310b3009060355040613025349310e300c060355040a130541434e4c4230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf76753d0c7c403a665f4d8cfbdd3c2efe7d9464ed4ad44948a1ee9171b279c88e2b1faaf032b428b2a3c2754fa4e9a61af6a266612327612c6e17900bfade1e71520229049979acc0b0c066989811376410cf9cbc3b421c295c5590f67a224e56af3768bf743a6c3cc698cc6021bfe20827e4d92bbce38495d7d42460fc7e2d2f9d21eb9d91c6bba4d1ebc912ada3e8c8b57f554beb990254c4811c0cae39e46a7a05d84e70a0fa0377b3aed8b81492fb417713356ab7a2ca884bad2d51bc769a6cbb40bde7244c22a6e6fd4e087b9d0b10d612d2a6c6a16432f401739681e248b0c128633d3be767ac6ec514f51713a29c1f2b57f01527755dddb134d693110203010001a381fe3081fb301106096086480186f8420101040403020007303f0603551d1f043830363034a032a030a42e302c310b3009060355040613025349310e300c060355040a130541434e4c42310d300b0603550403130443524c31302b0603551d1004243022800f32303033303531353131353234355a810f32303233303531353132323234355a300b0603551d0f040403020106301f0603551d23041830168014ccbbbb86d66ff8beb4472277b3b6add70159964d301d0603551d0e04160414ccbbbb86d66ff8beb4472277b3b6add70159964d300c0603551d13040530030101ff301d06092a864886f67d0741000410300e1b0856362e303a342e3003020490300d06092a864886f70d010105050003820101001167cbcb9a6b2021dd6f6983d53f0dba9315974e7076265ce89e24e737fe3c50f4d4f92a2f0c13a15d04bcd0b0e9c203178505613dc0a7aa764cc3b83a83a986cf03f9770e2bb23d761b65d16a716071dbbbb87a8ef2f92183f8574ca8c7dd65c6eeef6fb3b699bbb4c3d0ab5fb2a07edd74212cc35aeb8da1cad8f0c817ed76ba84636e5bb9b5ca6dd7fc3439802fba4fdf8dd8fc18c43c8a352f778296ad209218b2e736f4ae3274b847d1d80fd82ccb6ac20075f92cf8420ecbfe7393a98fe1c7ae2137f3cab90cb4e7897e711c563420c3f134b9554bd35352f1072d2b3e5b19409f10edd32933c5af0f105687da3bc8b1ed38d919fb4bf0502da4cdd458	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0409565B77DA582E6495AC0060A72354E64B0192\Blob = 0300000001000000140000000409565b77da582e6495ac0060a72354e64b0192090000000100000074000000307206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030606082b0601050507030706082b0601050508020206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090b000000010000001a000000480061006c0063006f006d00200043004100200046004f00000020000000010000001e0300003082031a30820202a003020102020301ba65300d06092a864886f70d01010505003035310b3009060355040613025349310f300d060355040a130648616c636f6d311530130603550403130c48616c636f6d20434120464f301e170d3035303630353130333333315a170d3230303630353130333333315a3035310b3009060355040613025349310f300d060355040a130648616c636f6d311530130603550403130c48616c636f6d20434120464f30820122300d06092a864886f70d01010105000382010f003082010a0282010100bca3260196e59dac1a0202397cacdc064c374aae074875e8271ca431fd0aa7235d7c3f0efaf08c916f5534840374cc033578cd71c1471bbbea216eb807de2192aaacb9de37a21ff49a1c1bc8ee1083d65343c8dde9f3904639720a4efc1229498158263a71130c7b538fdf66723c17dcdee1794a9fe9603e6d35e44d51d11cc01a305c063f7343c8cd36f41ec2878c4f489fda75572a4caf8d543c445f983c50dad018067c606ed284ff6785903d5ec6ebd87aa3b56d0cbe75b8a9da5671365aeeeb49533ee219767c42aba190f1f72fb8ba4a41b42ba42e6136e7d6da7ff59f8db84b5b843550c5bd05aaaac20c74416357198effe146e67b0524fe99dd31bd0203010001a3333031300f0603551d130101ff040530030101ff30110603551d0e040a040848201c620d585225300b0603551d0f040403020106300d06092a864886f70d010105050003820101005b75f5e63046588af70fd14f0b015804b964e4300d3e76d96b13ad1c6ec94cf06ce64211fdeb83ef50d8bb549db4918a5ab5840f8c46cd3c82a8a51e209cd0f54106ca012b98b0ea29501fe2747b5982ca0ae56e4eaeb037ed3eccba32d93f0b682cb2d33cdc38c511d61b33eeb9a26a44931b50ea611b795751569e32d03378b4cf472afbf7cdf1e76de0ba64fb159bbecab1f247017fe04cb7a541ac1ed91a6c91e1d0a84ac35e782b7a80c04fcd255f5027c6bc58759c1db59a5d9573f38466d3cd6d1dcde05ace2038ef9273785e02d68df974d4b789d88cfb7bd58b71d5191726d824493c55bc8287da63bb39d78e91cf34705c734fd050475afbe55a51	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ACED5F6553FD25CE015F1F7A483B6A749F6178C6\Blob = 030000000100000014000000aced5f6553fd25ce015f1f7a483b6a749f6178c609000000010000004a000000304806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030706082b06010505070306060a2b0601040182370a030406082b060105050703080b000000010000005c0000004e00650074004c006f0063006b0020004b006f007a006a006500670079007a006f0069002000280043006c006100730073002000410029002000540061006e007500730069007400760061006e0079006b006900610064006f0000002000000001000000810600003082067d30820565a00302010202020103300d06092a864886f70d01010405003081af310b30090603550406130248553110300e0603550408130748756e676172793111300f06035504071308427564617065737431273025060355040a131e4e65744c6f636b2048616c6f7a617462697a746f6e73616769204b66742e311a3018060355040b131154616e7573697476616e796b6961646f6b313630340603550403132d4e65744c6f636b204b6f7a6a6567797a6f692028436c6173732041292054616e7573697476616e796b6961646f301e170d3939303232343233313434375a170d3139303231393233313434375a3081af310b30090603550406130248553110300e0603550408130748756e676172793111300f06035504071308427564617065737431273025060355040a131e4e65744c6f636b2048616c6f7a617462697a746f6e73616769204b66742e311a3018060355040b131154616e7573697476616e796b6961646f6b313630340603550403132d4e65744c6f636b204b6f7a6a6567797a6f692028436c6173732041292054616e7573697476616e796b6961646f30820122300d06092a864886f70d01010105000382010f003082010a0282010100bc748c0fbb4cf4371ea90582d8e6e16c70ea78b56ed138440da883ce5dd2d6d581c5d44be75b947026db3b9d6a4c62f771f364d6613b3deb73a337d9cfea8c923bcdf707dc667497f44522ddf45ce0bf6df3be6533e4153abfdb98905538c4eda655630bb07804f4e36ec13f8efc51781f929e83c2fed9b0a9c9bc5a00ffa9a89874fbf62c3e15390db60455a80e982042b3b125ad7e9a6f5d53b1ab0cfcebe0f37ab3a8b3ff46f663a2d83a987bb6ac85ffb0254f7463e71307a50a8f05f7c0646f7ea7278096ded42e8660c76b2b5e737b17e7913f640cd84b22342b9b32f2481f9fa10a847ae2c2ad973d8ed5c1f956a350e9c6b4fa98a2ee95e62a038cdf0203010001a382029f3082029b300e0603551d0f0101ff04040302000630120603551d130101ff040830060101ff020104301106096086480186f84201010404030200073082026006096086480186f842010d048202511682024d46494759454c454d2120457a656e2074616e7573697476616e792061204e65744c6f636b204b66742e20416c74616c616e6f7320537a6f6c67616c7461746173692046656c746574656c656962656e206c6569727420656c6a617261736f6b20616c61706a616e206b65737a756c742e204120686974656c65736974657320666f6c79616d617461742061204e65744c6f636b204b66742e207465726d656b66656c656c6f737365672d62697a746f73697461736120766564692e2041206469676974616c697320616c616972617320656c666f6761646173616e616b2066656c746574656c6520617a20656c6f69727420656c6c656e6f727a65736920656c6a61726173206d6567746574656c652e20417a20656c6a61726173206c656972617361206d656774616c616c6861746f2061204e65744c6f636b204b66742e20496e7465726e657420686f6e6c61706a616e20612068747470733a2f2f7777772e6e65746c6f636b2e6e65742f646f63732063696d656e2076616779206b65726865746f20617a20656c6c656e6f727a6573406e65746c6f636b2e6e657420652d6d61696c2063696d656e2e20494d504f5254414e5421205468652069737375616e636520616e642074686520757365206f662074686973206365727469666963617465206973207375626a65637420746f20746865204e65744c6f636b2043505320617661696c61626c652061742068747470733a2f2f7777772e6e65746c6f636b2e6e65742f646f6373206f7220627920652d6d61696c20617420637073406e65746c6f636b2e6e65742e300d06092a864886f70d01010405000382010100482446f7ba566ffac82803404ee531396b266b537fdbdfdff3713d26c0140ec6677b23a80c73dd01bbc6ca6e373955d5c78c56200e280a0ed22aa4b04952c63807febe0a098cd198cfcada1431a14fd239fc0f112c43c3ddab93c7553e477c181a00dcf37bd8f27f526c20f40b5f6952f4eef8b22960ebe34931210dd6b51041e241096ce21a9a564b7702f6a09b9a2787e8552971c2909f45781ae115643dd00ed8a0769faec5d02eead60f56ec647f5a9b145801277e1350c76b2ae6683cbf5ca00a1be10e7ae9e280c3e9e9f6fd6c119ed0e528272b543242148275e64af02b6675638ca2fb043e830e9b36f018e42620c38cf02807ad3c176688b5fdb688	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\132D0D45534B6997CDB2D5C339E25576609B5CC6	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2964B686135B5DFDDD3253A89BBC24D74B08C64D\Blob = 0b000000010000002000000041002d004300450052005400200041004400560041004e004300450044000000090000000100000040000000303e06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a03040300000001000000140000002964b686135b5dfddd3253a89bbc24d74b08c64d2000000001000000d7060000308206d3308205bba003020102020100300d06092a864886f70d01010505003081cc310b30090603550406130241543110300e0603550408130741757374726961310f300d060355040713065669656e6e61313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e31253023060355040b131c412d434552542043657274696669636174696f6e2053657276696365311830160603550403130f412d4345525420414456414e434544311d301b06092a864886f70d010901160e696e666f40612d636572742e6174301e170d3034313032333134313431345a170d3131313032333134313431345a3081cc310b30090603550406130241543110300e0603550408130741757374726961310f300d060355040713065669656e6e61313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e31253023060355040b131c412d434552542043657274696669636174696f6e2053657276696365311830160603550403130f412d4345525420414456414e434544311d301b06092a864886f70d010901160e696e666f40612d636572742e617430820122300d06092a864886f70d01010105000382010f003082010a0282010100ddeb97232fa69dfe8160a6caf901f993aefdb5416a793f23959c4c7b0f1e3621eec3d2a8c560732fa2a4b0afb9b8aec66adc3eb1b0189ed10613cd0ff898358400cc7be16be55d1b73a412de0915b5f5025bf448bdf30cdfda31be6a8998e80f9c953b1fafa798bb6cabad6dbfd915262ff6e18e705d6de875eb7bdac179ec4a06eacefcc3405454b35c327812f5b659ce6746dff77a25b906828345ffc0dc8020495bfb7426b708cf2a695c8395b54cf33abad4f3acee5204f746d925e648c6ec3107a456fd1f47d3398d6ff3e811a1a3bada00343c28b2b205598f08157987b7280835d67ce7ca5783bf5f7cb8adc3735a17206623271d85a4a594bc0b80130203010001a38202bc308202b8301d0603551d0e04160414377f3e3e997160ca24d4911379d07429b4a824d83081f90603551d230481f13081ee8014377f3e3e997160ca24d4911379d07429b4a824d8a181d2a481cf3081cc310b30090603550406130241543110300e0603550408130741757374726961310f300d060355040713065669656e6e61313a3038060355040a13314152474520444154454e202d20417573747269616e20536f636965747920666f7220446174612050726f74656374696f6e31253023060355040b131c412d434552542043657274696669636174696f6e2053657276696365311830160603550403130f412d4345525420414456414e434544311d301b06092a864886f70d010901160e696e666f40612d636572742e6174820100300f0603551d130101ff040530030101ff300b0603551d0f0404030201e630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304301106096086480186f84201010404030200ff30510603551d20044a3048304606082a28001801010103303a303806082b06010505070201162c687474703a2f2f7777772e612d636572742e61742f63657274696669636174652d706f6c6963792e68746d6c303b06096086480186f8420108042e162c687474703a2f2f7777772e612d636572742e61742f63657274696669636174652d706f6c6963792e68746d6c30190603551d1104123010810e696e666f40612d636572742e6174302f0603551d1204283026810e696e666f40612d636572742e61748614687474703a2f2f7777772e612d636572742e617430450603551d1f043e303c303aa038a036863468747470733a2f2f7365637572652e612d636572742e61742f6367692d62696e2f612d636572742d616476616e6365642e636769300d06092a864886f70d0101050500038201010025f522f81f746dabbdfbf7e4ee3cbd212f71568476537c5121411d6cf7251028ce0cef681b701e48ca670b7997f0563ad8dbbc77d18c3b7b8a394111cc4e3ab342d5f7f2307c07ad7a6f7dfe98a50e709f198860441c5118861ccaabb845f45a4b8336048ac1e7ec817b36ede7816ae1e034655c4d81f5ae61eefd9c8ba4bc4ec894363c2cc0d43cd6deb5a4217f76a2027b95345d5ab6f1c142f55c68a7c679da43be3eff2d2923d24d12fee2736b6993079132991e75a2d69ac0b5fa8adf29379bb20ebd68c682c7ba3a8cd38d46647fed355a3dff3f93a839d9c1d9f585a342fba9db66f9ad6c46279af92d9e2f08f985e3e4f896eb6351801afe51ae4138	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B972C9EA6E7CC58D93B20BF71EC412E7209FABF	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AE3B31BF8FD891079CF1DF34CBCE6E70D37FB5B0	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\398EBE9C0F46C079C3C7AFE07A2FDD9FAE5F8A5C\Blob = 030000000100000014000000398ebe9c0f46c079c3c7afe07a2fdd9fae5f8a5c090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b00000001000000920000004100750074006f00720069006400610064002000640065002000430065007200740069006600690063006100630069006f006e0020005200610069007a0020006400650020006c0061002000520065007000750062006c00690063006100200042006f006c006900760061007200690061006e0061002000640065002000560065006e0065007a00750065006c006100000020000000010000009c0900003082099830820780a00302010202010a300d06092a864886f70d01010c05003082011e313e303c060355040313354175746f72696461642064652043657274696669636163696f6e205261697a2064656c2045737461646f2056656e657a6f6c616e6f310b30090603550406130256453110300e06035504071307436172616361733119301706035504081310446973747269746f204361706974616c31363034060355040a132d53697374656d61204e6163696f6e616c2064652043657274696669636163696f6e20456c656374726f6e69636131433041060355040b133a5375706572696e74656e64656e63696120646520536572766963696f732064652043657274696669636163696f6e20456c656374726f6e6963613125302306092a864886f70d010901161661637261697a4073757363657274652e676f622e7665301e170d3130313232383136343133365a170d3330313232333233353935395a3082011e313e303c060355040313354175746f72696461642064652043657274696669636163696f6e205261697a2064656c2045737461646f2056656e657a6f6c616e6f310b30090603550406130256453110300e06035504071307436172616361733119301706035504081310446973747269746f204361706974616c31363034060355040a132d53697374656d61204e6163696f6e616c2064652043657274696669636163696f6e20456c656374726f6e69636131433041060355040b133a5375706572696e74656e64656e63696120646520536572766963696f732064652043657274696669636163696f6e20456c656374726f6e6963613125302306092a864886f70d010901161661637261697a4073757363657274652e676f622e766530820222300d06092a864886f70d01010105000382020f003082020a0282020100c13bef1352f19956e3b46c05e11a691661268678af0efce540050ae3d938054ca8d4b5c0c62acf2f79aba1a450ef35111fee822417fca31cabfe07067f377f07585b13d97f005f2bb04fda9fc9b0583361e14fd015ce2e6be8248ce525be855bed4c3f01818ee699185226599b1298651c95be7599160c6444e1f7f27908b4e14757b14adc47429b704b3adaccd16991063fce68fbf9864d03dc83a2ba1516feacc9b60e67b3b1343a3bce448ba38e48ee0330b71a9667c564259902f3ea74757ea6921513d10015eb865cf47b19887fe82e11245e386b819dbc705ef731722a2f1d5fc8ce243c7d723898bf47bda73302fb0fe49dea6660234df94f1b875dcdbfb8ec177caaeb4e36890f3f09a7a0dd7acb0e93122090a5d18cff852b7cdede7e0d50844684646dcaf1232bde7fda0d36b7a3de6226151aeafaaee4b8f67d1101a492d3f2c96fa5f368001ed2698ed9ebe712ac482b0cb699944d3df0155b5977c029d6894c2bc8153a3ac6c570516b426fb4d303a2717bce4c704c6a20950156536fd4522f28be2c9d659732593b7a6adc84628818f7f0da28a3ed9935b3047224a09a283b617694726b9d49542f2d22fe630f92a9ac327b3c19b8049ba7b77fd2bbad439f5df35ce56ccb7727bc81e7aeeb4f622a232750f2a05693e7e65f38215fefc589d62c87f68afb367b5b2ebc90a1eecc4c3556a91ab790c6b3e5730203010001a38202db308202d730120603551d130101ff040830060101ff02010230370603551d120430302e820f73757363657274652e676f622e7665a01b060560865e0202a0120c105249462d472d32303030343033362d30301d0603551d0e04160414adbb221dc6e0d201a8fd76505293ed98c14daed3308201500603551d2304820147308201438014adbb221dc6e0d201a8fd76505293ed98c14daed3a1820126a48201223082011e313e303c060355040313354175746f72696461642064652043657274696669636163696f6e205261697a2064656c2045737461646f2056656e657a6f6c616e6f310b30090603550406130256453110300e06035504071307436172616361733119301706035504081310446973747269746f204361706974616c31363034060355040a132d53697374656d61204e6163696f6e616c2064652043657274696669636163696f6e20456c656374726f6e69636131433041060355040b133a5375706572696e74656e64656e63696120646520536572766963696f732064652043657274696669636163696f6e20456c656374726f6e6963613125302306092a864886f70d010901161661637261697a4073757363657274652e676f622e766582010a300b0603551d0f04040302010630370603551d110430302e820f73757363657274652e676f622e7665a01b060560865e0202a0120c105249462d472d32303030343033362d3030540603551d1f044d304b3024a022a020861e687474703a2f2f7777772e73757363657274652e676f622e76652f6c63723023a021a01f861d6c6461703a2f2f61637261697a2e73757363657274652e676f622e7665303706082b06010505070101042b3029302706082b06010505073001861b687474703a2f2f6f6373702e73757363657274652e676f622e766530400603551d20043930373035060560865e0102302c302a06082b06010505070201161e687474703a2f2f7777772e73757363657274652e676f622e76652f647063300d06092a864886f70d01010c050003820201001c5910e55ea451c147bb65b20b55e22fa9a327bce13c8ac76c0356a3a929a29b8a95d81ff7b6126016be7af4fd03814ffd8181aa4f81701e2eefc092127bbb0f8588c4f91d41b5ba242ac3282613caf900fbd7c35cf968e91bc11822c9a26c64c3f839c34e21ddd6c2dee5b62cc95c38f0de5e6ae427f4b833c4cb61923353a8ccfc9dcd53fb280befed7fb08f7422b6355780a8ae05ae290a3bb2a4fd3de3d4c190f63fcebce444fed1c17e282ffd0024322088c46f187b910e4890bc966260816d14001a51bab55d698d61471c2cac4e4520a94845a38749a37890dd36427fd8766ffd6d8301c6f97f98207f962e2260aba227c0b03524d0c9bf339922530e6e1f624c26fc2433cac103cca91761633324cc6840efafa2e285c38830d3451bee56ea560a0f0a479b3059d849d130900c272a2608285c321f27d7ad0b49e5175163cfe60d3b60511abd430950e691b563e66497aa0b97130106865ca51f95be508e0bb2d2647fdbab4ce643c6e4858d6afe8dfebb94551e91532708d3ba673d3aa1c9c1c514baf9435cc58e218c82a2fd2a3225d5168c1556c098fc2eb28e19a41671c34bdd71fe71ec221df0c18c988187b4bf02b8c4303147c2c0b0af7b33630addac459bc1cc8087f4d9985e9c86fe9a04ff664afc7b6154be57630507c6a7017559e46e393b00f4aa9df39f88bfcfd1252bdf7f73ed1686a990650f7029	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA\Blob = 030000000100000014000000aec5fb3fc8e1bfc4e54f03075a9ae800b7f7b6fa090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b00000001000000300000004300410052004f004f00540020004600690072006d006100700072006f0066006500730069006f006e0061006c00000053000000010000002500000030233021060b2b06010401e6790a01030a30123010060a2b0601040182373c0101030200c020000000010000001806000030820614308203fca003020102020853ec3beefbb2485f300d06092a864886f70d01010505003051310b30090603550406130245533142304006035504030c394175746f72696461642064652043657274696669636163696f6e204669726d6170726f666573696f6e616c2043494620413632363334303638301e170d3039303532303038333831355a170d3330313233313038333831355a3051310b30090603550406130245533142304006035504030c394175746f72696461642064652043657274696669636163696f6e204669726d6170726f666573696f6e616c204349462041363236333430363830820222300d06092a864886f70d01010105000382020f003082020a0282020100ca966b8eeaf8fbf1a235e07f4cdae0c352d77db610c8025eb3432ac44f6ab2ca1c5d289a78111a695957afb52042e48b0fe6df5ba603922ff511e462d7327138d9040c71ab3d517e0f07df63055ce9bf946fc12982c0b4da51b0c13cbbad374a5ccaf14b360e24abbfc38477fda850f4b1e7c62fd22d598d7a0a4e96695202aa3698ecfcfa14830c371fc992377fd7812de5c4b9e03e34fe67f43e66d1d3f440cf5e62340f70063e20185acef7721b256c93741493a373b10eaa871023595f20051947ed688e9212ca5dfcd62bb2923c20cfe15faf20bea0767f76e5ec1a8661333ee77bb43fa00f8ea2b96a6fb987266f416c88a650fd6a630bf593161b198fb2ed9b9bc990f5010cdf193d0f3e3823c92f8f0cd102fe1b55d64ed08d3caf4fa4f3feaf2ad3059d7908a1cb5731b49cc890b267f41816933afc47d8d17896311fba2b0c5f5d99ad63895a242076d8dffdab4ea622aa9d5ee6278a7d6829a3e78ab8da11bb172d999d132446f7c5e2d89f8e7fc78f746d5ab2e872f5acee2410ad2f14daff2d9a467147be42dfbb01dbf47fd3288f31595bd3c902a6b452ca6e97fb43c508266f8af4bbfd9f28aa0dd545f3133a1dd8c0788f41673c1e9464ae7b0bc5e8d90188391a97866441d53b870c6efa0fc6bd4814bf394dd49e41b68f961d639693d995067831689e37063b808945613923c71b44a315e51cf89230bb0203010001a381ef3081ec30120603551d130101ff040830060101ff020101300e0603551d0f0101ff040403020106301d0603551d0e0416041465cdebab351e003e7ed574c01cb473470e1a642f3081a60603551d2004819e30819b3081980604551d200030818f302f06082b060105050702011623687474703a2f2f7777772e6669726d6170726f666573696f6e616c2e636f6d2f637073305c06082b0601050507020230501e4e0050006100730065006f0020006400650020006c006100200042006f006e0061006e006f00760061002000340037002000420061007200630065006c006f006e0061002000300038003000310037300d06092a864886f70d01010505000382020100177da0f9b4ddc5c5ebad4b24b5a102abdda5884ab20f554b2b578c3be531ddfec432f1e75b6496363218eca53277d7e344b6c0112a80b93d6a6e7c9bd3adfcc3d6a3e664297cd1e1381e822bff2765affb1615c42e7184e5b5fffaa447bd6432bbf62584a22742f520b0c2131011cd1015ba42902ad244e19626eb314812fd2adac906cf741ea94bd58728f97934923e2e44e8f68f4f8f353f25b339dc632a906b205fc452124e972c2aac9d97de48f2a366dbc2d28395a666a79e250fe90b3391650a5ac3d95412ddafc34e0e1f265e0ddcb38decd58170ded24f2405f36c4ef54c49668dd1ffd20b254148fe5184c642af8004cfd07e6449e4f2dfa2ecb14cc02a1de7b4b165a2c4bcf198f4aa700763b4b8da3b4cfa4022305b11a6f0050ec6020348ab869b85dddbddeaa27680737df59c04c4458de7b91c8b9eead775d172b1de7544e7427de2576b7ddc99bc3d8328ea80938dc54c65c17081b838fc4331b2f6033447b2acfb2206cb1edd17471c5f66b9d31aa2da11b1a4bc23c9e4be87ffb994b6f85d204ad45fe7bd687b65f2151ed23aa92de9d86b24ac97584447ad5918f1216570dece3460a840f1f33ca4c328238cfe27334340a0173cebea3bb072a6a3b94a4b5e1648f4b2bcc88c92c59d9fac7236bc3480346ba98b92c0b817edec7653f524018cb322e84b7c55c69dfaa314bb65856e6e4f127e0a3c9d95	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8250BED5A214433A66377CBC10EF83F669DA3A67\Blob = 0300000001000000140000008250bed5a214433a66377cbc10ef83f669da3a67090000000100000048000000304606082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b0601050507030606082b060105050703070b0000000100000012000000550043004100200052006f006f0074000000200000000100000088030000308203843082026ca003020102020109300d06092a864886f70d01010505003033310b300906035504061302434e3111300f060355040a1308556e6954727573743111300f0603550403130855434120526f6f74301e170d3034303130313030303030305a170d3239313233313030303030305a3033310b300906035504061302434e3111300f060355040a1308556e6954727573743111300f0603550403130855434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b35d07ca86267d6be2fb38090ecc82c26a1a00a2155fd6e9d401b7560301598ff538692476c25e2bc5f62bbfaffb41fd0f5afcabd783704d3098d19eb276bb92d6bbe9102869283644e8f12cd7587c24d67f023af0816b61603ff433de6de5ea28524ffca91d637c0bbaeaaec46846e4de8fc1a7b2b6585a6d1d2cd98c3ab788cb85d4f7e8035efdb24d50e8d61fffae023f8b4f96213c9bd725c91d3ffb98b159e4f0a93bafb3cd852ce26046cc6f8ea0ebf034c5f1421860ae12ed46751ce5d8a9965abede5ad67867965b937750f26e1bde96514aa6d64b437521668d77ec0284765c4410b61d616ce4a3207db78dba0f9175c78ddfbc0260a829a8bd3d430203010001a381a230819f300b0603551d0f040403020106300c0603551d13040530030101ff30630603551d25045c305a06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030506082b0601050507030606082b0601050507030706082b0601050507030806082b06010505070309301d0603551d0e04160414db1f35f36b4cff4231649bcdbb5a1e1d4810b7ee300d06092a864886f70d01010505000382010100386cb788f1adfa583774d1e870de9c2759cbe415d7a0c360d7888004c5304c3dd41aeb065e5947e6bc66cbe008fce835ec627dcac0dac178afe5466ffb8982238ff6d7536655a0de25123b713616551276fb3df8545b31ba0006f87d55e5a77683aa5c4a97a62a28dfbdc66c0b23958e337f1e5e401f13542c9ce5b50edd1728ae6b01d35229f5221f9039f4dc6268f03c8647ecb80545bbb70c9694c667cb2371d08e7422d641eb03a8b6eabec40112b5b35d40760620d464b82946068ace1f939a10eefbaa5ab4dc2fd52bcbf6d705849805910b84f73dfad6f97afa2c15ea368243b7b7b8e3f37101ed4343a20545c328050735e301a5381e80d4d7c3d9de	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7A74410FB0CD5C972A364B71BF031D88A6510E9E	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\61573A11DF0ED87ED5926522EAD056D744B32371\Blob = 5300000001000000220000003020301e0608608442011a01030330123010060a2b0601040182373c0101030200c00b000000010000002a0000004200750079007000610073007300200043006c0061007300730020003300200043004100200031000000090000000100000020000000301e06082b0601050507030106082b0601050507030206082b0601050507030403000000010000001400000061573a11df0ed87ed5926522ead056d744b32371200000000100000057030000308203533082023ba003020102020102300d06092a864886f70d0101050500304b310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d393833313633333237311d301b06035504030c144275797061737320436c61737320332043412031301e170d3035303530393134313330335a170d3135303530393134313330335a304b310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d393833313633333237311d301b06035504030c144275797061737320436c6173732033204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100a48ed774d92964de5f1f878091ea4e39e619c6440b80d50baf53078b12bde667f002b189f6608ac45bb042d1c021a8cbe19bef6451b6a7cf15f57480680490a058a2e674a653535548633f9256dd244e8ef8ba2bfff3348a9e28d7349fac2fd60ff1a42fbd52b249856d3935f04430934624f3b6e753fbbc61afa9a314fbc21717846ce07c88f8c91c572cf03d7e94bc259384e89a009a4505425780f44eced9ae39f6c853100c653a477b60c2d6fa91c9c6716cbd91873c918649abf30fa06c26765e1cac9b71e58dbc9b211e9cd6387e248015318296b149d362375b880c0a6234fea7487e99b1308b9037951ca81fa52c8df455c8dbdd590ac2ad78a0f48b0203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604143814e6c8f0a9a403f44e3e22a35bf2d6e0ad4074300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820101000167a38cc9253d13635d166feca13e095c91152a2ad980214f05dcbba589ab13332a9e38b78c6f027263c773771e0906ba3b287ba447c9616b080820fc8a058a1fbcbac6c2fecf6eec133371672e69faa92c3f66c012594d0b54029284bbdb12ef83707078c853fadfc6c6ffdc882f07c0499d325760d3f2f699295fe7aa01ccac33a81c0abb91c403a06fb634f986d3b3765498f44a81b3539d4d40ece5771345af5baa1fd82f4c827bfe2ac458bb4ffc9efd03651a2a0ec3a52016946b79a6a212b4bb1aa4237a5ff0ae8424e4f32bfb8a24a3279865da307576fc1991e8dbeb9b3f32bf40970726baccf394854a7a2793cf9042d4b85b16a6e7cb4003dd79	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\55C86F7414AC8BDD6814F4D86AF15F3710E104D0\Blob = 0b00000001000000180000004e0065007400720075007300740020004300410031000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b0601050508020203000000010000001400000055c86f7414ac8bdd6814f4d86af15f3710e104d020000000010000004d0400003082044930820331a00302010202043ac3f61f300d06092a864886f70d0101050500304d310b300906035504061302534731283026060355040a131f4e65747275737420436572746966696361746520417574686f72697479203131143012060355040b130b4e65747275737420434131301e170d3031303333303032323734355a170d3231303333303032353734355a304d310b300906035504061302534731283026060355040a131f4e65747275737420436572746966696361746520417574686f72697479203131143012060355040b130b4e6574727573742043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100e29ccfb5cb377648878ea715c51aa90ba419676e30b13701c201564800346814222fb712d783023fa364ea782dd0b26bccef9b0db0a8d5fbed6c5646251aa5d03ff03d70a6f0f9352dab44bac7790dae5135050a3296389ca5c3fb47e2b30946f1ecdc380cb93e5b95848df23a3fa7b6fb8bbb81e87ec4fa6a5307c5fae93ab2b13dd9f87448e1964b466479f2237139e0c007292bfe007bce7f5d044e60e66c40abe77a198c9cea82132858aaf8dd1abc576dd82fad3f8269fdce4a0dc0ce53ea05aad6f2a47436279189431b9d9f71e6e7032e4a82e144328f2b0afa51375025612f27574b9f4108ab1f98f5b4e23602c5c9a55f7d38d83d3d029388a027eb0203010001a382012f3082012b301106096086480186f8420101040403020007306f0603551d1f046830663064a062a060a45e305c310b300906035504061302534731283026060355040a131f4e65747275737420436572746966696361746520417574686f72697479203131143012060355040b130b4e65747275737420434131310d300b0603550403130443524c31302b0603551d1004243022800f32303031303333303032323734355a810f32303231303333303032353734355a300b0603551d0f040403020106301f0603551d230418301680141d4489b245267f6f6b92c53a7b7263cad2702add301d0603551d0e041604141d4489b245267f6f6b92c53a7b7263cad2702add300c0603551d13040530030101ff301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101006a075656c650055bc650042a92885064aabc731e0cb94d6cf77166f8d1539e5bf87c9df00101a3e64d4e005981d5f22fb60998c13130e7804a9e2b09a14ea5140223f3b6772af7d1be9f229fea34a9396d8b9ceadaf194acceac218e9d9fa4a0adaedb1313fe5be83e30b2f87fec6c89b5921b775fadff24b6dfa25359ff9494e71c109e9ac976b20b7985e79c0d67d974ef27c5f05823e218e996066db84777ffa70ee725adbdd0cf42ad0d7083bff684479352097bfbbbd616e0409a3594d68987c320b74dcbe437e3c397db200e887600a2d5c50d49aed79e478ab41b13463d669e4e3e2802fea1dcdf92dbd10920987cb898e38981d927afe3fd361a45bb	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AB9D58C03F54B1DAE3F7C2D4C6C1EC3694559C37	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2E14DAEC28F0FA1E8E389A4EABEB26C00AD383C3	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A7F8390BA57705096FD36941D42E7198C6D4D9D5\Blob = 030000000100000014000000a7f8390ba57705096fd36941d42e7198c6d4d9d5090000000100000020000000301e06082b0601050507030206082b0601050507030406082b060105050703080b000000010000003e000000530065007200610073006100200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020004900000020000000010000001504000030820411308202f9a003020102020829d77adf92aa4a46300d06092a864886f70d01010505003062310b300906035504061302425231143012060355040a130b53657261736120532e412e31143012060355040b130b5365726173612043412049312730250603550403131e53657261736120436572746966696361746520417574686f726974792049301e170d3034313132363134303234355a170d3234313132313134313234355a3062310b300906035504061302425231143012060355040a130b53657261736120532e412e31143012060355040b130b5365726173612043412049312730250603550403131e53657261736120436572746966696361746520417574686f72697479204930820122300d06092a864886f70d01010105000382010f003082010a0282010100d0bbdcb6e8b3be8c1c6d45dd942b8af3e173d86bbc8613c953db78d8635ebb5737a5881c2e80136b39ac989ed979b1ed27b100aa41727e8d55a944f30fb99849edb84f460f4cbc7f1120b099f2728f5f764505ccebc063c6c13dae9116b8720a39cea15cb647f967d7e5ee6221c6f275960e527acbdd634e89e23b3ba83fa8aec1a4547df30370d68e106c19d613c97f86e02861990f331efbccd6bafd1a79df4d444cad903762badf8e3b30b5d72902b0b0a4fc795f4c02c1f1753219e47689598e61df4b903c31ec7953a26ed60bf463776cba58db52559afc8eadafc898a5e119eef1e9844b927d887fba8a53cc9cf0b582a259bf91f35011a3ea99d1e41d0203010001a381ca3081c730270603551d250420301e06082b0601050507030406082b0601050507030206082b06010505070308305c0603551d1f045530533051a04fa04d864b687474703a2f2f7777772e636572746966696361646f6469676974616c2e636f6d2e62722f7265706f7369746f72696f2f73657261736163612f63726c2f5365726173614341492e63726c301d0603551d0e04160414f838ee5c6eedab96a045eb360fdcd9ab3a3158fd300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d0101050500038201010066d436e62d70fd928808a930aae021aab75067adc0c86c20931771c8aec8696b2cdd13bb7ce24c09b9d6d9b3196b57b06f7547ee759828e8a2dc2fd5e06a26298e3b7911b2d6690ab20ed64d307f35b94a5e9007a2e7257bcefb2aee72289ae80f5a916338b595be643aea18d29cfe64a7e6fa1c5287a58405bc597f3173ec1f0af36711f293201331954e25f9d2be131be32e928a859e5dcf851a52dba2e850e00514e14f8ac8cdb6a5e158035aa5789a8340f81235685dcc8701f9a712ad38f7b5f3ed30b73e8b6eea6ec99ec71b6b9d587c8c1efc1b6ffb72f8744ec55a9e00b9f7ffdbf04deaeac89a48cf2028270353260b9c572ad9e3335f3a5f607282	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E621F3354379059A4B68309D8A2F74221587EC79	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\84F2E3DD83133EA91D19527F02D729BFC15FE667\Blob = 03000000010000001400000084f2e3dd83133ea91d19527f02d729bfc15fe667090000000100000016000000301406082b0601050507030206082b060105050703040b000000010000007a000000530079006d0061006e00740065006300200043006c006100730073002000310020005000750062006c006900630020005000720069006d006100720079002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790020002d0020004700340000002000000001000000ac020000308202a83082022da0030201020210216e33a5cbd388a46f2907b4273cc4d8300a06082a8648ce3d040303308194310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b314530430603550403133c53796d616e74656320436c6173732031205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204734301e170d3131313030353030303030305a170d3338303131383233353935395a308194310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b314530430603550403133c53796d616e74656320436c6173732031205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d2047343076301006072a8648ce3d020106052b8104002203620004d766b51bdbaeb360ee46ea8863753b2a946df35f12f6e30f9eb60a14534852c8dc3ab3cb482026124efa8984d4df91e4297d2801d9db184369a11fb5d38616dcc77f6723dfdf313183033570b14bb7c817bb51cbdc9417dbea093b7612deaab5a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041465c08d25f50cba9777903f9e2ee05af5ced5e1e4300a06082a8648ce3d0403030369003066023100a5aee34653f89836e322fa2e28490dee307e33f3ec3f715ecc55897899acb2fddc1c5c338e29b96b17c81168b5dc83070231009cc844da69c236c35419108502da9d47ef41e76c269d093df76d90d105442fb0bc839368f20c454939bf99041cd310a0	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C09AB0C8AD7114714ED5E21A5A276ADCD5E7EFCB	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D2441AA8C203AECAA96E501F124D52B68FE4C375	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\20D80640DF9B25F512253A11EAF7598AEB14B547\Blob = 53000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c00b000000010000005600000045006e0074007200750073007400200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790020002d0020004500430031000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030803000000010000001400000020d80640df9b25f512253a11eaf7598aeb14b5472000000001000000fd020000308202f930820280a003020102020d00a68b79290000000050d091f9300a06082a8648ce3d0403033081bf310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230313220456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c79313330310603550403132a456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20454331301e170d3132313231383135323533365a170d3337313231383135353533365a3081bf310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230313220456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c79313330310603550403132a456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204543313076301006072a8648ce3d020106052b81040022036200048413c9d0ba6d417be26cd0eb555f66021a24f45b896947e3b8c27df1f202c59fa0f65bd58b0619864f53106d072427a1a0f8d54719614c7dca9327ea740cef6f9609fe63ec705d36ad6777aec99d7c55443aa263511ff5e362d4a947073ecc20a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414b763e71add8de908a65583a4e06a504165114249300a06082a8648ce3d040303036700306402306179d8e54247df1cae539917b66f1c7de1bf1194d1038875e48d89a48a7746de6d61ef02f5fbb5dfccfe4efffea9e6a702305b99d7853706b57b08fdeb278b4a94f9e1faa78e2608e87c92686d73d86f26ac2102b899b726415b2560aed0481aee06	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\06143151E02B45DDBADD5D8E56530DAAE328CF90\Blob = 03000000010000001400000006143151e02b45ddbadd5d8e56530daae328cf90090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b0601050507030606082b06010505070307060a2b0601040182370a030406082b060105050703030b000000010000002e0000004d006100630061006f00200050006f0073007400200065005300690067006e00200054007200750073007400000020000000010000009a050000308205963082037ea003020102021052acbe07114997bb1fbf871b2517bfa4300d06092a864886f70d01010505003065310b3009060355040613024d4f31133011060355040a130a4d6163616f20506f73743141303f060355040313384d6163616f20506f737420655369676e547275737420526f6f742043657274696669636174696f6e20417574686f72697479202847303229301e170d3130303130363030303030305a170d3230303130353233353935395a3065310b3009060355040613024d4f31133011060355040a130a4d6163616f20506f73743141303f060355040313384d6163616f20506f737420655369676e547275737420526f6f742043657274696669636174696f6e20417574686f7269747920284730322930820222300d06092a864886f70d01010105000382020f003082020a0282020100b6f887a774cc5d235eaeab96dcd724281da41466d7a0688c5e9d45d4d429d3b30bebad16ea9d5211c9a4e170e5ddbe0e1c1177eb9fa37078178fb93e175369a9ebf555f99597e9df39769e1f5217b41b0012d0cd3ce3aa49d19e413736f561cd230f57b1f64dd3db0d42530288f4f0a9868b57cf720ad5944b5ada37e53d475967bed38e56d55739d027db9f494fa81654bf785fcf1c9d5ea10b8c8303b30c14c95aa9bbffc6ae59cff5651f238901538ad55b179d9bff98510f4349f7aa2cede5e9863a335073dc52a56b6384e913a27cc7771af3aaa90d0b4e4e1d44c3723b9959e741223b2c545e123196684119d5ed75a7b9575b11f69aa4492f62f30b98511bb33342d2ccd46119c3d3dc9bfb93b262cd36fb8ce91a6e1ab139248e5dd93e3b867c88e6b72703f89551b0bf5037fef84e13011b272d9b92d07257d7a39a56e86ba3f755de405de2081f5cbb51a69eb4dd0ea61a596267867310959d95cdbabfd89c2a0e8b769993d44bb0e8543f0dd88af980cf41fd017a457c7dd63d4ef9624f41257caa6d58561b07b473aa1f111f3cba5323e0ed4acd9689dc48d04d62cb9307f6a0ae53177c5f5c071c054cab4c6aaac20fa0196b7979c27cb3a9fd3dfbcc7c71c5bbbe256d21a7fbd6be60f3b5a9a96c74183fa89e426041f2392d1dc20d73f2e0b1b64a1a18bd776919d7d27ab1dc96359ad8268583b61329c2e30203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604140281b7b666f892456dc271d29fec2fd3ba1fb9ff300d06092a864886f70d0101050500038202010058538bbecf41b24fb6d5de4a68cd65cfc6408aac4b9a5b636dbdf13f595042d0df9ae35f5691b35b9bd9450643ef931bfd33771d06543848f1548c3a536b3b7135097665e9570f43f6919ade10bbba68922a25cb6744096bbf9d9766cba945b6be37991d7525be3d3c636cbfa91347c7728ccbc3cff4f68705998917a83420f1dfa12767d3a723efab59833d1ad82acdc2ad4a300c063a208ba4f8da4637432eb4891d84738a60be64312742c0eb72616dccde7c732be8bf39425e7991ec801baa36764e21e88604970928cb47e740d42c5e1a5e48faaec7e904ea47249bbef1479ed5d57ad15ed485f20b230498d42b9a5672464c419a33f092b4bf41d4bd9bb0b3f1f513d6af5bd4f2d141f0475d7abc7a59f17d6068940e4a4f819222aa1fc43cbe1c3a3a4cf070a17fbb9fdcd2c5a4f1266ee1f326a970fbf1899662155c59a0b523fa966ab21a923d0d244a2bb808fe6fdfdcc2ee96ffcebf7bb8f984ef413be44db98791bac65fc8edf0cb8bd30f91f620de9198c6e74864d1ce5312eec4156ddc80501b13604f795bfc1a9cfea29fa0113391c94b6d3a66962dd338f8d99981b444267fb1e79e706d1d6df52209e4ac1936fb2705d87a9bd9bc9e1bda1937d8f1dd1598641b8f53f0289dac14ba5f69cf9623ee56ac99cd3a8fd55e19e662133a5feb8b5f16c03be1d1938f56613705d0791bfda8bc0f79d2b3e6d366	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9656CD7B57969895D0E141466806FBB8C6110687	updroots.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WscReg.exe360TS_Setup.exeEaInstHelper64.exeQHActiveDefense.exe

pid	process
4476	WscReg.exe
4476	WscReg.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
4300	EaInstHelper64.exe
4300	EaInstHelper64.exe
5068	360TS_Setup.exe
5068	360TS_Setup.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

360TS_Setup.exe

pid process

5068 360TS_Setup.exe

pid	process
5068	360TS_Setup.exe

Suspicious behavior: LoadsDriver 24 IoCs

Processes:

360TS_Setup.exeQHActiveDefense.exe

pid	process
656
656
5068	360TS_Setup.exe
5068	360TS_Setup.exe
656
656
656
656
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
656
656
2296	QHActiveDefense.exe
656
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
2296	QHActiveDefense.exe
656
656
2296	QHActiveDefense.exe
656

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exeDesktopPlus.exe

description	pid	process
Token: SeManageVolumePrivilege	4692	360TS_Setup_Mini.exe
Token: SeLoadDriverPrivilege	5068	360TS_Setup.exe
Token: SeLoadDriverPrivilege	5068	360TS_Setup.exe
Token: SeDebugPrivilege	5068	360TS_Setup.exe
Token: SeDebugPrivilege	5068	360TS_Setup.exe
Token: SeDebugPrivilege	4688	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeShutdownPrivilege	3152	QHSafeTray.exe
Token: SeCreatePagefilePrivilege	3152	QHSafeTray.exe
Token: SeBackupPrivilege	3152	QHSafeTray.exe
Token: SeSecurityPrivilege	3152	QHSafeTray.exe
Token: SeSecurityPrivilege	3152	QHSafeTray.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeDebugPrivilege	3152	QHSafeTray.exe
Token: SeDebugPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	2296	QHActiveDefense.exe
Token: SeAssignPrimaryTokenPrivilege	4516	DesktopPlus.exe
Token: SeIncreaseQuotaPrivilege	4516	DesktopPlus.exe
Token: SeDebugPrivilege	2296	QHActiveDefense.exe
Token: SeDebugPrivilege	3152	QHSafeTray.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

360TS_Setup_Mini.exeQHSafeTray.exePopWndLog.exe

pid	process
4692	360TS_Setup_Mini.exe
4692	360TS_Setup_Mini.exe
4692	360TS_Setup_Mini.exe
3152	QHSafeTray.exe
3152	QHSafeTray.exe
3700	PopWndLog.exe
3152	QHSafeTray.exe
3152	QHSafeTray.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

360TS_Setup_Mini.exeQHSafeTray.exePopWndLog.exe

pid	process
4692	360TS_Setup_Mini.exe
4692	360TS_Setup_Mini.exe
4692	360TS_Setup_Mini.exe
3152	QHSafeTray.exe
3152	QHSafeTray.exe
3700	PopWndLog.exe
3152	QHSafeTray.exe
3152	QHSafeTray.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exeWscReg.exeQHActiveDefense.exeQHSafeTray.exePopWndLog.exeQHActiveDefense.exeDesktopPlus64.exeKB931125-rootsupd.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exe

pid	process
4008	360TS_Setup.exe
5068	360TS_Setup.exe
4476	WscReg.exe
1480	WscReg.exe
4688	QHActiveDefense.exe
3152	QHSafeTray.exe
3700	PopWndLog.exe
3152	QHSafeTray.exe
2296	QHActiveDefense.exe
3832	DesktopPlus64.exe
344	KB931125-rootsupd.exe
4072	updroots.exe
4996	updroots.exe
3420	updroots.exe
2108	updroots.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeWscReg.exeQHActiveDefense.exeQHSafeTray.exePopWndLog.exeDesktopPlus.exeDesktopPlus64.exe

description	pid	process	target process
PID 4692 wrote to memory of 4008	4692	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4692 wrote to memory of 4008	4692	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4692 wrote to memory of 4008	4692	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4008 wrote to memory of 5068	4008	360TS_Setup.exe	360TS_Setup.exe
PID 4008 wrote to memory of 5068	4008	360TS_Setup.exe	360TS_Setup.exe
PID 4008 wrote to memory of 5068	4008	360TS_Setup.exe	360TS_Setup.exe
PID 5068 wrote to memory of 4476	5068	360TS_Setup.exe	WscReg.exe
PID 5068 wrote to memory of 4476	5068	360TS_Setup.exe	WscReg.exe
PID 5068 wrote to memory of 4476	5068	360TS_Setup.exe	WscReg.exe
PID 5068 wrote to memory of 2240	5068	360TS_Setup.exe	bcdedit.exe
PID 5068 wrote to memory of 2240	5068	360TS_Setup.exe	bcdedit.exe
PID 5068 wrote to memory of 3844	5068	360TS_Setup.exe	bcdedit.exe
PID 5068 wrote to memory of 3844	5068	360TS_Setup.exe	bcdedit.exe
PID 5068 wrote to memory of 3452	5068	360TS_Setup.exe	regsvr32.exe
PID 5068 wrote to memory of 3452	5068	360TS_Setup.exe	regsvr32.exe
PID 5068 wrote to memory of 3452	5068	360TS_Setup.exe	regsvr32.exe
PID 3452 wrote to memory of 4176	3452	regsvr32.exe	regsvr32.exe
PID 3452 wrote to memory of 4176	3452	regsvr32.exe	regsvr32.exe
PID 5068 wrote to memory of 2532	5068	360TS_Setup.exe	PowerSaver.exe
PID 5068 wrote to memory of 2532	5068	360TS_Setup.exe	PowerSaver.exe
PID 5068 wrote to memory of 2532	5068	360TS_Setup.exe	PowerSaver.exe
PID 5068 wrote to memory of 1480	5068	360TS_Setup.exe	WscReg.exe
PID 5068 wrote to memory of 1480	5068	360TS_Setup.exe	WscReg.exe
PID 5068 wrote to memory of 1480	5068	360TS_Setup.exe	WscReg.exe
PID 1376 wrote to memory of 4300	1376	WscReg.exe	EaInstHelper64.exe
PID 1376 wrote to memory of 4300	1376	WscReg.exe	EaInstHelper64.exe
PID 5068 wrote to memory of 4688	5068	360TS_Setup.exe	QHActiveDefense.exe
PID 5068 wrote to memory of 4688	5068	360TS_Setup.exe	QHActiveDefense.exe
PID 5068 wrote to memory of 4688	5068	360TS_Setup.exe	QHActiveDefense.exe
PID 2296 wrote to memory of 3152	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 3152	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 3152	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 3152 wrote to memory of 3868	3152	QHSafeTray.exe	QHWatchdog.exe
PID 3152 wrote to memory of 3868	3152	QHSafeTray.exe	QHWatchdog.exe
PID 3152 wrote to memory of 3868	3152	QHSafeTray.exe	QHWatchdog.exe
PID 3152 wrote to memory of 3700	3152	QHSafeTray.exe	PopWndLog.exe
PID 3152 wrote to memory of 3700	3152	QHSafeTray.exe	PopWndLog.exe
PID 3152 wrote to memory of 3700	3152	QHSafeTray.exe	PopWndLog.exe
PID 3152 wrote to memory of 1384	3152	QHSafeTray.exe	QHSafeTray.exe
PID 3152 wrote to memory of 1384	3152	QHSafeTray.exe	QHSafeTray.exe
PID 3152 wrote to memory of 1384	3152	QHSafeTray.exe	QHSafeTray.exe
PID 3700 wrote to memory of 4968	3700	PopWndLog.exe	PopWndLog.exe
PID 3700 wrote to memory of 4968	3700	PopWndLog.exe	PopWndLog.exe
PID 3700 wrote to memory of 4968	3700	PopWndLog.exe	PopWndLog.exe
PID 3152 wrote to memory of 4056	3152	QHSafeTray.exe	regsvr32.exe
PID 3152 wrote to memory of 4056	3152	QHSafeTray.exe	regsvr32.exe
PID 3152 wrote to memory of 4056	3152	QHSafeTray.exe	regsvr32.exe
PID 2296 wrote to memory of 3204	2296	QHActiveDefense.exe	QHWatchdog.exe
PID 2296 wrote to memory of 3204	2296	QHActiveDefense.exe	QHWatchdog.exe
PID 2296 wrote to memory of 3204	2296	QHActiveDefense.exe	QHWatchdog.exe
PID 2296 wrote to memory of 5088	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 5088	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 5088	2296	QHActiveDefense.exe	QHSafeTray.exe
PID 3152 wrote to memory of 4516	3152	QHSafeTray.exe	DesktopPlus.exe
PID 3152 wrote to memory of 4516	3152	QHSafeTray.exe	DesktopPlus.exe
PID 3152 wrote to memory of 4516	3152	QHSafeTray.exe	DesktopPlus.exe
PID 4516 wrote to memory of 3832	4516	DesktopPlus.exe	DesktopPlus64.exe
PID 4516 wrote to memory of 3832	4516	DesktopPlus.exe	DesktopPlus64.exe
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE
PID 3832 wrote to memory of 2644	3832	DesktopPlus64.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files (x86)\1672330468_0\360TS_Setup.exe
"C:\Program Files (x86)\1672330468_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\1672330488_00000000_wscreg\WscReg.exe
/regas:1_1
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on
5⤵
- Modifies boot configuration data using bcdedit
PID:2240

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set flightsigning on
5⤵
- Modifies boot configuration data using bcdedit
PID:3844

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
6⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4176

C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious use of SetWindowsHookEx
PID:344

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
5⤵
PID:4364

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
6⤵
PID:628

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
"C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
/showtrayicon
2⤵
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install
3⤵
- Executes dropped EXE
PID:3868

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon
4⤵
- Executes dropped EXE
PID:4968

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1384

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"
3⤵
PID:4056

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe" /lowrun
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch
2⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5088

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"
2⤵
PID:4320

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"
2⤵
PID:3368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1672330468_0\360TS_Setup.exe

Filesize
92.8MB

MD5
4b78ca0f2616ea2062401e4aab555433

SHA1
c9b3c66e9198f0a8dc640c53dd08af346cc63027

SHA256
a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f

SHA512
978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1

Download Submit
C:\Program Files (x86)\1672330468_0\360TS_Setup.exe

Filesize
92.8MB

MD5
4b78ca0f2616ea2062401e4aab555433

SHA1
c9b3c66e9198f0a8dc640c53dd08af346cc63027

SHA256
a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f

SHA512
978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll

Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360NetBase.dll

Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
C:\Program Files (x86)\360\Total Security\360TSCommon.dll

Filesize
483KB

MD5
fd9ec3f6ae3ec4e72c7d8adb9d977480

SHA1
304b83eb514354a86c9b136ac32badcec616fed8

SHA256
deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918

SHA512
22a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll

Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll

Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll

Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll

Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll

Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll

Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll

Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\QHVer.dll

Filesize
22KB

MD5
8338ded55a057f285dd476d0a65961d1

SHA1
40e80790eec0300a1bb3a90bc3dd3a058dcdb58d

SHA256
9f48f5b3d0086c61ec00a54d14bb48f55d118045a96c7f0e153ed187c2247202

SHA512
54073a45b5fcd4bfbe8e2b8d632eaeaa1669bd69ba3f728dff13f5a3cd20713eb3e96b16d8b45bac6ca9bcafbdbc727214824a165bbb4b43ea74e08a0ec817e1

Download Submit
C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe

Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe

Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe

Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\config.ini

Filesize
146B

MD5
259b45ba3e50c2921cbe47da65d08651

SHA1
e694804d77e49bdf69943501fab96533e281b653

SHA256
6228e04578135ea2b289038dbb9cd3e854626ddcc77905c955783f505d67511c

SHA512
9d4cb718772dd4131ce937ed72a634cf06798b7f5363e93d711228aea01454fb6ae50071d79023897993d2891fa7f3654b781eafd15389fd53de88ab4c1bcab2

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\360FsFlt_win10.sys

Filesize
527KB

MD5
0e91072224732381b04b5b7001cce459

SHA1
5d1c1ed761d99d7356641672bc38e4efb74ecafc

SHA256
726a10a2f2e03bd5d85ba58d877606c42338245f7471aed88442dffd807605b1

SHA512
5f453a45d7a2ab3e10898ab6d17526864c6ee8217f0825092a5a5288089cd310e0a33eb93c1b828987f5977229bfe8e0f39180050a47b26b6c24624b4cb0957a

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\BAPI.dll

Filesize
247KB

MD5
c9dcd0eb8bc1ac4abb1e978de496d11a

SHA1
43ed0869766dc114ab05baa2095c907dea5a1827

SHA256
a173bd0c2bc2b1626c721da9530f3a1b2f2e3006383b533899a78edebab78c74

SHA512
151fe785153aef21b262347212cc035ba606ae86e24021ee436cded6b5746c4e0b7239664ee9aff5add0f2402a95f6035d9cd003b504c8e08554569b3659966a

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dll

Filesize
111KB

MD5
b2fd7b345d3683210a2a465a886ddb9e

SHA1
2aa774cbae5c9460945ffb850b990d3159c091f6

SHA256
eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1

SHA512
62e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt.dll

Filesize
53KB

MD5
da5e35c6395a34acaa5a0eb9b71ff85a

SHA1
5da7e723aaa5859ab8f227455d80d8afa7696e22

SHA256
5e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172

SHA512
49660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\AVCheck.dll

Filesize
321KB

MD5
0fc2f13d9e0cfbd4903a77051348d16a

SHA1
c1df2fe56cbd15271020e48751c39ab482f6eaca

SHA256
7b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b

SHA512
6977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc

Download Submit
C:\Program Files (x86)\360\Total Security\i18n.dll

Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\UrlSettings.dll.locale

Filesize
22KB

MD5
627cbb9d1671cd7a553cb9e59e765bbf

SHA1
4a4916f14c4ca7d26dac88ff4a5884761d8c5a70

SHA256
063e660b1e32cbaefb8b928f1fa638853bbcb6b996bb08496fc861fc5425a840

SHA512
cfe0246353d9670ac7d77994633e8c55aca4a3ecc889c52d09949e427d5e5e06056678de15ecc3017af81ca6ca1333f624f8652a7488dd4e317c6a46c8719237

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\safemon\360procmon.dll.locale

Filesize
106KB

MD5
7bdac7623fb140e69d7a572859a06457

SHA1
e094b2fe3418d43179a475e948a4712b63dec75b

SHA256
51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd

SHA512
fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\i18n.ini

Filesize
246B

MD5
dfc82f7a034959dac18c530c1200b62c

SHA1
9dd98389b8fd252124d7eaba9909652a1c164302

SHA256
f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919

SHA512
0acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360Box.dll

Filesize
50KB

MD5
f398c9c333589ed57bb5a99eb2d32d13

SHA1
1fcac85e06506f332cae1d29451abe6808d8d39b

SHA256
1587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602

SHA512
0282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360hvm.dll

Filesize
23KB

MD5
e540bc23b3f5934dee4d7b7b39fc3ac2

SHA1
465f0b0e4fe49b81a43980dd0cf40e068e98abed

SHA256
e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421

SHA512
39412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll

Filesize
171KB

MD5
bc8917f469a0e356c015ad6a31acc134

SHA1
a2e0fbcff53018ed92754065beb0a16e35339cf3

SHA256
4f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9

SHA512
f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dll

Filesize
59KB

MD5
bdce31fc701c9aa16ca392a561ba102d

SHA1
58bbdeb96e7819b00d60f0e6580dfc455774a9f7

SHA256
3305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b

SHA512
2a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\sbmon.dll

Filesize
366KB

MD5
c0805da6b17d760418fd2fd031880934

SHA1
f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5

SHA256
edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612

SHA512
f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dll

Filesize
382KB

MD5
30c9d5470142edf4d69b00aff040f822

SHA1
7c21ed33749b58c10ad7e1d95c922244eec62fcf

SHA256
b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247

SHA512
c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\netmstart.dll

Filesize
169KB

MD5
b1f70f9be9df8bb186c5bc5159690a1f

SHA1
0c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2

SHA256
ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2

SHA512
188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360HipsPopWnd.dll

Filesize
790KB

MD5
c77481cac4c9411aa1ead1de68c7798d

SHA1
f2288af2ee58e25de2a11da09589bb61e94ae5cb

SHA256
eb04cc2139f21f62107afaf03939c49515730cce4ed0f0e6d12199445b5f377a

SHA512
bbde3700933d5264ec024f866dc1c6b5d7e51d6368f3614aa95fbbe93fb9ee593e87f61e7f945d141d883d4d2a07c22114bb98e262f2afbccc7ec485cffde3cc

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360SPTool.exe

Filesize
165KB

MD5
259affe7b271b29d4b04d678c94bc776

SHA1
073f326b4ce111ace97df011f8ffb78bbefcdbd2

SHA256
92d35442715cb9c7dee115e146daa72bbb5c408ae03bb6bb5b6f834ff1867444

SHA512
e042c2ecb0f2f53a2d1555799d30aff474dfeea01033761f7f9298fa5575f5c23db5819bd850209c1b916ba3d7bd8f32a31c8b81ab9ac65a0d0a27be353aeb63

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll

Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll

Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll

Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe

Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe

Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\360elam64.sys

Filesize
16KB

MD5
67e72ee5dcd6e2c69d9c1f457fd0e3c9

SHA1
1da65ca2fd47f10ec7eac55fdb5bfce19bb90de3

SHA256
7f3f8cde5989c7339f4862dd44ecd827fbf06d0ae6152c17907e27e822e0bf82

SHA512
d715cc1761a025e0df4296a4c37c4e799c6006dce6bf63215f9864cf853cc5f7917fd24baa1cac775e8b74005eebb6fc42b211876bf386af0062364c6ee2fd77

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\EaInstHelper64.exe

Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
2KB

MD5
f7d1d25a4bb9539426866bd092721c19

SHA1
5c2bf9edfdae783797538617e6b453f984d37167

SHA256
73783350d643231a95bd81354713994eeb2ebd3cc6e80733922f2ff7e232fd37

SHA512
55b08279b76e264847c53396e22c71cea9a8296fe38948fc6f2a44c2af4a3101f072d8038c8a45e934f0000c102dda5ad6c09a4d5d80a4b6f61277aeb8ee61a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a2b3de2676790ac64a1bc51ba3e667d1

SHA1
2a7f7090fed2ddd299339197428a9fafc3fd349b

SHA256
aa8cdcc9c8c19d24037aa62dfb529b22d25a7eb3927d35f59572c153c81c5a4a

SHA512
ab9e80a077a2fe486630e4d7fb159994224fce41c6fbc6197cc600e4fac86d504e8b3d1670ca628fb45792498be42a80e1c6b0af4b3e7451bc039222ea123ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
488B

MD5
143b26e9454944a0f8d6c1cb429b7139

SHA1
b2027dbc7b8b6f921a6e2865cb6a2def1967aed2

SHA256
1a91c2b3d41e72401a2af2e5f615c3d5eb6a2858bd05fe138758328dfb08c93e

SHA512
47e0c34616e4f89b7c34a33435d2e14e5a6a38a246a730fadfc378031aad16e0f5c45b40d4c0b12d1f5e9c8bfa61abb6f27ea90408cf218f94fb842f55f2b496

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
77866833de1d6ced8bca595723d8c366

SHA1
0d0ca49de50e72612e543d1c4f76cdbfe64d57f5

SHA256
89f6c41ca9e4c884a04d0f72f16b38dde5314d230f08e1e6f15558d38e9eae41

SHA512
015fd27cc4a5aa6a790993c8ae201cc5f7c8a5728ef9e76cde3d757d0eb0bab409f95d6f723b2eeeaf53327e8629d746475ab1945f2494154ca0a3a94669e78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1672330461_00000000_base\360base.dll

Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1672330479_00000000_base\360base.dll

Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1672330488_00000000_wscreg\WscReg.exe

Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1672330488_00000000_wscreg\WscReg.exe

Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
92.8MB

MD5
4b78ca0f2616ea2062401e4aab555433

SHA1
c9b3c66e9198f0a8dc640c53dd08af346cc63027

SHA256
a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f

SHA512
978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe

Filesize
92.8MB

MD5
4b78ca0f2616ea2062401e4aab555433

SHA1
c9b3c66e9198f0a8dc640c53dd08af346cc63027

SHA256
a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f

SHA512
978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20221229161441_240614843\7z.dll

Filesize
1.1MB

MD5
e74067bfda81cd82fe3a5fc2fdb87e2b

SHA1
de961204751d9af1bab9c2a9ba16edc7a4ae7388

SHA256
898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e

SHA512
c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F29EEB7C-07FB-429c-BD20-6D37D07E0743}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/344-217-0x0000000000000000-mapping.dmp

Download
memory/628-228-0x0000000000000000-mapping.dmp

Download
memory/1384-210-0x0000000000000000-mapping.dmp

Download
memory/1480-179-0x0000000000000000-mapping.dmp

Download
memory/2108-223-0x0000000000000000-mapping.dmp

Download
memory/2240-152-0x0000000000000000-mapping.dmp

Download
memory/2532-174-0x0000000000000000-mapping.dmp

Download
memory/3152-207-0x0000000000000000-mapping.dmp

Download
memory/3204-213-0x0000000000000000-mapping.dmp

Download
memory/3368-219-0x0000000000000000-mapping.dmp

Download
memory/3420-222-0x0000000000000000-mapping.dmp

Download
memory/3452-169-0x0000000000000000-mapping.dmp

Download
memory/3700-209-0x0000000000000000-mapping.dmp

Download
memory/3832-225-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/3832-229-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-233-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-232-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-231-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-230-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-227-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3832-216-0x0000000000000000-mapping.dmp

Download
memory/3832-226-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3844-153-0x0000000000000000-mapping.dmp

Download
memory/3868-208-0x0000000000000000-mapping.dmp

Download
memory/4008-133-0x0000000000000000-mapping.dmp

Download
memory/4056-212-0x0000000000000000-mapping.dmp

Download
memory/4072-220-0x0000000000000000-mapping.dmp

Download
memory/4176-172-0x0000000000000000-mapping.dmp

Download
memory/4300-185-0x0000000000000000-mapping.dmp

Download
memory/4320-218-0x0000000000000000-mapping.dmp

Download
memory/4364-224-0x0000000000000000-mapping.dmp

Download
memory/4476-145-0x0000000000000000-mapping.dmp

Download
memory/4516-215-0x0000000000000000-mapping.dmp

Download
memory/4688-188-0x0000000000000000-mapping.dmp

Download
memory/4968-211-0x0000000000000000-mapping.dmp

Download
memory/4996-221-0x0000000000000000-mapping.dmp

Download
memory/5068-137-0x0000000000000000-mapping.dmp

Download
memory/5088-214-0x0000000000000000-mapping.dmp

Download