Analysis
-
max time kernel
400s -
max time network
402s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-12-2022 00:48
General
-
Target
360TS_Setup_Mini.exe
-
Size
1.5MB
-
MD5
858ee6ceb590822f57d2d98a32e3c5af
-
SHA1
0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
-
SHA256
3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
-
SHA512
ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
-
SSDEEP
24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Signatures
-
Modifies system executable filetype association 2 TTPs 10 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 13 IoCs
-
Executes dropped EXE 49 IoCs
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Sets service image path in registry 2 TTPs 14 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 15 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks for any installed AV software in registry 1 TTPs 44 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 17 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 14 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 24 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Control Panel 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 18 IoCs
-
Modifies data under HKEY_USERS 57 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\1672365003_0\360TS_Setup.exe"C:\Program Files (x86)\1672365003_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1672365048_00000000_wscreg\WscReg.exe/regas:1_15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\bcdedit.exe"C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe"C:\Windows\system32\bcdedit.exe" /set flightsigning on5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"6⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"5⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"6⤵
-
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe"C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe/showtrayicon2⤵
- Executes dropped EXE
- Sets service image path in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=13⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"3⤵
-
C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe" /lowrun4⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"2⤵
-
C:\Program Files (x86)\360\Total Security\QHSafeMain.exe"C:\Program Files (x86)\360\Total Security\QHSafeMain.exe" /install2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\PromoUtil.exe"C:\Program Files (x86)\360\Total Security\PromoUtil.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe/lang=en4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe"C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3136.0.1442896302\1287148021" /prefetch:15⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe"C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3136.1.1511230812\1430405047" /prefetch:15⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe"C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=utility --channel="3136.2.775570120\1113285401" --lang=en-US --no-sandbox --no-sandbox --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable /prefetch:85⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe"C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe" /tools_src=page3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe"C:\Program Files (x86)\360\Total Security\LiveUpdate360.exe" /s4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe"C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe" /installproxy4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Public\Downloads\WinRAR_is_64.exe"C:\Users\Public\Downloads\WinRAR_is_64.exe" /S5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup6⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe"C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe" /installproxy4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Public\Downloads\Opera_90.0.4480.80_Setup.exe"C:\Users\Public\Downloads\Opera_90.0.4480.80_Setup.exe" --silent --allusers=0 --otd="utm.medium:pb,utm.source:360,utm.campaign:noext"5⤵
- Executes dropped EXE
-
C:\Users\Public\Downloads\Opera_90.0.4480.80_Setup.exeC:\Users\Public\Downloads\Opera_90.0.4480.80_Setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=90.0.4480.80 --initial-client-data=0x324,0x328,0x32c,0x300,0x330,0x6f2389c8,0x6f2389d8,0x6f2389e46⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe"C:\Program Files (x86)\360\Total Security\softmgr\360InstantSetup.exe" /installproxy4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Public\Downloads\SkypeSetupFull_7.32.99.104_is.exe"C:\Users\Public\Downloads\SkypeSetupFull_7.32.99.104_is.exe" /VERYSILENT /SP- /NOCANCEL /NORESTART /SUPPRESSMSGBOXES /NOLAUNCH /DIR="C:\Program Files (x86)\Skype\"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\360\Total Security\PromoUtil.exe/tp:10094⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna.exe"C:\Program Files (x86)\360\Total Security\360DeskAna.exe" lspscan 32 \\.\pipe\lspscanalsqjzqy3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna.exe"C:\Program Files (x86)\360\Total Security\360DeskAna.exe" lspscan 32 \\.\pipe\lspscanalsqjzqy3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360DeskAna64.exe"C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe"C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe" /delay:302⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\gpupdate.exeC:\Windows\system32\gpupdate.exe /force2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3942D63F2367407F737E9D0CBF7AA2742⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2C822A9FD65783285D70C5D4B8D3D6C9 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\SysWOW64\attrib.exe" +r "C:\program files (x86)\skype"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
4Winlogon Helper DLL
1Bootkit
1Hidden Files and Directories
1Defense Evasion
Modify Registry
7Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\1672365003_0\360TS_Setup.exeFilesize
92.8MB
MD54b78ca0f2616ea2062401e4aab555433
SHA1c9b3c66e9198f0a8dc640c53dd08af346cc63027
SHA256a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f
SHA512978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1
-
C:\Program Files (x86)\1672365003_0\360TS_Setup.exeFilesize
92.8MB
MD54b78ca0f2616ea2062401e4aab555433
SHA1c9b3c66e9198f0a8dc640c53dd08af346cc63027
SHA256a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f
SHA512978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360Base.dllFilesize
965KB
MD54f241e5de9091f6d78469bf1dc141cbd
SHA1dec02d084f94049a4087a0f23db063ecaf98269a
SHA256b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659
SHA5122cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a
-
C:\Program Files (x86)\360\Total Security\360NetBase.dllFilesize
1.4MB
MD514c6b4bbd31f6fd13530bc941cc71d1a
SHA1ce4e38ac82a54f64d318507ddc28f9ffbb378f0f
SHA256401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5
SHA512c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95
-
C:\Program Files (x86)\360\Total Security\360TSCommon.dllFilesize
483KB
MD5fd9ec3f6ae3ec4e72c7d8adb9d977480
SHA1304b83eb514354a86c9b136ac32badcec616fed8
SHA256deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918
SHA51222a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd
-
C:\Program Files (x86)\360\Total Security\CrashReport.dllFilesize
170KB
MD594a08d898c2029877e752203a477d22f
SHA1d8a4c261b94319b4707ee201878658424e554f36
SHA25607ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169
SHA51279a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6
-
C:\Program Files (x86)\360\Total Security\CrashReport.dllFilesize
170KB
MD594a08d898c2029877e752203a477d22f
SHA1d8a4c261b94319b4707ee201878658424e554f36
SHA25607ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169
SHA51279a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6
-
C:\Program Files (x86)\360\Total Security\I18N.dllFilesize
95KB
MD57e181b91215ae31b6717926501093bc4
SHA18fcf05c9ac64c46c87acc1ec67631e7b66363d9e
SHA256239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9
SHA5120df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f
-
C:\Program Files (x86)\360\Total Security\I18N.dllFilesize
95KB
MD57e181b91215ae31b6717926501093bc4
SHA18fcf05c9ac64c46c87acc1ec67631e7b66363d9e
SHA256239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9
SHA5120df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f
-
C:\Program Files (x86)\360\Total Security\MenuEx64.dllFilesize
388KB
MD5d569954dc1054b6e7d3b495782634034
SHA1dfaf57da05704261aa54afaa658d4e61a64fa7f2
SHA25611294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80
SHA512b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e
-
C:\Program Files (x86)\360\Total Security\MenuEx64.dllFilesize
388KB
MD5d569954dc1054b6e7d3b495782634034
SHA1dfaf57da05704261aa54afaa658d4e61a64fa7f2
SHA25611294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80
SHA512b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e
-
C:\Program Files (x86)\360\Total Security\MenuEx64.dllFilesize
388KB
MD5d569954dc1054b6e7d3b495782634034
SHA1dfaf57da05704261aa54afaa658d4e61a64fa7f2
SHA25611294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80
SHA512b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e
-
C:\Program Files (x86)\360\Total Security\QHVer.dllFilesize
22KB
MD58338ded55a057f285dd476d0a65961d1
SHA140e80790eec0300a1bb3a90bc3dd3a058dcdb58d
SHA2569f48f5b3d0086c61ec00a54d14bb48f55d118045a96c7f0e153ed187c2247202
SHA51254073a45b5fcd4bfbe8e2b8d632eaeaa1669bd69ba3f728dff13f5a3cd20713eb3e96b16d8b45bac6ca9bcafbdbc727214824a165bbb4b43ea74e08a0ec817e1
-
C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exeFilesize
146KB
MD5bebc39160a8446ec0e9693f5da3e8380
SHA19c4a2817429159eb4357ead9fca2d07d9d7c3f21
SHA256ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56
SHA51267281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718
-
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exeFilesize
145KB
MD5a99cc896f427963a7b7545a85a09b743
SHA1360dec0169904782cfe871ba32d0ed3563c8fa62
SHA256192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559
SHA5125d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285
-
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exeFilesize
145KB
MD5a99cc896f427963a7b7545a85a09b743
SHA1360dec0169904782cfe871ba32d0ed3563c8fa62
SHA256192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559
SHA5125d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285
-
C:\Program Files (x86)\360\Total Security\config.iniFilesize
146B
MD5259b45ba3e50c2921cbe47da65d08651
SHA1e694804d77e49bdf69943501fab96533e281b653
SHA2566228e04578135ea2b289038dbb9cd3e854626ddcc77905c955783f505d67511c
SHA5129d4cb718772dd4131ce937ed72a634cf06798b7f5363e93d711228aea01454fb6ae50071d79023897993d2891fa7f3654b781eafd15389fd53de88ab4c1bcab2
-
C:\Program Files (x86)\360\Total Security\deepscan\360FsFlt_win10.sysFilesize
527KB
MD50e91072224732381b04b5b7001cce459
SHA15d1c1ed761d99d7356641672bc38e4efb74ecafc
SHA256726a10a2f2e03bd5d85ba58d877606c42338245f7471aed88442dffd807605b1
SHA5125f453a45d7a2ab3e10898ab6d17526864c6ee8217f0825092a5a5288089cd310e0a33eb93c1b828987f5977229bfe8e0f39180050a47b26b6c24624b4cb0957a
-
C:\Program Files (x86)\360\Total Security\deepscan\BAPI.dllFilesize
247KB
MD5c9dcd0eb8bc1ac4abb1e978de496d11a
SHA143ed0869766dc114ab05baa2095c907dea5a1827
SHA256a173bd0c2bc2b1626c721da9530f3a1b2f2e3006383b533899a78edebab78c74
SHA512151fe785153aef21b262347212cc035ba606ae86e24021ee436cded6b5746c4e0b7239664ee9aff5add0f2402a95f6035d9cd003b504c8e08554569b3659966a
-
C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dllFilesize
111KB
MD5b2fd7b345d3683210a2a465a886ddb9e
SHA12aa774cbae5c9460945ffb850b990d3159c091f6
SHA256eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1
SHA51262e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c
-
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt.dllFilesize
53KB
MD5da5e35c6395a34acaa5a0eb9b71ff85a
SHA15da7e723aaa5859ab8f227455d80d8afa7696e22
SHA2565e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172
SHA51249660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c
-
C:\Program Files (x86)\360\Total Security\filemon\AVCheck.dllFilesize
321KB
MD50fc2f13d9e0cfbd4903a77051348d16a
SHA1c1df2fe56cbd15271020e48751c39ab482f6eaca
SHA2567b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b
SHA5126977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc
-
C:\Program Files (x86)\360\Total Security\i18n.dllFilesize
95KB
MD57e181b91215ae31b6717926501093bc4
SHA18fcf05c9ac64c46c87acc1ec67631e7b66363d9e
SHA256239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9
SHA5120df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f
-
C:\Program Files (x86)\360\Total Security\i18n\en\UrlSettings.dll.localeFilesize
22KB
MD5627cbb9d1671cd7a553cb9e59e765bbf
SHA14a4916f14c4ca7d26dac88ff4a5884761d8c5a70
SHA256063e660b1e32cbaefb8b928f1fa638853bbcb6b996bb08496fc861fc5425a840
SHA512cfe0246353d9670ac7d77994633e8c55aca4a3ecc889c52d09949e427d5e5e06056678de15ecc3017af81ca6ca1333f624f8652a7488dd4e317c6a46c8719237
-
C:\Program Files (x86)\360\Total Security\i18n\en\safemon\360procmon.dll.localeFilesize
106KB
MD57bdac7623fb140e69d7a572859a06457
SHA1e094b2fe3418d43179a475e948a4712b63dec75b
SHA25651475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd
SHA512fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2
-
C:\Program Files (x86)\360\Total Security\i18n\i18n.iniFilesize
246B
MD5dfc82f7a034959dac18c530c1200b62c
SHA19dd98389b8fd252124d7eaba9909652a1c164302
SHA256f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919
SHA5120acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5
-
C:\Program Files (x86)\360\Total Security\ipc\360Box.dllFilesize
50KB
MD5f398c9c333589ed57bb5a99eb2d32d13
SHA11fcac85e06506f332cae1d29451abe6808d8d39b
SHA2561587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602
SHA5120282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c
-
C:\Program Files (x86)\360\Total Security\ipc\360hvm.dllFilesize
23KB
MD5e540bc23b3f5934dee4d7b7b39fc3ac2
SHA1465f0b0e4fe49b81a43980dd0cf40e068e98abed
SHA256e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421
SHA51239412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764
-
C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dllFilesize
171KB
MD5bc8917f469a0e356c015ad6a31acc134
SHA1a2e0fbcff53018ed92754065beb0a16e35339cf3
SHA2564f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9
SHA512f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8
-
C:\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dllFilesize
59KB
MD5bdce31fc701c9aa16ca392a561ba102d
SHA158bbdeb96e7819b00d60f0e6580dfc455774a9f7
SHA2563305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b
SHA5122a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863
-
C:\Program Files (x86)\360\Total Security\ipc\sbmon.dllFilesize
366KB
MD5c0805da6b17d760418fd2fd031880934
SHA1f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5
SHA256edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612
SHA512f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae
-
C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dllFilesize
382KB
MD530c9d5470142edf4d69b00aff040f822
SHA17c21ed33749b58c10ad7e1d95c922244eec62fcf
SHA256b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247
SHA512c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f
-
C:\Program Files (x86)\360\Total Security\netmon\netmstart.dllFilesize
169KB
MD5b1f70f9be9df8bb186c5bc5159690a1f
SHA10c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2
SHA256ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2
SHA512188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231
-
C:\Program Files (x86)\360\Total Security\safemon\360HipsPopWnd.dllFilesize
790KB
MD5c77481cac4c9411aa1ead1de68c7798d
SHA1f2288af2ee58e25de2a11da09589bb61e94ae5cb
SHA256eb04cc2139f21f62107afaf03939c49515730cce4ed0f0e6d12199445b5f377a
SHA512bbde3700933d5264ec024f866dc1c6b5d7e51d6368f3614aa95fbbe93fb9ee593e87f61e7f945d141d883d4d2a07c22114bb98e262f2afbccc7ec485cffde3cc
-
C:\Program Files (x86)\360\Total Security\safemon\360SPTool.exeFilesize
165KB
MD5259affe7b271b29d4b04d678c94bc776
SHA1073f326b4ce111ace97df011f8ffb78bbefcdbd2
SHA25692d35442715cb9c7dee115e146daa72bbb5c408ae03bb6bb5b6f834ff1867444
SHA512e042c2ecb0f2f53a2d1555799d30aff474dfeea01033761f7f9298fa5575f5c23db5819bd850209c1b916ba3d7bd8f32a31c8b81ab9ac65a0d0a27be353aeb63
-
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dllFilesize
470KB
MD583f8ed9de87847a744d5c9886497c35a
SHA1ebd215ec6eff04b395f4ddffa77b5f06d43d2e74
SHA2560f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b
SHA512c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1
-
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dllFilesize
470KB
MD583f8ed9de87847a744d5c9886497c35a
SHA1ebd215ec6eff04b395f4ddffa77b5f06d43d2e74
SHA2560f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b
SHA512c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1
-
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dllFilesize
470KB
MD583f8ed9de87847a744d5c9886497c35a
SHA1ebd215ec6eff04b395f4ddffa77b5f06d43d2e74
SHA2560f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b
SHA512c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1
-
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exeFilesize
1.1MB
MD57e0bce805d94db8b88971a0fe03ec52e
SHA1f4ce366ed9958d1f25426e5914b6806aa9790a33
SHA256e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2
SHA512d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b
-
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exeFilesize
1.1MB
MD57e0bce805d94db8b88971a0fe03ec52e
SHA1f4ce366ed9958d1f25426e5914b6806aa9790a33
SHA256e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2
SHA512d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b
-
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exeFilesize
2.9MB
MD5c7dbfd0d17929c83f12080eb4680595f
SHA1210f608a7929bf4085815522ffe2695063125e69
SHA256a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75
SHA5127d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3
-
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exeFilesize
2.9MB
MD5c7dbfd0d17929c83f12080eb4680595f
SHA1210f608a7929bf4085815522ffe2695063125e69
SHA256a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75
SHA5127d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3
-
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exeFilesize
2.9MB
MD5c7dbfd0d17929c83f12080eb4680595f
SHA1210f608a7929bf4085815522ffe2695063125e69
SHA256a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75
SHA5127d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3
-
C:\Program Files (x86)\360\Total Security\softmgr\360elam64.sysFilesize
16KB
MD567e72ee5dcd6e2c69d9c1f457fd0e3c9
SHA11da65ca2fd47f10ec7eac55fdb5bfce19bb90de3
SHA2567f3f8cde5989c7339f4862dd44ecd827fbf06d0ae6152c17907e27e822e0bf82
SHA512d715cc1761a025e0df4296a4c37c4e799c6006dce6bf63215f9864cf853cc5f7917fd24baa1cac775e8b74005eebb6fc42b211876bf386af0062364c6ee2fd77
-
C:\Program Files (x86)\360\Total Security\softmgr\EaInstHelper64.exeFilesize
146KB
MD5bebc39160a8446ec0e9693f5da3e8380
SHA19c4a2817429159eb4357ead9fca2d07d9d7c3f21
SHA256ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56
SHA51267281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8Filesize
2KB
MD5f7d1d25a4bb9539426866bd092721c19
SHA15c2bf9edfdae783797538617e6b453f984d37167
SHA25673783350d643231a95bd81354713994eeb2ebd3cc6e80733922f2ff7e232fd37
SHA51255b08279b76e264847c53396e22c71cea9a8296fe38948fc6f2a44c2af4a3101f072d8038c8a45e934f0000c102dda5ad6c09a4d5d80a4b6f61277aeb8ee61a4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD5a2b3de2676790ac64a1bc51ba3e667d1
SHA12a7f7090fed2ddd299339197428a9fafc3fd349b
SHA256aa8cdcc9c8c19d24037aa62dfb529b22d25a7eb3927d35f59572c153c81c5a4a
SHA512ab9e80a077a2fe486630e4d7fb159994224fce41c6fbc6197cc600e4fac86d504e8b3d1670ca628fb45792498be42a80e1c6b0af4b3e7451bc039222ea123ef5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8Filesize
488B
MD5b18d5effe8f626bda1a932cd6a712cb0
SHA120fd0504e4d3f8ba9c05fd3eb4c2cb26187df651
SHA2560d6c186b346da805a366778f1887dab1546d7b525040c058c796808e9cc61ab0
SHA512994dcaba79bf4da90984ef8744bec67d1d4314e6c601d848116c42e00fb44b0b5714faf7f77347746d6c6ab1a45db4b5e9f22bb90de1750943218efd2b917ea9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD5d1f2cab0c3855401dd723e00fc929fa1
SHA16b8050d97a6fc5302beddf4a55b11c04fcb068dc
SHA2563a7f308430576b15a7d39e6b6e15626ad19a94df0d2775cb4b4dd0b786b1035d
SHA512e3238ab8b4965ef184b766da040cb49c92e242612c3e3a1ab5d1709f79a147add21ef9c2269ce8905916b9d37537effe34effffce3f2badbc9e345d5c93855ee
-
C:\Users\Admin\AppData\Local\Temp\1672364999_00000000_base\360base.dllFilesize
884KB
MD58c42fc725106cf8276e625b4f97861bc
SHA19c4140730cb031c29fc63e17e1504693d0f21c13
SHA256d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22
SHA512f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105
-
C:\Users\Admin\AppData\Local\Temp\1672365023_00000000_base\360base.dllFilesize
884KB
MD58c42fc725106cf8276e625b4f97861bc
SHA19c4140730cb031c29fc63e17e1504693d0f21c13
SHA256d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22
SHA512f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105
-
C:\Users\Admin\AppData\Local\Temp\1672365048_00000000_wscreg\WscReg.exeFilesize
2.9MB
MD5c7dbfd0d17929c83f12080eb4680595f
SHA1210f608a7929bf4085815522ffe2695063125e69
SHA256a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75
SHA5127d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3
-
C:\Users\Admin\AppData\Local\Temp\1672365048_00000000_wscreg\WscReg.exeFilesize
2.9MB
MD5c7dbfd0d17929c83f12080eb4680595f
SHA1210f608a7929bf4085815522ffe2695063125e69
SHA256a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75
SHA5127d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3
-
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exeFilesize
92.8MB
MD54b78ca0f2616ea2062401e4aab555433
SHA1c9b3c66e9198f0a8dc640c53dd08af346cc63027
SHA256a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f
SHA512978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1
-
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exeFilesize
92.8MB
MD54b78ca0f2616ea2062401e4aab555433
SHA1c9b3c66e9198f0a8dc640c53dd08af346cc63027
SHA256a9e1b9bc84f9d7f1a9de4a81865dc9bb21a8ef3d1a799c19627dd203aae9585f
SHA512978f4f8f31e3480c30b2ffb4d1453c8bc3f2b4242b364eecba85c86a711c14b689378d35d80ed25f8ac2203f0c1da83f77252513f5c3e35a83d33c3e54af0fa1
-
C:\Users\Admin\AppData\Local\Temp\360_install_20221230015024_240651187\7z.dllFilesize
1.1MB
MD5e74067bfda81cd82fe3a5fc2fdb87e2b
SHA1de961204751d9af1bab9c2a9ba16edc7a4ae7388
SHA256898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e
SHA512c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a
-
C:\Users\Admin\AppData\Local\Temp\{5357B8C2-431E-46de-B7C8-5C7D078DCD0E}.tmp\360P2SP.dllFilesize
824KB
MD5fc1796add9491ee757e74e65cedd6ae7
SHA1603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA5128fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
memory/384-244-0x0000000000000000-mapping.dmp
-
memory/400-280-0x0000000000010000-0x000000000012E000-memory.dmpFilesize
1.1MB
-
memory/400-300-0x0000000000200000-0x000000000022B000-memory.dmpFilesize
172KB
-
memory/400-326-0x000000000D330000-0x000000000D342000-memory.dmpFilesize
72KB
-
memory/400-325-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/400-324-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/400-323-0x0000000000470000-0x0000000000498000-memory.dmpFilesize
160KB
-
memory/400-322-0x0000000000040000-0x0000000000053000-memory.dmpFilesize
76KB
-
memory/400-321-0x0000000000040000-0x0000000000053000-memory.dmpFilesize
76KB
-
memory/400-319-0x000000000D330000-0x000000000D347000-memory.dmpFilesize
92KB
-
memory/400-320-0x0000000000410000-0x00000000004FF000-memory.dmpFilesize
956KB
-
memory/400-317-0x0000000000470000-0x0000000000498000-memory.dmpFilesize
160KB
-
memory/400-316-0x0000000000410000-0x00000000004FF000-memory.dmpFilesize
956KB
-
memory/400-272-0x000000000D330000-0x000000000D397000-memory.dmpFilesize
412KB
-
memory/400-315-0x0000000000010000-0x000000000012E000-memory.dmpFilesize
1.1MB
-
memory/400-314-0x000000000D330000-0x000000000D352000-memory.dmpFilesize
136KB
-
memory/400-274-0x000000000D330000-0x000000000D33A000-memory.dmpFilesize
40KB
-
memory/400-313-0x000000000D330000-0x000000000D352000-memory.dmpFilesize
136KB
-
memory/400-312-0x000000000D330000-0x000000000D33D000-memory.dmpFilesize
52KB
-
memory/400-311-0x000000000D330000-0x000000000D33D000-memory.dmpFilesize
52KB
-
memory/400-310-0x000000000D330000-0x000000000D343000-memory.dmpFilesize
76KB
-
memory/400-309-0x000000000D330000-0x000000000D343000-memory.dmpFilesize
76KB
-
memory/400-308-0x000000000D330000-0x000000000D347000-memory.dmpFilesize
92KB
-
memory/400-307-0x0000000000010000-0x000000000012E000-memory.dmpFilesize
1.1MB
-
memory/400-306-0x000000000D330000-0x000000000D33A000-memory.dmpFilesize
40KB
-
memory/400-305-0x000000000D330000-0x000000000D397000-memory.dmpFilesize
412KB
-
memory/400-304-0x000000000D330000-0x000000000D397000-memory.dmpFilesize
412KB
-
memory/400-303-0x000000000D330000-0x000000000D37E000-memory.dmpFilesize
312KB
-
memory/400-302-0x000000000D330000-0x000000000D37E000-memory.dmpFilesize
312KB
-
memory/400-301-0x0000000000200000-0x000000000022B000-memory.dmpFilesize
172KB
-
memory/400-265-0x000000006BCC0000-0x000000006BD4E000-memory.dmpFilesize
568KB
-
memory/400-299-0x000000000D330000-0x000000000D33B000-memory.dmpFilesize
44KB
-
memory/400-297-0x000000000D330000-0x000000000D33B000-memory.dmpFilesize
44KB
-
memory/400-296-0x0000000000010000-0x0000000000028000-memory.dmpFilesize
96KB
-
memory/400-293-0x0000000000010000-0x000000000001E000-memory.dmpFilesize
56KB
-
memory/400-295-0x0000000000010000-0x0000000000028000-memory.dmpFilesize
96KB
-
memory/400-294-0x0000000000010000-0x000000000001E000-memory.dmpFilesize
56KB
-
memory/400-292-0x000000000D330000-0x000000000D342000-memory.dmpFilesize
72KB
-
memory/400-291-0x000000000D330000-0x000000000D342000-memory.dmpFilesize
72KB
-
memory/400-290-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/400-289-0x0000000000470000-0x000000000049A000-memory.dmpFilesize
168KB
-
memory/400-288-0x0000000000470000-0x0000000000498000-memory.dmpFilesize
160KB
-
memory/400-287-0x0000000000470000-0x0000000000498000-memory.dmpFilesize
160KB
-
memory/400-286-0x0000000000040000-0x0000000000053000-memory.dmpFilesize
76KB
-
memory/400-285-0x0000000000410000-0x00000000004FF000-memory.dmpFilesize
956KB
-
memory/400-284-0x000000000D330000-0x000000000D347000-memory.dmpFilesize
92KB
-
memory/400-283-0x0000000000410000-0x00000000004FF000-memory.dmpFilesize
956KB
-
memory/400-282-0x000000000D330000-0x000000000D347000-memory.dmpFilesize
92KB
-
memory/400-281-0x0000000000010000-0x000000000012E000-memory.dmpFilesize
1.1MB
-
memory/400-279-0x000000000D330000-0x000000000D352000-memory.dmpFilesize
136KB
-
memory/400-278-0x000000000D330000-0x000000000D33D000-memory.dmpFilesize
52KB
-
memory/400-254-0x000000006BCC0000-0x000000006BD4E000-memory.dmpFilesize
568KB
-
memory/400-277-0x000000000D330000-0x000000000D33D000-memory.dmpFilesize
52KB
-
memory/400-276-0x000000000D330000-0x000000000D343000-memory.dmpFilesize
76KB
-
memory/400-275-0x000000000D330000-0x000000000D343000-memory.dmpFilesize
76KB
-
memory/400-273-0x000000000D330000-0x000000000D397000-memory.dmpFilesize
412KB
-
memory/444-209-0x0000000000000000-mapping.dmp
-
memory/480-212-0x0000000000000000-mapping.dmp
-
memory/548-266-0x0000000000000000-mapping.dmp
-
memory/632-219-0x00000000049F0000-0x0000000004A00000-memory.dmpFilesize
64KB
-
memory/632-217-0x00000000049E0000-0x00000000049F0000-memory.dmpFilesize
64KB
-
memory/632-231-0x0000000004A00000-0x0000000004A10000-memory.dmpFilesize
64KB
-
memory/632-216-0x0000000000000000-mapping.dmp
-
memory/632-220-0x00000000049E0000-0x00000000049F0000-memory.dmpFilesize
64KB
-
memory/632-222-0x0000000004A00000-0x0000000004A10000-memory.dmpFilesize
64KB
-
memory/660-234-0x0000000000000000-mapping.dmp
-
memory/868-213-0x0000000000000000-mapping.dmp
-
memory/1256-224-0x0000000000000000-mapping.dmp
-
memory/1268-261-0x0000000000000000-mapping.dmp
-
memory/1344-179-0x0000000000000000-mapping.dmp
-
memory/1376-229-0x0000000000000000-mapping.dmp
-
memory/1448-250-0x0000000000000000-mapping.dmp
-
memory/1652-260-0x0000000000000000-mapping.dmp
-
memory/1656-223-0x0000000000000000-mapping.dmp
-
memory/1728-242-0x0000000000000000-mapping.dmp
-
memory/1752-233-0x0000000000000000-mapping.dmp
-
memory/1836-245-0x0000000000000000-mapping.dmp
-
memory/1900-227-0x0000000000000000-mapping.dmp
-
memory/1984-221-0x0000000000000000-mapping.dmp
-
memory/2188-211-0x0000000000000000-mapping.dmp
-
memory/2264-215-0x0000000000000000-mapping.dmp
-
memory/2380-247-0x0000000000000000-mapping.dmp
-
memory/2564-207-0x0000000000000000-mapping.dmp
-
memory/2588-208-0x0000000000000000-mapping.dmp
-
memory/2596-152-0x0000000000000000-mapping.dmp
-
memory/2740-246-0x0000000000000000-mapping.dmp
-
memory/3108-188-0x0000000000000000-mapping.dmp
-
memory/3136-248-0x0000000000000000-mapping.dmp
-
memory/3332-145-0x0000000000000000-mapping.dmp
-
memory/3356-226-0x0000000000000000-mapping.dmp
-
memory/3504-243-0x0000000000000000-mapping.dmp
-
memory/3504-185-0x0000000000000000-mapping.dmp
-
memory/3572-256-0x0000000000000000-mapping.dmp
-
memory/3608-249-0x0000000000000000-mapping.dmp
-
memory/3716-228-0x0000000000000000-mapping.dmp
-
memory/3844-257-0x0000000000000000-mapping.dmp
-
memory/3896-225-0x0000000000000000-mapping.dmp
-
memory/4024-251-0x000000006BCC0000-0x000000006BD4E000-memory.dmpFilesize
568KB
-
memory/4024-230-0x0000000000000000-mapping.dmp
-
memory/4024-264-0x000000006BCC0000-0x000000006BD4E000-memory.dmpFilesize
568KB
-
memory/4024-252-0x000000006BCC0000-0x000000006BD4E000-memory.dmpFilesize
568KB
-
memory/4056-133-0x0000000000000000-mapping.dmp
-
memory/4092-172-0x0000000000000000-mapping.dmp
-
memory/4296-232-0x0000000000000000-mapping.dmp
-
memory/4408-174-0x0000000000000000-mapping.dmp
-
memory/4480-270-0x0000000000400000-0x00000000030CA000-memory.dmpFilesize
44.8MB
-
memory/4480-267-0x0000000000000000-mapping.dmp
-
memory/4480-268-0x0000000000400000-0x00000000030CA000-memory.dmpFilesize
44.8MB
-
memory/4700-218-0x0000000000000000-mapping.dmp
-
memory/4720-169-0x0000000000000000-mapping.dmp
-
memory/4732-235-0x0000000000000000-mapping.dmp
-
memory/4732-153-0x0000000000000000-mapping.dmp
-
memory/4808-262-0x0000000000000000-mapping.dmp
-
memory/4928-214-0x0000000000000000-mapping.dmp
-
memory/4964-263-0x0000000000000000-mapping.dmp
-
memory/5028-210-0x0000000000000000-mapping.dmp
-
memory/5032-259-0x0000000000000000-mapping.dmp
-
memory/5040-255-0x0000000000000000-mapping.dmp
-
memory/5064-258-0x0000000000000000-mapping.dmp
-
memory/5108-137-0x0000000000000000-mapping.dmp
-
memory/5316-269-0x0000000000000000-mapping.dmp
-
memory/5412-271-0x0000000000000000-mapping.dmp
-
memory/5584-298-0x0000000000000000-mapping.dmp
-
memory/6004-318-0x0000000000000000-mapping.dmp
-
memory/6012-350-0x0000000000000000-mapping.dmp