009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79

Analysis

max time kernel
61s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2023, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe
Size

7.7MB
MD5

69371170e242cdd8300d15188874bc70
SHA1

815291554d7fd62bcf61d483bf5af7a606ee9940
SHA256

009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79
SHA512

893c766e73fec7d9a81ea3753b38563d5069f71c5f9351e248843b69d4f2ca66e00132f15f8b1e99a20155e3aa17f698889ae6f76e15a59918360d7a93fa533f
SSDEEP

196608:Igt/cJ5whGimYLCd4/zGkx77qeBlb2tokf6aAXXW:Igt/kGhGimmC4/QeBlb22kfJkXW

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1440	360DrvMgr.exe
4068	ComputerZService.exe
940	ScriptExecute.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ComputerZService.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	360DrvMgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe

Loads dropped DLL 14 IoCs

pid	Process
1440	360DrvMgr.exe
1440	360DrvMgr.exe
1440	360DrvMgr.exe
1440	360DrvMgr.exe
1440	360DrvMgr.exe
1440	360DrvMgr.exe
1440	360DrvMgr.exe
4068	ComputerZService.exe
1440	360DrvMgr.exe
4068	ComputerZService.exe
1440	360DrvMgr.exe
940	ScriptExecute.exe
4068	ComputerZService.exe
4068	ComputerZService.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ComputerZService.exe
File opened (read-only)	\??\N:	ComputerZService.exe
File opened (read-only)	\??\Q:	ComputerZService.exe
File opened (read-only)	\??\S:	ComputerZService.exe
File opened (read-only)	\??\U:	ComputerZService.exe
File opened (read-only)	\??\A:	ComputerZService.exe
File opened (read-only)	\??\F:	ComputerZService.exe
File opened (read-only)	\??\L:	ComputerZService.exe
File opened (read-only)	\??\M:	ComputerZService.exe
File opened (read-only)	\??\P:	ComputerZService.exe
File opened (read-only)	\??\R:	ComputerZService.exe
File opened (read-only)	\??\Y:	ComputerZService.exe
File opened (read-only)	\??\B:	ComputerZService.exe
File opened (read-only)	\??\H:	ComputerZService.exe
File opened (read-only)	\??\O:	ComputerZService.exe
File opened (read-only)	\??\V:	ComputerZService.exe
File opened (read-only)	\??\X:	ComputerZService.exe
File opened (read-only)	\??\G:	ComputerZService.exe
File opened (read-only)	\??\I:	ComputerZService.exe
File opened (read-only)	\??\J:	ComputerZService.exe
File opened (read-only)	\??\K:	ComputerZService.exe
File opened (read-only)	\??\T:	ComputerZService.exe
File opened (read-only)	\??\W:	ComputerZService.exe
File opened (read-only)	\??\Z:	ComputerZService.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360DrvMgr.exe
File opened for modification	\??\PhysicalDrive0	ComputerZService.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_fe5b23ea7991a359\hdaudio.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	ComputerZService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	ComputerZService.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	ComputerZService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	1440	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ComputerZService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ComputerZService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ComputerZService.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1496	tasklist.exe
1436	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	ComputerZService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	ComputerZService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	ComputerZService.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3724	taskkill.exe
4756	taskkill.exe
1668	taskkill.exe
3728	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	360DrvMgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\360DrvMgr.exe = "8000"	360DrvMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE	360DrvMgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE\360DrvMgr.exe = "8000"	360DrvMgr.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4068	ComputerZService.exe
Token: SeIncBasePriorityPrivilege	4068	ComputerZService.exe
Token: SeAssignPrimaryTokenPrivilege	940	ScriptExecute.exe
Token: SeIncreaseQuotaPrivilege	940	ScriptExecute.exe
Token: SeDebugPrivilege	940	ScriptExecute.exe
Token: SeSecurityPrivilege	940	ScriptExecute.exe
Token: SeLoadDriverPrivilege	940	ScriptExecute.exe
Token: SeShutdownPrivilege	940	ScriptExecute.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	1436	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1440	360DrvMgr.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1440	360DrvMgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1440	360DrvMgr.exe
1440	360DrvMgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4780	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	82
PID 4916 wrote to memory of 4780	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	82
PID 4916 wrote to memory of 4780	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	82
PID 4780 wrote to memory of 1440	4780	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	83
PID 4780 wrote to memory of 1440	4780	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	83
PID 4780 wrote to memory of 1440	4780	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	83
PID 1440 wrote to memory of 4068	1440	360DrvMgr.exe	87
PID 1440 wrote to memory of 4068	1440	360DrvMgr.exe	87
PID 1440 wrote to memory of 4068	1440	360DrvMgr.exe	87
PID 1440 wrote to memory of 940	1440	360DrvMgr.exe	94
PID 1440 wrote to memory of 940	1440	360DrvMgr.exe	94
PID 1440 wrote to memory of 940	1440	360DrvMgr.exe	94
PID 4916 wrote to memory of 3336	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	97
PID 4916 wrote to memory of 3336	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	97
PID 3336 wrote to memory of 1496	3336	cmd.exe	99
PID 3336 wrote to memory of 1496	3336	cmd.exe	99
PID 3336 wrote to memory of 1860	3336	cmd.exe	100
PID 3336 wrote to memory of 1860	3336	cmd.exe	100
PID 3336 wrote to memory of 1668	3336	cmd.exe	101
PID 3336 wrote to memory of 1668	3336	cmd.exe	101
PID 3336 wrote to memory of 3728	3336	cmd.exe	102
PID 3336 wrote to memory of 3728	3336	cmd.exe	102
PID 3336 wrote to memory of 3724	3336	cmd.exe	103
PID 3336 wrote to memory of 3724	3336	cmd.exe	103
PID 3336 wrote to memory of 4756	3336	cmd.exe	104
PID 3336 wrote to memory of 4756	3336	cmd.exe	104
PID 3336 wrote to memory of 3236	3336	cmd.exe	105
PID 3336 wrote to memory of 3236	3336	cmd.exe	105
PID 3336 wrote to memory of 3412	3336	cmd.exe	106
PID 3336 wrote to memory of 3412	3336	cmd.exe	106
PID 3336 wrote to memory of 660	3336	cmd.exe	107
PID 3336 wrote to memory of 660	3336	cmd.exe	107
PID 3336 wrote to memory of 1692	3336	cmd.exe	108
PID 3336 wrote to memory of 1692	3336	cmd.exe	108
PID 3336 wrote to memory of 4892	3336	cmd.exe	109
PID 3336 wrote to memory of 4892	3336	cmd.exe	109
PID 3336 wrote to memory of 408	3336	cmd.exe	110
PID 3336 wrote to memory of 408	3336	cmd.exe	110
PID 3336 wrote to memory of 1544	3336	cmd.exe	111
PID 3336 wrote to memory of 1544	3336	cmd.exe	111
PID 3336 wrote to memory of 4184	3336	cmd.exe	112
PID 3336 wrote to memory of 4184	3336	cmd.exe	112
PID 3336 wrote to memory of 4540	3336	cmd.exe	113
PID 3336 wrote to memory of 4540	3336	cmd.exe	113
PID 3336 wrote to memory of 4868	3336	cmd.exe	114
PID 3336 wrote to memory of 4868	3336	cmd.exe	114
PID 3336 wrote to memory of 4964	3336	cmd.exe	115
PID 3336 wrote to memory of 4964	3336	cmd.exe	115
PID 3336 wrote to memory of 1272	3336	cmd.exe	116
PID 3336 wrote to memory of 1272	3336	cmd.exe	116
PID 3336 wrote to memory of 2720	3336	cmd.exe	117
PID 3336 wrote to memory of 2720	3336	cmd.exe	117
PID 3336 wrote to memory of 4236	3336	cmd.exe	118
PID 3336 wrote to memory of 4236	3336	cmd.exe	118
PID 3336 wrote to memory of 2288	3336	cmd.exe	119
PID 3336 wrote to memory of 2288	3336	cmd.exe	119
PID 3336 wrote to memory of 3364	3336	cmd.exe	120
PID 3336 wrote to memory of 3364	3336	cmd.exe	120
PID 4916 wrote to memory of 4620	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	121
PID 4916 wrote to memory of 4620	4916	009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe	121
PID 4620 wrote to memory of 1436	4620	cmd.exe	123
PID 4620 wrote to memory of 1436	4620	cmd.exe	123
PID 4620 wrote to memory of 1644	4620	cmd.exe	124
PID 4620 wrote to memory of 1644	4620	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe
"C:\Users\Admin\AppData\Local\Temp\009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe
  "C:\Users\Admin\AppData\Local\Temp\009f29f9c9176d147f5bc68bae34d774d4111c5a842f95c4a543def4af075f79.exe" -sfxwaitall:0 "C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360DrvMgr.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360DrvMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360DrvMgr.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZService.exe
      "C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZService.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Loads dropped DLL
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 2940
      4⤵
      Program crash
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ScriptExecute.exe
      "C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ScriptExecute.exe" /tip
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist | find /i "360DrvMgr.exe" || @pushd "C:\Users\Admin\AppData\Local\Temp\360DrvMgr" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\360DrvMgr\!)清除残留.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\system32\find.exe
    find /i "360DrvMgr.exe"
    3⤵
    PID:1860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DrvInst64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im 360DrvMgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ScriptExecute.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ComputerZService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\360DrvMgr" /f
    3⤵
    PID:3236
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\LiveUpdate360" /f
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\KitTipCLSID" /f
    3⤵
    PID:660
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\360DrvMgr" /f
    3⤵
    PID:1692
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\360Safe\Liveup" /f
    3⤵
    PID:4892
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\LiveUpdate360" /f
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\360DrvMgr" /f
    3⤵
    PID:1544
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\360Safe\Liveup" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\WOW6432Node\LiveUpdate360" /f
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Tracing\360DrvMgr_RASAPI32" /f
    3⤵
    PID:4868
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Tracing\360DrvMgrInstaller_beta_RASAPI32" /f
    3⤵
    PID:4964
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\360DrvMgr_RASAPI32" /f
    3⤵
    PID:1272
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\360DrvMgrInstaller_beta_RASAPI32" /f
    3⤵
    PID:2720
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360DrvMgr" /f
    3⤵
    PID:4236
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360DrvMgr.exe" /f
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360DrvMgr" /f
    3⤵
    PID:3364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist | find /i "360DrvMgr.exe" || rd/s/q "C:\Users\Admin\AppData\Local\Temp\360DrvMgr"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\system32\find.exe
    find /i "360DrvMgr.exe"
    3⤵
    PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1440 -ip 1440
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360DrvMgr\!)清除残留.bat

Filesize
1KB

MD5
3c113eb77eba88a6df3eee2b53397b0a

SHA1
b27290066286f44255c6d2a161d6ded70a2c6409

SHA256
fb1e659f76cc635338f8423a34b7c9cef10d0cf90ebcdb33ce6695b44cfc1945

SHA512
791748d5d7e7ac9fc9701c883b0a6e1366cd6a789eb6d20fc7d68c37e1861774d9f85b1f7e442ca70e89f1dcc543510113604d55d5fc08918c4dc6aa086470fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\187E~1.TXT

Filesize
1KB

MD5
354ddc4dfb1c036b3203b81370f955ff

SHA1
0c72ab046cd00d65781d721939d255f150c99e44

SHA256
5e1b3400ea5ab6705a2be28674011d09d0bd09bd02a8279d358bcd4e5942b743

SHA512
5e347fb37f915000683d97da682c20a7cf3dd32e6323765e0a7f552957ef12cfe51904d8467b1a7472537970a810b8a92c484304100d6bfde911d43a737a5d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\33D9~1.URL

Filesize
177B

MD5
2b63733fd005c661b16749485cc65f69

SHA1
7acaa1cf379ce82962f8191f1b5d58eab687cb08

SHA256
d2f570a8bb1cf05eb0061c6d154de147bc15be00e8a18894367f57f01174dcf7

SHA512
ffa77c782449934d18a83feae118346cb064f8f012a8ab4f72cf1de89f3fe1e44de81b34fdbe49289e89f1413cbaa9474c4c1c439cdc7162389f10adb5de93d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360Base.dll

Filesize
900KB

MD5
a73cf0457df35fab74ef3393d2766667

SHA1
c123e15967e7ab980eba5431a6993e646500befd

SHA256
df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd

SHA512
faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360Base.dll

Filesize
900KB

MD5
a73cf0457df35fab74ef3393d2766667

SHA1
c123e15967e7ab980eba5431a6993e646500befd

SHA256
df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd

SHA512
faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360Base.dll

Filesize
900KB

MD5
a73cf0457df35fab74ef3393d2766667

SHA1
c123e15967e7ab980eba5431a6993e646500befd

SHA256
df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd

SHA512
faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360Base.dll

Filesize
900KB

MD5
a73cf0457df35fab74ef3393d2766667

SHA1
c123e15967e7ab980eba5431a6993e646500befd

SHA256
df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd

SHA512
faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360DrvMgr.exe

Filesize
936KB

MD5
7fbe462539396d0c2116de7dfddb77a0

SHA1
4345b5f2ccd7ce000e97fb11789b9db924fe944c

SHA256
715aceabd30e55f27f84c96191539ffc29bd79a7e331c8777d65651f7ad1f998

SHA512
c5e82ce4031daf32ca6ac7af8d344bb426e8fa1efedd499d663a03403d6a3b198f55c7463161377742aa3f309e4a6e588d06152b9187d93e859f7b331ff82a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360DrvMgr.exe

Filesize
936KB

MD5
7fbe462539396d0c2116de7dfddb77a0

SHA1
4345b5f2ccd7ce000e97fb11789b9db924fe944c

SHA256
715aceabd30e55f27f84c96191539ffc29bd79a7e331c8777d65651f7ad1f998

SHA512
c5e82ce4031daf32ca6ac7af8d344bb426e8fa1efedd499d663a03403d6a3b198f55c7463161377742aa3f309e4a6e588d06152b9187d93e859f7b331ff82a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360LibDrvmgr.dat

Filesize
3KB

MD5
1c3d60acea6aeba17f4dd558941c5ea4

SHA1
bf662ae55e67861cf0c170eebe13970f7c2975f6

SHA256
55c4435d43e3c4fde1419a0f2a9140d6e5cf3baba6f55c6a5795d0e1dc559687

SHA512
cdddb2f4ada18d743404f3a68079f4f041044159cb4b9db251241873215dcaca2f3cad8d56876ccb3050f7527fee9a6a1570a5e78428b819f5958bc85addccef

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360NetBase.dll

Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360NetBase.dll

Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360NetUL.dll

Filesize
241KB

MD5
240e9b9b2b3f2a134070b7d5084278d3

SHA1
a39ce3213f364ec8435833afa36619e6d6fd24b0

SHA256
003e2f8225ae4bfe3487dea759c6e44176fb96ff89fb162904c7c923e9c78720

SHA512
2cdd9cd946b4a6df110f22197290090c1b4b734c9b9120e6403866342b17c50cd8a71d566ff0f284a03b5202af9f06248de71da1314486dbed58a64225cf5745

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360P2SP.dll

Filesize
689KB

MD5
75ae5114927b0200ea73e016211ae572

SHA1
15ae658c082afcab51ade61b8ed6699a978b5e05

SHA256
8e38aeb187edd59329007fe10d2b509e5566256e993a127902d57bac66b17346

SHA512
ae65e304fc669b98c5d137c4e7cba591e075b9d1b588af1d7eea2458776c29b2a2ccd06ea37aeb89d0cd0ebcb155aec7a6a0a842da4ac36f9b512049967e59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\360net.dll

Filesize
477KB

MD5
2bca9e782840c8214dbc3ef6ee64404c

SHA1
9144db795c7b092ac55a5b59c0eb569e3432cfec

SHA256
1320ce2bf517978d3c65cf9cb8390318f3ea1896ef10a66b53a1832792341c62

SHA512
87188cdd4d581c9b20bb36451f0376837bfe5489b685dc28a902af441f0681ff89922138d1a160f4d926189b2ae491a7fb7158c60596116f9f09e6c9516d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\419E~1.URL

Filesize
177B

MD5
2b63733fd005c661b16749485cc65f69

SHA1
7acaa1cf379ce82962f8191f1b5d58eab687cb08

SHA256
d2f570a8bb1cf05eb0061c6d154de147bc15be00e8a18894367f57f01174dcf7

SHA512
ffa77c782449934d18a83feae118346cb064f8f012a8ab4f72cf1de89f3fe1e44de81b34fdbe49289e89f1413cbaa9474c4c1c439cdc7162389f10adb5de93d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\7za.dll

Filesize
777KB

MD5
34f4329522a2b16d1bc9ad4ab58d9fc1

SHA1
04ec3c21a59a15a85b29bead3733f0ceccce8680

SHA256
fc07200668d45a640bbd5f6997851e31a20941fcb661f8e09469899becebdf8a

SHA512
ab8efc3dee9319401634dc3d8e6fe8282dc14a6058cf923af2d69656e58ed3724cfd5d466801fcf0bf53510f5b3197986972240693e4b1bbdcc9ae562ae0eb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\811B~1.TXT

Filesize
2KB

MD5
8aa22fb31f89b0eb043fa533eae40eac

SHA1
dd8ec77ea4546fb7e1e327bd8f94e58bb5fc2c37

SHA256
99954c34ee32cfd9433e31f0b0f1757336c95e9f46d7ed28e91fa94831d3a6c5

SHA512
385b56d8108ef34c9ecdded1c400aeec532faa968d40fd01a900f8f97c0047cb637c8526a117833bf8d99825bde003932ddfd488c3e627debac2493046162c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\COMPUT~1.DAT

Filesize
3.9MB

MD5
1bd204d7c5d14c607680557f37b04b90

SHA1
fbe84572551508f780b243e3c5419fbab9e14625

SHA256
ab9b0a2f098624faf35211ce1759f8815fa4c0989b15a5d4028f4a356bc4308f

SHA512
3dfd90d8d303bfb5f76f297a7af487e522267d05a3f78b45c67cecefaf5704ff87b37f9faae5f97c5638afe211c70d2a70ba4d5a0402593f23d78238548b6350

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\COMPUT~1.DLL

Filesize
1.1MB

MD5
6dbf812d5b61f30a21ddccaec30b4452

SHA1
4778e2d043ac593193e5e15056bb98bba564c246

SHA256
197c529acff08fbc13b11010d95c270e50ddd867f783cfec598c5f831f847033

SHA512
7b9506902c1d0a6b8b74e068be87a7d4fec8a96b3d1b05d06d533d4ef995abc7e2ce24a8d37e38b19b62ad5b316e10831c220df44360a15a6b89e18767bea699

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\COMPUT~1.SET

Filesize
65B

MD5
2d190642e5162c95e649f0032cf66dae

SHA1
262f8e1e5fff6784f31eb1a33b72e91405595297

SHA256
54a58179f47494502dd6750e2dba0008fd08958f5945346bbd8af818f52a6b3b

SHA512
6e5aa767f214c86bd1f7216ef4203931019efb7f11900d755bd409329576e4a4d6bf458b62676feab7093c9734a486e759af012a1a4bd0d1d0b246b1f10f88d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ2.dll

Filesize
229KB

MD5
a75f38215a115f9260b58cdd935d7d81

SHA1
dbb7d9d7e69cd5f2f4cda49bebc0fd922316a866

SHA256
102459b35d0b36f915b2cafc2e083d95f4e042815c732a2520dfb646efae4cd1

SHA512
3eeacb82ed9e61d9dc8fec13c2f87fd07b90a5052dd1a3482ee4cdb5122db77587078e7966bf72d73b776973bac09f53f37081f4af0828f1a914c0cd31d03ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ2.dll

Filesize
229KB

MD5
a75f38215a115f9260b58cdd935d7d81

SHA1
dbb7d9d7e69cd5f2f4cda49bebc0fd922316a866

SHA256
102459b35d0b36f915b2cafc2e083d95f4e042815c732a2520dfb646efae4cd1

SHA512
3eeacb82ed9e61d9dc8fec13c2f87fd07b90a5052dd1a3482ee4cdb5122db77587078e7966bf72d73b776973bac09f53f37081f4af0828f1a914c0cd31d03ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ5.dll

Filesize
197KB

MD5
d8308aa7cc08c3a56c9187029db56702

SHA1
f8a1b97e321660d814d4d01f03911f6da0caed9d

SHA256
850bb1419ab0c93d524284a6c9c15db69a1e5328e9f84f06bb27ba5efb8a65b8

SHA512
0a6c757b3e5cfaf2de92e4f402dc97306a551244501d97a099ac2a586c7501f087fe7c82c8a81e95b4fea851a0690733c116345360b5dbeb343966fdbda08baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ5.dll

Filesize
197KB

MD5
d8308aa7cc08c3a56c9187029db56702

SHA1
f8a1b97e321660d814d4d01f03911f6da0caed9d

SHA256
850bb1419ab0c93d524284a6c9c15db69a1e5328e9f84f06bb27ba5efb8a65b8

SHA512
0a6c757b3e5cfaf2de92e4f402dc97306a551244501d97a099ac2a586c7501f087fe7c82c8a81e95b4fea851a0690733c116345360b5dbeb343966fdbda08baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZService.exe

Filesize
1.1MB

MD5
66bed313b2a1d83113ced5c4297c0abc

SHA1
bfc0ca5ca11b5e9e0a84c5a25fb3fb7bfc8cc5eb

SHA256
b6ce0f204ed6f92ed8949c12cff5ac63f003adcbeb6e744ab81f7ac10d18e23f

SHA512
8ad3abfd830e4d500be988bc0c771cb7537fbfcdae15dbe44b82cdeabbbeef6b523ae3c0038c0026c7937289ba9bc526ecbe640cc1757a1552d4f3555a3746d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZService.exe

Filesize
1.1MB

MD5
66bed313b2a1d83113ced5c4297c0abc

SHA1
bfc0ca5ca11b5e9e0a84c5a25fb3fb7bfc8cc5eb

SHA256
b6ce0f204ed6f92ed8949c12cff5ac63f003adcbeb6e744ab81f7ac10d18e23f

SHA512
8ad3abfd830e4d500be988bc0c771cb7537fbfcdae15dbe44b82cdeabbbeef6b523ae3c0038c0026c7937289ba9bc526ecbe640cc1757a1552d4f3555a3746d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ_HardwareDll.dll

Filesize
8.5MB

MD5
2bcee702e76853c61a3621e410521a20

SHA1
824a186e0f1d77692b416877c18d867885dc2dca

SHA256
14f5ffec3b83ed5831f7cd046552b9b224a6ec2613643f85c8cebfdf72df80d5

SHA512
f20fec854d0399d57e58b2056063be9414a0714c8938e914fbbab6cd1fc2eac09fb3919359eaee83284b60923f38252c417ce430c081dbf4bcfbf2c176fa20e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ComputerZ_HardwareDll.dll

Filesize
8.5MB

MD5
2bcee702e76853c61a3621e410521a20

SHA1
824a186e0f1d77692b416877c18d867885dc2dca

SHA256
14f5ffec3b83ed5831f7cd046552b9b224a6ec2613643f85c8cebfdf72df80d5

SHA512
f20fec854d0399d57e58b2056063be9414a0714c8938e914fbbab6cd1fc2eac09fb3919359eaee83284b60923f38252c417ce430c081dbf4bcfbf2c176fa20e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\D58E~1.URL

Filesize
177B

MD5
2b63733fd005c661b16749485cc65f69

SHA1
7acaa1cf379ce82962f8191f1b5d58eab687cb08

SHA256
d2f570a8bb1cf05eb0061c6d154de147bc15be00e8a18894367f57f01174dcf7

SHA512
ffa77c782449934d18a83feae118346cb064f8f012a8ab4f72cf1de89f3fe1e44de81b34fdbe49289e89f1413cbaa9474c4c1c439cdc7162389f10adb5de93d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DIFXAP~1.DLL

Filesize
311KB

MD5
1bd976dd77b31fe0f25708ad5c1351ae

SHA1
50d075688835df04484f0b93792a530cb47a1872

SHA256
b3c28941ceb057de44d9c322a38bb0f63c62d7ffbd91cf7970964413978f8eb7

SHA512
d58c2be88941c15214c51c59923437863a94db7b8080ead69017f7cce19d256dbe4d1d8498762476c75c26773dfba1aaff3bed615589ebf4b39df78df1b50b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DRVINS~1.EXE

Filesize
190KB

MD5
88b760633dda4594397b2f8b88d48183

SHA1
6b86e7419c64d20b66ccfcebadd7d9781bf62b34

SHA256
59624413da628923f722f24b407b18fccc9a8c7652042cf7d9d0f0b337d11148

SHA512
5071431448a5b95dddd55a01bd1ca2c3d97a6e5a7337203c51b877f804e61f46fc7e2970fef488c6a94ec045313e2a317a14c66627b0927ae1830cc13725d340

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DataMgr.dll

Filesize
664KB

MD5
af1cc0d945bceb82863195d11ad9827e

SHA1
215884e6188ebf94b73bffbff7e040e376954874

SHA256
18d8c74199c73a226436b3cbde6ce232b8aa30dabdc0dbb64e9dc52c18fa0a05

SHA512
39f1e822ea1b0f1ac292533df058977ece4386b7636256a4158f65c9f1e6ad05cc1c91f0edb19af03fe9b757661348256b667d285243db55404c42ea3e3d3daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DataMgr.dll

Filesize
664KB

MD5
af1cc0d945bceb82863195d11ad9827e

SHA1
215884e6188ebf94b73bffbff7e040e376954874

SHA256
18d8c74199c73a226436b3cbde6ce232b8aa30dabdc0dbb64e9dc52c18fa0a05

SHA512
39f1e822ea1b0f1ac292533df058977ece4386b7636256a4158f65c9f1e6ad05cc1c91f0edb19af03fe9b757661348256b667d285243db55404c42ea3e3d3daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DownloadMgr.dll

Filesize
429KB

MD5
31ae966d5496d5267a91b99e0601bcdd

SHA1
299b4cfd2c83f9e068e7370aa09f3f82f8ff44bf

SHA256
1cbb9d60d6e9ade674316d8405ce6f1a014ff5a650a8cf239034ac098cca947d

SHA512
62ceb4421318a212ac1be97fdc550c140575df4dc9ab3416d13ae2bb0adc082b520e63dca784c0b16746f1ff6a3b420f2bc63bf12e0b3e21273401d72c5755ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DownloadMgr.dll

Filesize
429KB

MD5
31ae966d5496d5267a91b99e0601bcdd

SHA1
299b4cfd2c83f9e068e7370aa09f3f82f8ff44bf

SHA256
1cbb9d60d6e9ade674316d8405ce6f1a014ff5a650a8cf239034ac098cca947d

SHA512
62ceb4421318a212ac1be97fdc550c140575df4dc9ab3416d13ae2bb0adc082b520e63dca784c0b16746f1ff6a3b420f2bc63bf12e0b3e21273401d72c5755ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DrvMgrUI.dll

Filesize
2.8MB

MD5
cec52d056c97f3b262e9a47f67ff1120

SHA1
a7571da8dede1a42e628f8dae94ea098732f3b96

SHA256
6257dff3facfa9e1b06f1238e3b0af0386ea1b4cfa74f9b0fc2adc19b443a71a

SHA512
a1a2be9da37a54d14f44ec49d0acc59b7aae1e778e90577300f370fdaaba5c34293e5cb7b6ea6c81de23e5f333cfebc1052686fc16fbdf0185358385e47de2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DrvMgrUI.dll

Filesize
2.8MB

MD5
cec52d056c97f3b262e9a47f67ff1120

SHA1
a7571da8dede1a42e628f8dae94ea098732f3b96

SHA256
6257dff3facfa9e1b06f1238e3b0af0386ea1b4cfa74f9b0fc2adc19b443a71a

SHA512
a1a2be9da37a54d14f44ec49d0acc59b7aae1e778e90577300f370fdaaba5c34293e5cb7b6ea6c81de23e5f333cfebc1052686fc16fbdf0185358385e47de2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DrvmgrCore.dll

Filesize
1.2MB

MD5
9fa77c11b0866a3b5db1fd69cb39fa32

SHA1
27d14222a09672fb98872f4caaba53cce033acf8

SHA256
cbe0f6818b404d1b2fc95b2aa8935aea0fd8ecd7c6a6fe69aaa3bdac2c9d2764

SHA512
73232f38d8f208ab696f1043104ea132946bdb96a05259ca4aeaced55ff1b46dd49775bc94678b74fec704b7c35cdd1d90811228de54b6ae6867234aa5745fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\DrvmgrCore.dll

Filesize
1.2MB

MD5
9fa77c11b0866a3b5db1fd69cb39fa32

SHA1
27d14222a09672fb98872f4caaba53cce033acf8

SHA256
cbe0f6818b404d1b2fc95b2aa8935aea0fd8ecd7c6a6fe69aaa3bdac2c9d2764

SHA512
73232f38d8f208ab696f1043104ea132946bdb96a05259ca4aeaced55ff1b46dd49775bc94678b74fec704b7c35cdd1d90811228de54b6ae6867234aa5745fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\LIVEUP~1.DLL

Filesize
593KB

MD5
e2ab61cd7dd7c8443719460140737b09

SHA1
d07424aaf894aa68bab5c7cc829e54f69f466338

SHA256
0439f9f3a68e14ee28c718ac334f9318f97858ab5430e4fa2e82eb355ed446d6

SHA512
c608aa5fd10849f5efcc74ffb02bfc59c1cd943154b30f2e2174e30543708f3b92d020d39ae36b9dd2e90c2171863b5a610ab18248d430c974853fe0a810df60

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\MiniUI.dll

Filesize
901KB

MD5
043365f793b1672fc80aaebde3b22929

SHA1
be526a544e7af66b573b29ee7100374e9deb9a1f

SHA256
2bf36c7813e8410e2ef442158e4089f5c5fa512684848f421cd4b08f1eca1d23

SHA512
efb94e1447842254992f67ad2bcc8ebd1862894019e612d680a3b69a4ec9aaef787bddd155775842baf225b9dea05feaef37db26808fc8516851f995a0b62530

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\MiniUI.dll

Filesize
901KB

MD5
043365f793b1672fc80aaebde3b22929

SHA1
be526a544e7af66b573b29ee7100374e9deb9a1f

SHA256
2bf36c7813e8410e2ef442158e4089f5c5fa512684848f421cd4b08f1eca1d23

SHA512
efb94e1447842254992f67ad2bcc8ebd1862894019e612d680a3b69a4ec9aaef787bddd155775842baf225b9dea05feaef37db26808fc8516851f995a0b62530

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\PDown.dll

Filesize
230KB

MD5
48a849ff04150b2ec0836ab6bb32590a

SHA1
1f52bbcd5d124de15c27cf5ea84e14cb9a87f6a3

SHA256
ded09df700ef458322b6160edd39adb103c03cef3c6ffbce2ee096ce1fd33d62

SHA512
b0b23e540102b16c4ed9ac05f1ac353bf0d19e0c2b0880cec1fa2e9292030e1c5a75694176ac428c7de55588cf503ab36643d2db8c1fec3543daf3aeeb53a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\SIGNHE~1.DLL

Filesize
139KB

MD5
a60df7bdf1ab9583e8bf7b38f2eca0a3

SHA1
528064b42f0470e785e896df67b41c6335f176a6

SHA256
4c20f1868b4ee71cca4d399b947f7942460a4074f2942ba90f382c2476b96978

SHA512
7fd219bf83e63dae70dfc79ad1978cefa4a9aec27b69f6e7f0b6e26678c988f8e4dda88f8d000cc20a1b0fdcdd69c24c56eab9a70c242630e902fe1b2d47eea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ScriptExecute.exe

Filesize
526KB

MD5
e34bbcc2547c4e0c282e1bd01b7eb4a8

SHA1
d1995dd3f0bec2aa5e24e017a3583c3d49e1e344

SHA256
5a508c39f2c338a7c4a169888d1e529820d03d888b2be1178af2af81bdc66f0a

SHA512
eb5c1596cdfc4515cfcb6c1bb0747140304d8f5ffdcfc9e63db59260c0ab1b274731752891e1afd0df07b4a575b939872bd7646f6b440d885cd679dceec840c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\ScriptExecute.exe

Filesize
526KB

MD5
e34bbcc2547c4e0c282e1bd01b7eb4a8

SHA1
d1995dd3f0bec2aa5e24e017a3583c3d49e1e344

SHA256
5a508c39f2c338a7c4a169888d1e529820d03d888b2be1178af2af81bdc66f0a

SHA512
eb5c1596cdfc4515cfcb6c1bb0747140304d8f5ffdcfc9e63db59260c0ab1b274731752891e1afd0df07b4a575b939872bd7646f6b440d885cd679dceec840c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\TempMonitor.dll

Filesize
132KB

MD5
4e32b5b701c10243c46b1e8baa17610a

SHA1
fb8213eadf6b4d70cc5776822f9ee9547d872fb1

SHA256
35efe16118f2f244aab32cb3405051cd7d3d491aaf31fe76d73768f18584d0b6

SHA512
94a047ca5df3b6a0356cd7e9305ee3260402ae56c71e66874a5e51b419f052aeb6e7ff5e4f058fb56e08dad44f8f45bb44558922f813e9f1fae9417fc0d18f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\TempMonitor.dll

Filesize
132KB

MD5
4e32b5b701c10243c46b1e8baa17610a

SHA1
fb8213eadf6b4d70cc5776822f9ee9547d872fb1

SHA256
35efe16118f2f244aab32cb3405051cd7d3d491aaf31fe76d73768f18584d0b6

SHA512
94a047ca5df3b6a0356cd7e9305ee3260402ae56c71e66874a5e51b419f052aeb6e7ff5e4f058fb56e08dad44f8f45bb44558922f813e9f1fae9417fc0d18f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\atiags32.dll

Filesize
196KB

MD5
a1f7d080d2a00a9ddca9a469c29663c0

SHA1
9fa6b676b9509eead040415ca13a097118ae2175

SHA256
81b7e8a1c0073f6b7c4188216a94e5ab6420844e1acb122d93fab4c6bc14eebe

SHA512
eef12054ace42f07b05b371aa51164bbbfd65120b111e375eaec30537c232ae85022dd1bf424ed94a8d97eb216919cc5857e332029778b93faa8064555e4e07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\cacert.dat

Filesize
2KB

MD5
e10c92a310813373102fe1b5ac4ca476

SHA1
60bd6efd052102371df2586fa1e38d273381c11a

SHA256
2f8436d3568fa6bba1bebf367db6f50e1a0c4e0c38544a268eb5e01b30191776

SHA512
adc230eca39e7e92cc8628f8a9f0010f96d988d24dc02524a5c6a3d7faffae407ae646cb21433a4a78497b95eb9c1324558885ab365ea5c3825c41a279ea97f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\config\config.xml

Filesize
978B

MD5
583e167ba709fec11044409c6b09d04f

SHA1
27b363d8b5dee2df351a5d41e6f14b6156db190f

SHA256
ea5f4faf853767718beef85023fcd9e13cca2127ebb3c17331903779db2916a0

SHA512
bebb16e99340d9264b7ae4cfd1562243a8cef688d3585968046c68020f19de587668485017f74368c20b686f5543bb319cc02665a3cdbb890eb47ffa4ce2a20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\config\defaultskin\defaultskin.ui

Filesize
156KB

MD5
0cc06e728803d0cdeedda92e04313e6c

SHA1
62e897041bdbf18ca65f6c452abcb557e17c0ded

SHA256
3fb6414e92be15821c674a6e72295e75747e9734c827ac14e85479d4720f2b33

SHA512
72afb68bf2078e459cf2e37481c61ff172dd224f5b089bf9903b0c55660aecfdcb98622c0b04fe88edae0e2e25c0eb640cffafc7343bbe5d67ef137397678936

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\config\defaultskin\miniui.xml

Filesize
8KB

MD5
1c7fad425e4dc4787174876b6725c5de

SHA1
6bf7f9afb666636bea1cef7eca6ebc32f4b344a2

SHA256
ee451d9f3d84226bcd456f193e1e79ebfbd1f24b961b25770c40df93ee7ca494

SHA512
ab02ca7851e6a859244edea31b3cf931a14937ec9ad2274c49a1aedb5a258360f653d7d5e76b9c6166633c4c284db9be277ae584d89641a99da3c77564f8b57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\dynlenv.dll

Filesize
548KB

MD5
61bda655c88ce843905ce63a2d5669e4

SHA1
532304d12d6e1a740e01cf03b3439301d2c6c85d

SHA256
fa7daa6a0e13f9112de63313caf4d06081aee0c7e79b5937cff0519bb4c0bbd4

SHA512
ad9c4f862747ff55ac506ea8b9d4a84a7d0c15d9cb8e9c987722141b9c33957d6aed44b59f0d85a068431ec2b85061b6c27d38011b8dca1675905aaaf6e37bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\log\COMPUT~1.LOG

Filesize
76KB

MD5
f632be98325400eaeea0cc9cb0479006

SHA1
a6151050991c5e6d68103fb9ea65c114e83e2acf

SHA256
b029aa88659511edcbb39eb6cbd7f36ff82ea5e0e521b4184ead0d9f1cd7acdf

SHA512
7076194371013ff7e9b26954c40fdefdba9114b69e1db962f293ffb205681f80f9431a1ad3d2f27d033e0f34b44ad0a6c72e8ae2cc596b25988e9e65b293ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\360DrvMgr\pdown.dll

Filesize
230KB

MD5
48a849ff04150b2ec0836ab6bb32590a

SHA1
1f52bbcd5d124de15c27cf5ea84e14cb9a87f6a3

SHA256
ded09df700ef458322b6160edd39adb103c03cef3c6ffbce2ee096ce1fd33d62

SHA512
b0b23e540102b16c4ed9ac05f1ac353bf0d19e0c2b0880cec1fa2e9292030e1c5a75694176ac428c7de55588cf503ab36643d2db8c1fec3543daf3aeeb53a680

Download Submit
C:\Users\Admin\AppData\Roaming\360DrvMgr\360DRV~1.DAT

Filesize
393B

MD5
22599e195a8217974adb4971988540ad

SHA1
a0e00efa071045addd3797cf98de83c8e2c5023e

SHA256
e7001631f97e6b8f3f400781caed09eb8e36b4da0004f75d7fbc8b9e0a57fdfd

SHA512
767475958de47252433a06ac75f1b4bcb6fa5087840d2c4647f814ea008be9f1a64775444265e61881b5b71ce590f4aaf858a7957f0267dba3b7b330032c534a

Download Submit
C:\Users\Admin\AppData\Roaming\360DrvMgr\Config.ini

Filesize
57B

MD5
af52d6fb8cb6b87a5ccc3d2ece2562c5

SHA1
b3b381e0b77a7fc85efb8b822824b3806e743181

SHA256
204cde7d986ab8fde7defcf30c34d8540d6280e8734e0ff9fe1c683c13ed1bff

SHA512
4a4409fa03eff4ebe73a9f5ebaf431db498dc2dff45e2c033503c2423ceb88a316868b84104e2759b27b1b3c5dbbacdac3244f52ab8ad84f4ac3436fa0d86ae2

Download Submit
C:\Users\Admin\AppData\Roaming\lds\lds.set

Filesize
27B

MD5
aa8a1b752f1a6bb56b5d64e0ae2c3bf7

SHA1
fb9f5f26935bf75feb692073ad745df067dae289

SHA256
a5fd212c0ae7274073f04c0e06560b7254ab7757c64b89a444e434fa90331f43

SHA512
bd84115462a0a57e1e9fd9b0a7bc0d208c88af10d5a71db006d3b388f8d00e516fc74444d70bc9559e8e754a15ddc676ea2a8a0412010effa5eec4814dca8664

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads