3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.5MB
MD5

858ee6ceb590822f57d2d98a32e3c5af
SHA1

0cd9e539e919dd0367c1d04e2644bc3e8ad109e5
SHA256

3d505dd5081824da4517fbdc2a4da8c6133538b72171e260f59d10be5ed20acb
SHA512

ad624bba251a6131471a662e31a676c6facb335aef433b0c2313adb57c2ca4701590845c3c237d190a1817fa43daeaaeb3731c91e19045691523cccf9cbbd198
SSDEEP

24576:AD1YS7FpyUxT3DC2O1zj1SqdAGFQZIxvC45UJoenm9x:TQ5xT3DDWzjYq+ZIxL5UJoew

Score

10^/10

bootkit discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4180 bcdedit.exe
5080 bcdedit.exe
Downloads MZ/PE file

pid	process
4180	bcdedit.exe
5080	bcdedit.exe

Drops file in Drivers directory 12 IoCs

Processes:

QHActiveDefense.exe360TS_Setup.exeEaInstHelper64.exeQHActiveDefense.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\360AvFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360Camera64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\BAPIDRV64.sys	360TS_Setup.exe
File opened for modification	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe
File created	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360elam64.sys	EaInstHelper64.exe
File opened for modification	C:\Windows\system32\drivers\360FsFlt.sys	QHActiveDefense.exe
File created	C:\Windows\SysWOW64\drivers\360AvFlt.sys	QHActiveDefense.exe
File created	C:\Windows\system32\drivers\360AntiHacker64.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360AvFlt.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360netmon.sys	360TS_Setup.exe
File created	C:\Windows\system32\drivers\360Box64.sys	360TS_Setup.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KB931125-rootsupd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "41,0,2195,0"	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*"	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update"	KB931125-rootsupd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}	KB931125-rootsupd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate"	KB931125-rootsupd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1"	KB931125-rootsupd.exe

Sets service image path in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QHActiveDefense.exe360TS_Setup.exeQHSafeTray.exeEaInstHelper64.exeQHActiveDefense.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Camera\ImagePath = "System32\\Drivers\\360Camera64.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys"	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360netmon\ImagePath = "system32\\DRIVERS\\360netmon.sys"	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys"	EaInstHelper64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\drivers\\360AvFlt.sys"	QHActiveDefense.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHProtected\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\WscReg.exe\""	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys"	QHSafeTray.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup_Mini.exe360TS_Setup.exeQHSafeTray.exeDesktopPlus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	QHSafeTray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DesktopPlus.exe

Executes dropped EXE 26 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exePowerSaver.exeWscReg.exeWscReg.exeEaInstHelper64.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exeQHWatchdog.exePopWndLog.exeQHSafeTray.exePopWndLog.exeQHWatchdog.exeQHSafeTray.exeDesktopPlus.exeDesktopPlus64.exeKB931125-rootsupd.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exeQHSafeMain.exe360TsLiveUpd.exePromoUtil.exe

pid	process
4288	360TS_Setup.exe
4256	360TS_Setup.exe
1740	WscReg.exe
1080	PowerSaver.exe
3240	WscReg.exe
5100	WscReg.exe
1792	EaInstHelper64.exe
4688	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
4456	QHWatchdog.exe
4084	PopWndLog.exe
4792	QHSafeTray.exe
3580	PopWndLog.exe
4996	QHWatchdog.exe
2464	QHSafeTray.exe
3548	DesktopPlus.exe
800	DesktopPlus64.exe
3972	KB931125-rootsupd.exe
1128	updroots.exe
2368	updroots.exe
3220	updroots.exe
1276	updroots.exe
1080	QHSafeMain.exe
1964	360TsLiveUpd.exe
4796	PromoUtil.exe

Loads dropped DLL 64 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeregsvr32.exePowerSaver.exeWscReg.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exe

pid	process
4500	360TS_Setup_Mini.exe
4288	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
2304	regsvr32.exe
4748	regsvr32.exe
1080	PowerSaver.exe
5100	WscReg.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
4688	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 54.255.187.139
Destination IP 54.255.187.139
Destination IP 54.255.187.139
Destination IP 54.255.187.139

description	ioc
Destination IP	54.255.187.139
Destination IP	54.255.187.139
Destination IP	54.255.187.139
Destination IP	54.255.187.139

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QHActiveDefense.exeDesktopPlus64.exe360TS_Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	QHActiveDefense.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	DesktopPlus64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360DesktopLite = "\"C:\\ProgramData\\360TotalSecurity\\DesktopPlus\\DesktopPlus64.exe\" /auto"	DesktopPlus64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start"	360TS_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QHActiveDefense.exe

Checks for any installed AV software in registry 1 TTPs 37 IoCs

Security Software Discovery

T1063

Processes:

360TS_Setup.exeQHActiveDefense.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName = "LocalSystem"	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type = "16"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName = "360 Total Security"	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group = "TDI"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Alias	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info	QHActiveDefense.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	QHActiveDefense.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start = "2"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName	360TS_Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	360TS_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl = "1"	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath	360TS_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\""	360TS_Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

360TS_Setup.exeQHActiveDefense.exeQHSafeTray.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QHActiveDefense.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QHSafeTray.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

QHActiveDefense.exe

description	ioc	process
File opened (read-only)	\??\s:	QHActiveDefense.exe
File opened (read-only)	\??\t:	QHActiveDefense.exe
File opened (read-only)	\??\e:	QHActiveDefense.exe
File opened (read-only)	\??\m:	QHActiveDefense.exe
File opened (read-only)	\??\p:	QHActiveDefense.exe
File opened (read-only)	\??\r:	QHActiveDefense.exe
File opened (read-only)	\??\o:	QHActiveDefense.exe
File opened (read-only)	\??\v:	QHActiveDefense.exe
File opened (read-only)	\??\w:	QHActiveDefense.exe
File opened (read-only)	\??\y:	QHActiveDefense.exe
File opened (read-only)	\??\f:	QHActiveDefense.exe
File opened (read-only)	\??\g:	QHActiveDefense.exe
File opened (read-only)	\??\h:	QHActiveDefense.exe
File opened (read-only)	\??\i:	QHActiveDefense.exe
File opened (read-only)	\??\z:	QHActiveDefense.exe
File opened (read-only)	\??\l:	QHActiveDefense.exe
File opened (read-only)	\??\n:	QHActiveDefense.exe
File opened (read-only)	\??\u:	QHActiveDefense.exe
File opened (read-only)	\??\x:	QHActiveDefense.exe
File opened (read-only)	\??\j:	QHActiveDefense.exe
File opened (read-only)	\??\k:	QHActiveDefense.exe
File opened (read-only)	\??\q:	QHActiveDefense.exe

Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

360TS_Setup_Mini.exeQHSafeTray.exePromoUtil.exe360TS_Setup.exeQHActiveDefense.exeQHSafeTray.exeQHSafeTray.exePopWndLog.exeDesktopPlus64.exeQHSafeMain.exe360TsLiveUpd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	PromoUtil.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe
File opened for modification	\??\PhysicalDrive0	QHActiveDefense.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	QHSafeTray.exe
File opened for modification	\??\PhysicalDrive0	PopWndLog.exe
File opened for modification	\??\PhysicalDrive0	DesktopPlus64.exe
File opened for modification	\??\PhysicalDrive0	QHSafeMain.exe
File opened for modification	\??\PhysicalDrive0	360TsLiveUpd.exe

Drops file in System32 directory 2 IoCs

Processes:

QHActiveDefense.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat	QHActiveDefense.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat-journal	QHActiveDefense.exe

Drops file in Program Files directory 64 IoCs

Processes:

360TS_Setup.exePopWndLog.exe360TS_Setup.exe360TsLiveUpd.exeQHSafeTray.exe

description	ioc	process
File created	C:\Program Files (x86)\360\Total Security\backupsrv.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\safemon\webprotection_firefox\plugins\nptswp.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\safemon\spsafe64.dll.locale	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\360\Total Security\safemon\testwrite.ini	PopWndLog.exe
File opened for modification	C:\Program Files (x86)\1675441634_0\360TS_Setup.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\safemon\spsafe64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\UrlSettings.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-CN\ipc\yhregd.dll.locale	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\360\Total Security\updatecfg.ini	360TsLiveUpd.exe
File created	C:\Program Files (x86)\360\Total Security\netmon\netdrv\wfp\360netmon_x64_wfp.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\it\deepscan\dsurls.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\SDPlugin\PopWndTracker.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\safemon\360SafeCamera.tpi.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\vi\ipc\Sxin64.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\tr\safemon\UDiskScanEngine.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\AVE\360ave_ex.def	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\deepscan\art.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\drvmk.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\filemon\AVCheck.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\dynlenv.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\EfiProc.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\NoAds.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\filemon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\deepscan\cloudsec3.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\ipc\appd.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\deepscan\DsRes.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\filemon\AVLib.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\safemon\drvmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\tr\ipc\regmon.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\ipc\yhregd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\modules\360evtmgrpb.dat	QHSafeTray.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\ipc\360netd.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\bp.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\safemon\spsafe.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\DsTpi.tpi	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\Repair.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\bifdb.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pt\safemon\udisk.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\softmgr\360Opt.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\360ipc.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\libvi.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\deepscan\cloudsec3.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\Sxin.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\deepscan\art.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\zh-TW\ipc\NetDefender.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\softmgr\SML\Skin\SML_TaskBar.uiz	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\newui\themes\default\datashield_theme.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\sc.con	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\deepscan\dsurls.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\netmon\gameidentify.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\newui\themes\default\DailyNews\DailyNews_theme.ui	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\es\deepscan\DsRes64.dll	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\safemon\360disproc64_win10.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\SystemRegClean.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\libredlist.dat	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\webprotection_firefox\plugins\nptswp.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\deepscan\dsmain.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\softmgr\360elam.sys	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\hi\ipc\appd.dll.locale	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\fr\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\tools\nodes\360Netmon.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\config\newui\themes\default\devicemgr_theme.xml	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\en\safemon\wd.ini	360TS_Setup.exe
File created	C:\Program Files (x86)\360\Total Security\i18n\de\ipc\filemon.dat	360TS_Setup.exe

Drops file in Windows directory 2 IoCs

Processes:

EaInstHelper64.exe

description	ioc	process
File opened for modification	C:\Windows\ELAMBKUP	EaInstHelper64.exe
File created	C:\Windows\ELAMBKUP\360elam64.sys	EaInstHelper64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup.exeQHSafeMain.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	360TS_Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	360TS_Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QHSafeMain.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QHSafeMain.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

QHActiveDefense.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe\1 = "1"	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan	QHActiveDefense.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan\NetProbe\5 = "1"	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan\NetProbe	QHActiveDefense.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	QHActiveDefense.exe

Modifies registry class 61 IoCs

Processes:

regsvr32.exeQHSafeTray.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\360\\Total Security"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\360TotalSecurity.ext.1\shell\open\command	QHSafeTray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\360TotalSecurity.ext.1\shell\open\command\ = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" %1"	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\ = "SD360MN Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\360TotalSecurity.ext.1	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\ = "MenuEx 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\360TotalSecurity.ext.1\shell	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\360TotalSecurity.ext.1\shell\open	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.TotalSecurity	QHSafeTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.TotalSecurity\ = "360TotalSecurity.ext.1"	QHSafeTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64	regsvr32.exe

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

updroots.exeupdroots.exeupdroots.exePowerSaver.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\679A4F81FC705DDEC419778DD2EBD875F4C242C6\Blob = 030000000100000014000000679a4f81fc705ddec419778dd2ebd875f4c242c6090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b0601050508020206082b060105050703090b000000010000002000000041002d00540072007500730074002d005100750061006c002d003000320000002000000001000000cf030000308203cb308202b3a003020102020300e248300d06092a864886f70d010105050030818b310b300906035504061302415431483046060355040a0c3f412d5472757374204765732e20662e20536963686572686569747373797374656d6520696d20656c656b74722e20446174656e7665726b65687220476d624831183016060355040b0c0f412d54727573742d5175616c2d30323118301606035504030c0f412d54727573742d5175616c2d3032301e170d3034313230323233303030305a170d3134313230323233303030305a30818b310b300906035504061302415431483046060355040a0c3f412d5472757374204765732e20662e20536963686572686569747373797374656d6520696d20656c656b74722e20446174656e7665726b65687220476d624831183016060355040b0c0f412d54727573742d5175616c2d30323118301606035504030c0f412d54727573742d5175616c2d303230820122300d06092a864886f70d01010105000382010f003082010a02820101009691abd78eb059b801bdb41ead99fda1fcea0c966b8f2e4948d8e9e42482e1d8baccebde075c48c6198201474209e17cb99fae8ff6ee5e6ba8a856883856b3e6fec99d4f3438513c9cbef3ac9c1cc83d5c9a84aef7942c14b26437608e14b03b2acd89b522aff7e47fee2c2b33f98e3cad4ca2570ffb82c58e1f01df538cc115a4ddee9a9212d228e96217256031efcf3194f37df3e43c21ab90fc6dcf63a7c612007149d71cc8a0ed639a7de38f28dd60f9d8e616ab26d1d02fbde70d09df6ed4ece53853f4640bba5acc80b53859ec80596584316a5f55914c24e5249a83847abe80f1ee5f2007aa77176c0be255aa967808029e97f02bae58f580503ffe3b0203010001a3363034300f0603551d130101ff040530030101ff30110603551d0e040a0408423d2b24a6c145ce300e0603551d0f0101ff040403020106300d06092a864886f70d0101050500038201010046cb1163500d9b3e45d4482d927c9dbdb66adb88b29a97e83a6bd33c5f077e123a3ea1890d3fa17819f783b405e99bbc5bf4bcbc96175b1dca51873094407275b410a219d2e09a14b1ed35e38616a728e74382476c0b54fefbea62bae60bef64c3814cb649bd461e527535ceabbc1e1fa7148300e1ea1a952af4b5ac737b45917a91aa6415b6ab51efb9e92881418a873ada34c1c0330f5f78432434750d23dce819d996268dc36207762310d2606861e46715dabe4f20cab2398938e40f2f3ccbfec69ac3a17cf75fa00632c5105aae0f247bde500f252dbbf51ddcb22f165a4e196140bfd55f07dcab62a7f27a69cf1eaa12c26e627cd4ba3dd89187cffa2d	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7FB9E2C995C97A939F9E81A07AEA9B4D70463496\Blob = 0b00000001000000120000005300690067006f0076002d00430041000000090000000100000056000000305406082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090300000001000000140000007fb9e2c995c97a939f9e81a07aea9b4d7046349620000000010000001d0400003082041930820301a00302010202043a5c701a300d06092a864886f70d0101050500303d310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b13087369676f762d6361301e170d3031303131303133353235325a170d3231303131303134323235325a303d310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b13087369676f762d636130820122300d06092a864886f70d01010105000382010f003082010a0282010100d50b26cf07768b1b6512cce860f4909343c80ed292b68652a02eb9f053c8706ede4ed8186bb1ae5037aecc08d28b358617fdd110d7490a618376affe0106b3d8995d564bd473ffa6c44b2a9e77d7e1883cd355a72c676e726791138241aef0a9888c94ecb0bee12be9c91981acf264f2793914df858e0fbf81b011fafb26ea049fdb8a944da4b9a7c36a83b64c06222c92d836bf4e904069a2db41167905258a777438835a93f1426438f0c1a5bcf8a9fb6016f9f5e4c2533c50429e970b10232c6ab7c035c5d54eeb3a1cf214711f5efa96a39ca2ca6fc806d522cb5be994b09bd7b17ffda5a6c5e69c14fcb171535e7a24b4ecd25607d1b4941e50b4fd07ad0203010001a382011f3082011b301106096086480186f8420101040403020007305f0603551d1f045830563054a052a050a44e304c310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b13087369676f762d6361310d300b0603550403130443524c31302b0603551d1004243022800f32303031303131303133353235325a810f32303231303131303134323235325a300b0603551d0f040403020106301f0603551d230418301680141ef8d4536bb38306e904065702f9a5bfc6583c72301d0603551d0e041604141ef8d4536bb38306e904065702f9a5bfc6583c72300c0603551d13040530030101ff301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d0101050500038201010083c2b62ca80da2104f60ec8722aeb7567c50ee19943988df897d4a5f79f688955fe3afa5c6bc77ddb68250da1643f70c73a3e665e1bc6bb5420ad560e5c7f5976e929ee9d9366b8b1c136b2955425c809d26aca608a1050bffdaa3aa040c73ed9a1999bb65ab44fcd3cbc5120fb002206c4b4c5ba0c33227178c43c99d9055eef24fddf990b30e5481834cdca4246bbef9847c2ad29e28f4aa0ad75b5411303800e4124b04ac6289946bfbcaa56de741c51cd3e72a7e553dd451d4138def7d87529114df9bafe2bec2e3f712a22673a75aa1566df9eedfc3209b11b0eb9f07f6e87b55c71a4d6d907046e56155ec9e4930443b45b2a59bf99538bec9f4490dfc	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\BED525D1AC63A7FC6A660BA7A895818D5E8DD564	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 0300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff11090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b0000000100000014000000540072007500730074007700610076006500000053000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c02000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F4914F7D874951DDDAE02C0BEFD3A2D82755185\Blob = 53000000010000002600000030243022060c2b06010401be58000264010230123010060a2b0601040182373c0101030200c00b0000000100000026000000510075006f0056006100640069007300200052006f006f00740020004300410020003300000009000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090300000001000000140000001f4914f7d874951dddae02c0befd3a2d827551852000000001000000a10600003082069d30820485a003020102020205c6300d06092a864886f70d01010505003045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412033301e170d3036313132343139313132335a170d3331313132343139303634345a3045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f74204341203330820222300d06092a864886f70d01010105000382020f003082020a0282020100cc574216549ce698d3d34deefeedc79f43394a65b3e8168834db0d599174cf92b80440ad024b31abbc8d9168d8200e1a01e21a7b4e175de28ab73f991acdeb61abc265a61fb7b7bdb78ffcfd708f0ba067be01a259cf71e60f2976ffb15679452b1f9e7a54e8a3293568a4014f0fa42e37ef1bbfe38f10a872ab5857e75486c8c9f35bda2cda5d8e6e3ca33edafb82e5ddf25cb205336f8a36ced0134effbf4a0c344ca6c321bd500455ebb1bb9dfb451e6415de55018c0276b5cba13f4269bc2fbd68431656892a376191fda6ae4ec0cb146594374b9206ef04d0c89c88db0b7b81afb13d2ac4653a78b6eedc80b1d2d3999c3aee6b5a6bb38db7d5ce9cc2bea54b2f16b19e683b066fae7d9ff8deeccc29a798a325432feff15f26e1884df85e6ed7d9146e193369a73b848993c4535513a1517840f8b8c9a2ee7bba5242839e14ed05525a5956a797fc9d3f0a29d8dc4f910e13bcde95a4df8b99beac9b3388efb581af1bc62253c8f6c7ee9714b0c57c7852c8f0ce6e776084a6e92a7620ed5801173093e91a8be07363d96a9294494eb4ad4a85c4a32230fc09ed682273a6880c552158c5e13a9f2addcae190e0d973ab6c80b8e80b6493a09c8c19ffb3d20cec9126878ab3a2e1708f2c0ae5cd6d6851ebda3f057f8b32e6135c6bfe5f40e222c8b4b4644fd6ba7d483ea8690cd7bb8671c973b83f3b9d254bdaff40eb0203010001a382019530820191300f0603551d130101ff040530030101ff3081e10603551d200481d93081d63081d306092b06010401be5800033081c530819306082b060105050702023081861a8183416e7920757365206f66207468697320436572746966696361746520636f6e737469747574657320616363657074616e6365206f66207468652051756f566164697320526f6f74204341203320436572746966696361746520506f6c696379202f2043657274696669636174696f6e2050726163746963652053746174656d656e742e302d06082b060105050702011621687474703a2f2f7777772e71756f7661646973676c6f62616c2e636f6d2f637073300b0603551d0f040403020106301d0603551d0e04160414f2c013e082433efbee2f673296355cdbb8cb02d0306e0603551d23046730658014f2c013e082433efbee2f673296355cdbb8cb02d0a149a4473045310b300906035504061302424d31193017060355040a131051756f5661646973204c696d69746564311b30190603550403131251756f566164697320526f6f742043412033820205c6300d06092a864886f70d010105050003820201004fada02c4cfac0f26ff76655ab2334eee729dac35bb6b083d9d0d0e221fbf360a73b5d605327a29bf608222ae7bfa072e59c246a31b1907a27db84118927a6775a38d7bfac86fcee5d83bc06c6d1776b0f6d242f4b7a6ca70796cae3849fad888b1dab168d5b6617d916f48b80d2ddf8b276c3fc3813aa0cde42692b6ef33ceb8027dbf5a6440d9f5a55590bd50d5248c5ae9ff22f80c5ea32503512972ec1e1fff1238851389ff2665676e70f5197a5520c4d495195363dbfa24b0c101d86994caaf3721193e4eaf69bdaa85da74db79e02ae7300c8da2303e8f9ea1974620094cb2220be94a759b5826abe99797aa9f24a2452f774fdba4ee6a81d026eb10d8044c1aed323375fbb857c2b922ee87ea58bdd99e1bf276f2d5daa7b87fe0add4bfc8ef526e46e70426e33ec319e7b93c1e4c9691a3dc06b4e226deeab584dc6d041c12bea4f12875eeb45d86cf59802d3a0d8558a069919a2a077d1309eaccc75ee83f5b06239cf6c57e24cd2910b0e75281b9abffd1a43f1ca77fb3b8f61b869281642045e702a1c21d88fe1bd235b2d744092d963190d73dd69bc6247bce0742bb2eb7dbe411bb5c046c5a122cb5f4ec12892de18bad52a28bb118b1793989960945c23cf5a27975e0b050693371e3b6936eba99e611d8f32da8e0cd6743e7b0924da017747c43bcd348c99f5cae1256133b2591be26ed73757b60da912da	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D8A6332CE0036FB185F6634F7D6A066526322827	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000001800000045006e00740072007500730074002e006e0065007400000053000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c02000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A59C9B10EC7357515ABB660C4D94F73B9E6E9272	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\58119F0E128287EA50FDD987456F4F78DCFAD6D4	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A3E31E20B2E46A328520472D0CDE9523E7260C6D	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C\Blob = 0b000000010000000e000000740068006100770074006500000009000000010000000c000000300a06082b0601050507030303000000010000001400000023e594945195f2414803b4d564d2a3a3f5d88b8c200000000100000017030000308203133082027ca003020102020101300d06092a864886f70d01010405003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d3a4506ec8ff566be6cf5db6ea0c687547a2aac2da8425fca8f44751da85b5207494861e0f75c9e90861f5066d306e151902e952c062db4d999ee26a0c4438cdfebee3640970c5feb16b29b62f49c83bd427042510972fe7906dc0284299d74c43dec3f5216d549f5dc358e1c0e4d95bb0b8dcb47bdf363ac2b5662212d6870d0203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810007fa4c695cfb95cc46ee85834d21308ecad9a86f491ae6da51e360706c846111a11ac8483e59437d4f953da18bb70b62987a758add884e4e9e40dba8cc3274b96f0dc6e3b3440bd98a6f9a299b9918283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e7047	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6E3A55A4190C195C93843CC0DB722E313061F0B1\Blob = 0b000000010000004c0000004300680061006d006200650072007300690067006e0020004300680061006d00620065007200730020006f006600200043006f006d006d006500720063006500200052006f006f0074000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080300000001000000140000006e3a55a4190c195c93843cc0db722e313061f0b12000000001000000c1040000308204bd308203a5a003020102020100300d06092a864886f70d0101050500307f310b300906035504061302455531273025060355040a131e41432043616d65726669726d61205341204349462041383237343332383731233021060355040b131a687474703a2f2f7777772e6368616d6265727369676e2e6f726731223020060355040313194368616d62657273206f6620436f6d6d6572636520526f6f74301e170d3033303933303136313334335a170d3337303933303136313334345a307f310b300906035504061302455531273025060355040a131e41432043616d65726669726d61205341204349462041383237343332383731233021060355040b131a687474703a2f2f7777772e6368616d6265727369676e2e6f726731223020060355040313194368616d62657273206f6620436f6d6d6572636520526f6f7430820120300d06092a864886f70d01010105000382010d00308201080282010100b73655e5a55d1830e0da895491fcc8c752f82f50d9efb1757365477d1b5bba75c5fca18824fa2fedca084a3954c4517ab5da60ea383c81b2cbf1bbd991233f48017075a9052aad1f71f3c9543d1d066a403eb30c85ee5c1b79c262c4b8368e355d010c23044735aa9b604ea0663dcb260a9c40a1f45d98bf71aba500682aed837a0fa214b5d422b380b03c0c5a51692d58188fed999ef1aee295e6f647a8d60c0fb05858dbc366379e9b91543337d2941c6a48c9c9f2a5daa50c23f7230e9c32555e719c8405519a2dfde64e2a345adeca4037670c54215577da0a0ccc97ae80dc94364af43ece36131e53e4ac4e3a05ecdbae729c388bd0393b890a3e77fe75020103a38201443082014030120603551d130101ff040830060101ff02010c303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6368616d6265727369676e2e6f72672f6368616d62657273726f6f742e63726c301d0603551d0e04160414e394f5b14de9dba1295b578b4d760676e1d1a28a300e0603551d0f0101ff040403020106301106096086480186f842010104040302000730270603551d110420301e811c6368616d62657273726f6f74406368616d6265727369676e2e6f726730270603551d120420301e811c6368616d62657273726f6f74406368616d6265727369676e2e6f726730580603551d200451304f304d060b2b0601040181872e0a0301303e303c06082b060105050702011630687474703a2f2f6370732e6368616d6265727369676e2e6f72672f6370732f6368616d62657273726f6f742e68746d6c300d06092a864886f70d010105050003820101000c4197c21a86c0227c9ffb90f31ad103b1ef13f9215f049cdac9a58d276c968791be4190017293e71e7d5ff689c65da740093dac494545dc2e8d3068b209bafbc32fccba0bdf3f777b467d3a12248e968f3c050a6fd294281d6d0cc02e8822d5d8cf1d13c7f048d7d705a7cfc7479e3b3c34c8804fd414bbfc0d50f7fab3ec425fa9dd6dc8f475cf7bc17226b1011c5c2cfd7a4eb401c50557b9e73caa05d988e9074641ceef4181ae58df83a2aecad7771fe7003c9d6f8ee432091d4d783478343c949b26ed4f71c6197abd2022485afe4b7d03b7e758bec6324e741e68dda8685bb33eee627dd980e80a757ab7eeb4659a2190e0aad098bc38b5733c8bf8dc	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\016897E1A0B8F2C3B134665C20A727B7A158E28F	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C7F7CBE2023666F986025D4A3E313F29EB0C5B38	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AB9D58C03F54B1DAE3F7C2D4C6C1EC3694559C37	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\211165CA379FBB5ED801E31C430A62AAC109BCB4\Blob = 030000000100000014000000211165ca379fbb5ed801e31c430a62aac109bcb4090000000100000020000000301e06082b0601050507030106082b0601050507030206082b060105050703040b000000010000004a00000043006f006c006500670069006f0020006400650020005200650067006900730074007200610064006f0072006500730020004d0065007200630061006e00740069006c0065007300000020000000010000001707000030820713308204fba003020102020f2de40ae19bd1c2aa4cf400ac8135f9300d06092a864886f70d01010505003081a4310b3009060355040613024553314a3048060355040a0c41436f6c6567696f206465205265676973747261646f726573206465206c612050726f7069656461642079204d657263616e74696c65732064652045737061c3b161311b3019060355040b0c12436572746966696361646f2050726f70696f312c302a06035504030c235265676973747261646f7265732064652045737061c3b161202d204341205261c3ad7a301e170d3037303130393137303033395a170d3331303130393137303033395a3081a4310b3009060355040613024553314a3048060355040a0c41436f6c6567696f206465205265676973747261646f726573206465206c612050726f7069656461642079204d657263616e74696c65732064652045737061c3b161311b3019060355040b0c12436572746966696361646f2050726f70696f312c302a06035504030c235265676973747261646f7265732064652045737061c3b161202d204341205261c3ad7a30820222300d06092a864886f70d01010105000382020f003082020a0282020100ac501b0e92ceb87c156af8e40f9d7c7c7c76e40b263a5106cd28b3ed0f3ed9917bccfc878342f77bb05db87a67fe342162bfb929c3de5af103f2ebf2e212c2656476a7f5e6cb31a368f279eb9d54c552ff9f3d83630ee6bf1d28027dfc23f44493a3a9439cd8e8251a2035f5b5b0ceeb552bfad95eb0a1442be5002c240f377f323484b2c8156f8af5f2e82ef7438e02b8329b801a531d0199486b74f35a704aa4e8f702d1ba91a36b87be105e7e54b958b20af63b0ae30e38f3805df7418ef88f36b9839b114ce10bb1c5938a33b2bf9bb69e44b71ffe2a8128397ccfd4af3565ae675e8d21df0060112bd43ce427509f93b705f1d20e14dc298296f12aa21b430570b3d05c1e034155fe1638c5524d93b5b43c76224da92bac15c4a94b74b9a523d8cd2b48c1e2efcddef84ab0dfa0e3ee8635bf5b72946fb2464aea4a53ae31e691b57498459aa47dec712ae590513643f949d4d7280603b1fd7987d606f8aca1f9bf14780dcb234bcdbb2e32f47dbc69bbb6357e79cfbd4b727e61ab2a7e40c70ce5b290b54c0cd657077c97ccf9d977db7be78c137ecc7e184f4c4b238eae1ac7ea5f1fa617dd38b64fde0a6e525059ac6dcdd63119bd24e9a058cfd9d4b243793f5fd66faa65c846f2d2d57ef92e4318c298e468dfc1d35f452f69d11dee912448d2eb000ec2104bd29dbda34d17a3379aafef973181da89b1617a63a70203010001a382013e3082013a300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141b8d591cb3b758626466ace2e4a4f6a21912f6e53081f70603551d200481ef3081ec3081e90604551d20003081e0303c06082b060105050702011630687474703a2f2f706b692e7265676973747261646f7265732e6f72672f6e6f726d61746976612f696e6465782e68746d30819f06082b060105050702023081921a818f436572746966696361646f2073756a65746f2061206c61204465636c6172616369f36e206465205072e1637469636173206465204365727469666963616369f36e2064656c20436f6c6567696f206465205265676973747261646f726573206465206c612050726f7069656461642079204d657263616e74696c65732064652045737061f1612028a9203230303629300d06092a864886f70d010105050003820201003f1fd62c197640929c26e69e5806123d12c22b3adee5d88977401fc651aa748996c5c6c39df1fabc6913a00675172689fc65398d7379ebcf77a7bbd5482679319130279841a517e05f5c1b5a2a7cbaad166500517d87debaba63d663b435e0d74e19457ebf5169486f3e886e525583f08bc44cf40ad41121ae2960e85b8b9ff8c2ecb7763f80c2742e477862519edb8cf5ad5f8505e8fd9a7bbd70680b93c2307e12f44b4f74e2898fb943740fd6845e7ade7054a413365f647ed3040efedd196f245395ede9c90ed4a6f193a15b09e3a2d2574e3e1ace7dacc4f753d0cda892eda4c9972266f8c6a2f275e5117e2f751296f78f6fcf07e5cacc073ef53c8bedbc7c32603ee30fd41183340d768664bd33974e70edf620385f9a69c7c04f16ca85828f01b6ba135ed0f1ede928dd2abd258ed0fa130c160f779f762934706ceb794b9def4e34f045bb252c7592445fa79bc4aad2b36f2ebc61eb86014cd97ab975678b034bc73352789e05c0ed8f74781d1223b632fc51505e2dde50be103c8eef0885f53afaf2dee7d84c3ae512ebf43674985a528a941a66a96e453e142b8d3408aaef051361129084680d115a2caf799e70949fc564cbcc78f6535ce0d70db13ee3160bf3a6ec34423e751084a5d8bdb1e3ea61e6249cc281da1ed86ffc782d16e3442dc0d23d5e7da0d256d4603771fe4c8e659cd63bda36dcd83367d001	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E206939CC5FA883635F64C750EBF5FDA9AEE653\Blob = 0b00000001000000740000004100750074006f0072006900640061006400200043006500720074006900660069006300610064006f007200610020005200610069007a0020006400650020006c006100200053006500630072006500740061007200690061002000640065002000450063006f006e006f006d0069006100000009000000010000004a000000304806082b0601050507030106082b0601050507030206082b06010505070304060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020300000001000000140000007e206939cc5fa883635f64c750ebf5fda9aee6532000000001000000c8050000308205c4308204aca003020102020103300d06092a864886f70d01010505003082014b31183016060355042d030f005345432d3833303130312d395639311730150603550407130e416c7661726f204f627265676f6e3119301706035504081310446973747269746f204665646572616c310b3009060355040613024d58310e300c060355041113053031303330311d301b06035504091314496e73757267656e74657320537572203139343031423040060355040313394175746f726964616420436572746966696361646f7261205261697a206465206c6120536563726574617269612064652045636f6e6f6d696131343032060355040b132b446972656363696f6e2047656e6572616c206465204e6f726d6174697669646164204d657263616e74696c311f301d060355040a1316536563726574617269612064652045636f6e6f6d69613124302206092a864886f70d010901161561637273654065636f6e6f6d69612e676f622e6d78301e170d3035303530393030303030305a170d3235303530393030303030305a3082014b31183016060355042d030f005345432d3833303130312d395639311730150603550407130e416c7661726f204f627265676f6e3119301706035504081310446973747269746f204665646572616c310b3009060355040613024d58310e300c060355041113053031303330311d301b06035504091314496e73757267656e74657320537572203139343031423040060355040313394175746f726964616420436572746966696361646f7261205261697a206465206c6120536563726574617269612064652045636f6e6f6d696131343032060355040b132b446972656363696f6e2047656e6572616c206465204e6f726d6174697669646164204d657263616e74696c311f301d060355040a1316536563726574617269612064652045636f6e6f6d69613124302206092a864886f70d010901161561637273654065636f6e6f6d69612e676f622e6d7830820122300d06092a864886f70d01010105000382010f003082010a0282010100c164a0f4e75270b2ea9313f4353a1fea3a1cc51b8b58e196d602415e8e8540ff41664053fc98b5d13232976740809dee203f0e54fb4207fb771a99d886f41c2a8825f3e944a34efe07beb1c8ef3c8d87e01eca49103b28ef2451a1fc88174ae71cc8546763e86a31e6436cf6401186c456eebdc91da6463c1e46c2828d2ea9e8ee760a43e0724d8cf4c506fa2c01003360ce3870346b171aeb7a6461a793a4656ad723c7767a94510bec9ea8cf3ba250321c42bd63e187cbb985480ec0d558b6f6ce4bf207cfe304d51fc2d6a36ea3bbb6b76ec4f1a21f16bcb62db0eff45a9b298dbce1fc075b1e09338278cc406d71b363132fd34c36ac394fc6c1b0b6f5850203010001a381ae3081ab302f0603551d1f042830263024a022a020861e61637273652e65636f6e6f6d69612e676f622e6d782f6c6173742e63726c30460603551d20043f303d303b060b6086480186f84501070101302c302a06082b06010505070201161e61637273652e65636f6e6f6d69612e676f622e6d782f6370732e68746d6c300f0603551d130101ff040530030101ff300c0603551d0f04050303070600301106096086480186f8420101040403020007300d06092a864886f70d01010505000382010100c0def5622daea48d311fa77f1479bbd922c8982e8b201d069e5c600a4e7ededf9c133625f889931c9d1de1260a577f4ffddeb21eaa4f23eede3fccf2994417be55af168eb488c696785eff87025b08bce0a7ca6d7ff76f203ba6342a31661adb395c0d0734bec7b81613d10e9b00d8c4b5fba0e9eab7d2e26b9828910432c58274cebc39cb97cc766aef65d83edd72d6105e6d41b8d58814b19788481de20b54d368accb767d0a1ab64886e04cdeae4e78c45d3779eb7223debe95a6850e5cb11cb38105729d162841f805d9973e96fee7e3f3dcf716b40ebffdca1452927d09dbdbd4038c8d3cd8c58bad9cec5300ab402103aedb2fde01028cf4482565e40a	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\60D68974B5C2659E8A0FC1887C88D246691B182C	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\06083F593F15A104A069A46BA903D006B7970991\Blob = 0b00000001000000520000004e00650074004c006f0063006b0020004100720061006e0079002000280043006c00610073007300200047006f006c0064002900200046005101740061006e00fa007300ed0074007600e1006e0079000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030703000000010000001400000006083f593f15a104a069a46ba903d006b797099120000000010000001904000030820415308202fda003020102020649412ce40010300d06092a864886f70d01010b05003081a7310b30090603550406130248553111300f06035504070c08427564617065737431153013060355040a0c0c4e65744c6f636b204b66742e31373035060355040b0c2e54616ec3ba73c3ad7476c3a16e796b696164c3b36b202843657274696669636174696f6e205365727669636573293135303306035504030c2c4e65744c6f636b204172616e792028436c61737320476f6c64292046c59174616ec3ba73c3ad7476c3a16e79301e170d3038313231313135303832315a170d3238313230363135303832315a3081a7310b30090603550406130248553111300f06035504070c08427564617065737431153013060355040a0c0c4e65744c6f636b204b66742e31373035060355040b0c2e54616ec3ba73c3ad7476c3a16e796b696164c3b36b202843657274696669636174696f6e205365727669636573293135303306035504030c2c4e65744c6f636b204172616e792028436c61737320476f6c64292046c59174616ec3ba73c3ad7476c3a16e7930820122300d06092a864886f70d01010105000382010f003082010a0282010100c4245e73be4b6d14c3a1f4e397906ed230451e3cee67d964e01a8a7fca30ca83e320c1e3f43ad3945f1a7c5b6dbf304f8427f69f1f49bcc6990a90f20ff57f43843763518b7aa570fc7a58cd8e9bedc3466c84705ddaf3019023fc4e30a97ee12763e7ed643ca0b8c93363fe1690ffb0b8fdd7a8c0c094430bb6d559a69e56d0241f7079afdb39540d6575d915419401af5eecf68df1ffad64fe209ad75cebfea61f0864a38b7655ad1e3b28602e8725e8aaaf1fc6644620b7707f3cde48db9653b73977e41ae2c7168476975b2fbb191585f86985f599a7a9f234a7a9b6a603fc6f863d547c76049b6bf9405d0034c72e99759de58803aa4df803d24276c01b020300a88ba345304330120603551d130101ff040830060101ff020104300e0603551d0f0101ff040403020106301d0603551d0e04160414ccfa6793f0b6b8d0a5c01ef353fd8c53df83d796300d06092a864886f70d01010b05000382010100ab7fee1c16a99c3c5100a0c0110805a799e66f018854616ef1b918ad4aadfe814023942ffb757c2f284b622481820bf561f11c6eb86138eb81fa62a13b5a62d39465c4e1e66d82f82f2570b22126c172511f8c2cc38490c35a8fbacff4a765a5eb98d1fb05b2467515236a6f85633080f0d59e1f291cc26cb050595d905b3ba80d30cfbf7d7fcef19d83bdc9466e20a6f96151ba212f7bbea51563a1d49587f19eb9f389f33d85b8b8dbbeb5b929f9da3705004994038444e7bf4331cf758b25d1f4a664f592f6ab05eb3de9a50b3662dacc065f368bb65e31b82afb5ef671df44269ec4e60d91b42e759580516a4b30a6b062a193f19bd8cec463753f5947b1	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 53000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030703000000010000001400000047beabc922eae80e78783462a79f45c254fde68b2000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\56E0FAC03B8F18235518E5D311CAE8C24331AB66	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AE5083ED7CF45CBC8F61C621FE685D794221156E	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AADBBC22238FC401A127BB38DDF41DDB089EF012	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2AC8D58B57CEBF2F49AFF2FC768F511462907A41\Blob = 0300000001000000140000002ac8d58b57cebf2f49aff2fc768f511462907a41090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b00000001000000120000004300410020004400690073006900670000002000000001000000130400003082040f308202f7a003020102020101300d06092a864886f70d0101050500304a310b300906035504061302534b311330110603550407130a4272617469736c61766131133011060355040a130a446973696720612e732e3111300f060355040313084341204469736967301e170d3036303332323031333933345a170d3136303332323031333933345a304a310b300906035504061302534b311330110603550407130a4272617469736c61766131133011060355040a130a446973696720612e732e3111300f06035504031308434120446973696730820122300d06092a864886f70d01010105000382010f003082010a028201010092f631c17d88fd9901a9d87bf27175f131c6f37566fa51284684977834bc6cfcbc45598826184ac4371fa14a44bde37104f54417e23ffc48586f5c9e7a09ba51372223664321b03c64a2f86a150e3feb51e154a9dd0699d79a3c548b39033f0fc5cec6eb837202a81f71f32df87508db624ce8facef9e76a1fb66b3582bae28f16927d050c6c46035dc0ed69bf3ac18aa0e88ed9b945288708ecb4ca15be82ddb5448b2dad860c68626d8556f2ac14633ac6d199ac3478564bcfb6ad3f8c8ad704e5e3784cf586aaf58ffa3d6c71a32dca67eb687b6e33a90c8228a84c6a214015200c265b83c2a91615c024825d2b16adca63f67400b0df43c41060566763450203010001a381ff3081fc300f0603551d130101ff040530030101ff301d0603551d0e041604148db249689d720825b9c027f5509356484671f98f300e0603551d0f0101ff04040302010630360603551d11042f302d811363616f70657261746f724064697369672e736b8616687474703a2f2f7777772e64697369672e736b2f636130660603551d1f045f305d302da02ba0298627687474703a2f2f7777772e64697369672e736b2f63612f63726c2f63615f64697369672e63726c302ca02aa0288626687474703a2f2f63612e64697369672e736b2f63612f63726c2f63615f64697369672e63726c301a0603551d2004133011300f060d2b811e9193e60a000000010101300d06092a864886f70d010105050003820101005d3474614caf3bd8ff9f6d58361c3d0b810d122b461080fde73c27d07ac8a9b67e743033a33a8a7b74c0797942936dffb1291482ab218c2f17f93f262ff559c6ef8006b79a4929ecce7e713c6a1041c0f6d39ab27c5a919cc0ac5bc84d5ef7e153ff4377fc9e4b676cd7f383d1a0e07f25dfb8980b9a32386c30a0f3ff081533f7504a7b3ea33e20a9dc2f56800aed4150b0c9f4ecb2e32644000e6f9e06bc2296537065c4500a466ba42f27811227135f10a176ce8a7b37eac339610395983ae76c882508fc79680d877d62f8b45ffbc5d84cbd58bc3f435bd41e014d3c63be23ef8ccd5a50b86854f90a99331100e19ec2467782f559068c214c8709cde5a8	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D2441AA8C203AECAA96E501F124D52B68FE4C375	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D2441AA8C203AECAA96E501F124D52B68FE4C375\Blob = 0b000000010000005200000049002e00430041002000132020005100750061006c00690066006900650064002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000d2441aa8c203aecaa96e501f124d52b68fe4c3752000000001000000220500003082051e30820406a003020102020400a037a0300d06092a864886f70d01010b05003081b7310b300906035504061302435a313a303806035504030c31492e4341202d205175616c69666965642043657274696669636174696f6e20417574686f726974792c2030392f32303039312d302b060355040a0c245072766ec3ad20636572746966696b61c48d6ec3ad206175746f726974612c20612e732e313d303b060355040b0c34492e4341202d20416363726564697465642050726f7669646572206f662043657274696669636174696f6e205365727669636573301e170d3039303930313030303030305a170d3139303930313030303030305a3081b7310b300906035504061302435a313a303806035504030c31492e4341202d205175616c69666965642043657274696669636174696f6e20417574686f726974792c2030392f32303039312d302b060355040a0c245072766ec3ad20636572746966696b61c48d6ec3ad206175746f726974612c20612e732e313d303b060355040b0c34492e4341202d20416363726564697465642050726f7669646572206f662043657274696669636174696f6e20536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100b53684cb4282f0cf65e2549a58732ce3eb155752f0cf225888840d782aefd471e6fd8a4621d63f67ae3471e6a792342f217ee6db704ae0e482e8a3bc919600df3a293b3e8614238a5763ef2ee91b73e7368a617a90b1c4bfaa8d03c5b184f6d1df12b09470f0076ca15b3a3b577415803446f37b2e82a427b4a602dcb9e54c66c9a4d3fe033ef68293bd007527fc8061164e24b1cf25612d8bf460b2f42b2674a4813fbf29f70f0bc7bbc32ea90382dd7fcc1adc51699249bec013f04f11e32bc9057521d23a9e51a70615a45ce61fe8649d6b2270f3a6edbb10bbbe20ca36b6e9e381e3411692c67a7a3b77ada35c780df898770fd86c915eec48e4c52401cb0203010001a382012e3082012a300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201063081e70603551d200481df3081dc3081d90604551d20003081d03081cd06082b060105050702023081c01a81bd54656e746f20636572746966696b6174206a6520767964616e206a616b6f206b76616c6966696b6f76616e792073797374656d6f767920636572746966696b617420706f646c65207a616b6f6e6120632e203232372f323030302053622e207620706c61746e656d207a6e656e692f54686973206973207175616c69666965642073797374656d206365727469666963617465206163636f7264696e6720746f20437a65636820416374204e6f2e203232372f3230303020436f6c6c2e301d0603551d0e0416041479cbd023e93a677091744fd351e2e020fde128fb300d06092a864886f70d01010b050003820101007d95a536d788586811cf65fb5b0d2ff674818b59d99d49b8f53996c9f0b20f04cc588cfa0432acc047be2dc3de938ba69645ae5674e59a4ba23faa26c42856612405575f99a4c767b01852c9fb41a8f9e4f19e32ce9e1545d95dacfb9edb9bc73c8fafdb4ba223e83b29707118a5f8e387ae21136af4692a590e31b328533a629aac08937ca987b65f5aa618c2d0c2f35d8c6fa73f308938eb94132a485ade79e590cb5ea4b917b66306395fc8366311f4b612cf4876893c6a57f9eb7322f7fa3e05ae3ac0c60e924dcfd48954d11a826a375b9628a8002283ced02ab9b38d53582e655cd5f2db8c0125736c978bfc6001ec4093c1ed51b8aacb62d82530a23d	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B8236B002F1D16865301556C11A437CAEBFFC3BB\Blob = 53000000010000002400000030223020060a2b06010401828f09020430123010060a2b0601040182373c0101030200c00b00000001000000180000005400720065006e00640020004d006900630072006f000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000b8236b002f1d16865301556c11a437caebffc3bb200000000100000002020000308201fe30820185a00302010202087497258ac73f7a54300a06082a8648ce3d0403033045310b300906035504061302555331143012060355040a0c0b41666669726d54727573743120301e06035504030c1741666669726d5472757374205072656d69756d20454343301e170d3130303132393134323032345a170d3430313233313134323032345a3045310b300906035504061302555331143012060355040a0c0b41666669726d54727573743120301e06035504030c1741666669726d5472757374205072656d69756d204543433076301006072a8648ce3d020106052b81040022036200040d305e1b159d03d0a17935b73a3c927aca151ccd62f39c265c073de554faa3d6cc12eaf4145fe88e19ab2f2e48e6ac184378acd037c3bdb2cd2ce647e21ae663b83d2e2f78c44fdbf40fa4684c55726b951d4e18429578cc373c91e29b652b29a3423040301d0603551d0e041604149aaf297ac011353526513000c36afe40d5aed63c300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300a06082a8648ce3d040303036700306402301709f38788505aafc8c042bf475ff56c6a86e0c42774e43853d7057f1b34e3c62fb3ca093c379dd7e7b846f1fda1e271023042598743d451dfbad309325ace887e573d9c5f426bf5072db5f08293f9596fae64fa58e58b1ee363beb581cd6f028c79	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6B81446A5CDDF474A0F800FFBE69FD0DB6287516	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\71899A67BF33AF31BEFDC071F8F733B183856332	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\517F611E29916B5382FB72E744D98DC3CC536D64	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC\Blob = 0b000000010000003c000000450071007500690066006100780020005300650063007500720065002000650042007500730069006e006500730073002000430041002d003200000009000000010000000c000000300a06082b06010505070303030000000100000014000000394ff6850b06be52e51856cc10e180e882b385cc2000000001000000240300003082032030820289a00302010202043770cfb5300d06092a864886f70d0101050500304e310b300906035504061302555331173015060355040a130e457175696661782053656375726531263024060355040b131d45717569666178205365637572652065427573696e6573732043412d32301e170d3939303632333132313434355a170d3139303632333132313434355a304e310b300906035504061302555331173015060355040a130e457175696661782053656375726531263024060355040b131d45717569666178205365637572652065427573696e6573732043412d3230819f300d06092a864886f70d010101050003818d0030818902818100e43939931e52061b2836f8b2a329c5ed8eb211bdfeebe7b474c28fff05e7d99d06bf12c83f0ef2d6d124b211ded173098ad4b12c98090d1e5046b283a6458d6268bb851b207032aa40cda6965fc471373f04f3b7412439071a1e2e6158a0120be5a5dfc5abea3771cc1cc8373ab99752a7acc56a24944e9c7bcfc06ad6df21bd0203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b300906035504061302555331173015060355040a130e457175696661782053656375726531263024060355040b131d45717569666178205365637572652065427573696e6573732043412d32310d300b0603550403130443524c31301a0603551d1004133011810f32303139303632333132313434355a300b0603551d0f040403020106301f0603551d23041830168014509e0beaaf5eb92048a6506acbfdd8207aa78276301d0603551d0e04160414509e0beaaf5eb92048a6506acbfdd8207aa78276300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d0101050500038181000c8682ade84e1af58e8927e235583d29b4078f365095bf6ec19eebc490b285a8bbb742e00f0739dffb9e90b2d1c13e539f0344b07e4bf46fe47c1fe7e2b1e4b89aefc3bdcede0b3234d9de28ed336bc4d4d73d1258ab7d092dcb70f5138a94a127a4d670c56d94b5c97d9da0d2c60849d9669ba6d3f40bdcc52657e19130eacd	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\70179B868C00A4FA609152223F9F3E32BDE00562\Blob = 0b000000010000002800000056006900730061002000650043006f006d006d006500720063006500200052006f006f007400000009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030903000000010000001400000070179b868c00a4fa609152223f9f3e32bde005622000000001000000a6030000308203a23082028aa00302010202101386354d1d3f06f2c1f96505d5901c62300d06092a864886f70d0101050500306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f74301e170d3032303632363032313833365a170d3232303632343030313631325a306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100af57de561e6ea1da60b19427cb17db073f80854fc89cb6d0f46f4fcf99d8e1dbc2485c3aac3933c71f6a8b263d2b35f548b191c1024e0496917bb033f0b1144e116fb540af1b45a54aef7eb6acf2a01f583f1246603c8da1e07dcf573e331efb47f1aa1597075566a5b52d2ed88059b2a70db746ec2163ff35aba502cf2af44cfe7bf5945d844da8f2608fdb0e253c9f7371cf94df4aeadbdf72388cf396bdf117bcd2ba3b455ac6a7f6c6178b019dfc19a82a8316b83a48fe4e3ea0ab0619e953f3801307ed2dbf3f0a3c5520392c2c006974954abc20b2a979e5188991a8dc1c4defbb7e370b5dfe39a588528c006cec187c41bdf68b7577ba609d84e7fe2d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141538830f3f2c3f70331ecd46fe078c20e0d7c3b7300d06092a864886f70d010105050003820101005ff1417d7c5c08b92be0d59247fa675ca513c303219b2b4c8946cf594dc9fea540b663cddd7128956711cc24acd3446c71ae01206b03a28f18b7293a7de5166053783cc0af1583f78f523324bd649397ee8bf7db18a86d71b3f72c17d0742569f7fe6b3c94be4d4b418c4ee273d0e390227343cdf3efea73ce458ab0a649ff4c7d9d7188c4761d905b1deefdccf7eefd60a5b17a1671d116d07c123c6c6997dbae5f399a702f053c194604992036d0606e6106bb16428c70f730fbe0db66a30001bde62cda915fa0468b4d6a9c3d3ddd0546fe76bfa00a3ce400e627b7ff842ddeba2227961071eb22eddfdf339ccfe3adae8ed48ee64f51af1692e05cf6070f	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0b0000000100000012000000440069006700690043006500720074000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C93C34EA90D9130C0F03004B98BD8B3570915611\Blob = 0b00000001000000300000004c007500780054007200750073007400200047006c006f00620061006c00200052006f006f0074002000430041000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000c93c34ea90d9130c0f03004b98bd8b3570915611200000000100000068030000308203643082024ca00302010202020bb8300d06092a864886f70d01010b05003044310b3009060355040613024c5531163014060355040a130d4c7578547275737420732e612e311d301b060355040313144c7578547275737420476c6f62616c20526f6f74301e170d3131303331373039353133375a170d3231303331373039353133375a3044310b3009060355040613024c5531163014060355040a130d4c7578547275737420732e612e311d301b060355040313144c7578547275737420476c6f62616c20526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b27fa740f022ca0cf6ebb1f1cb0e95574075afa03f3eceecaa3257e619b16743985a6b7cb3b8fa789caaa684b2601b8041ce63cd1f170899a4f5ef3e12c74cb0579a5c784078fc458dda9167dc3a51b96d73e6b7398e763ab41f05f56955f993cf78884abeaa9bd77b475b46044c8216a635f6fc74dfd6b4afd8e2b527117459a2c2662c680ae19888883c8a057514e3b8aef308849b6ac13f3118af27a54b9ba4fd7931de983d0e61ca8798c1f88a309cfa3e33d5a5c40307e1f796741800273827d12baaaae141458b6ff125c2dca29795c74214335d7984236ae765c057a0d85da96301e7b0e48be8f8c563b8e56c74903dc777fc2bba79e9a4c61278a7ff0203010001a360305e300c0603551d13040530030101ff300e0603551d0f0101ff040403020106301f0603551d2304183016801417158589092f24876f3f1d1be4f29679834813ce301d0603551d0e0416041417158589092f24876f3f1d1be4f29679834813ce300d06092a864886f70d01010b050003820101005af01cd0d450cf417ee6b89d7dc370d05e36ff6e8e7a2fde4811d5342e3cb745c25425a7e1c11e3783b694aeb6454803ea95beeb9c6ab4375c1f2ed36b8281435b0a3f115563acfa7c080237a03c390433fe9732c852e5d9254db0c6ee681f70aa73ce5703dc7d0a0d33f2d25adf0a6c3bcc1151971aa421a2853502d78022d284b2f8c0aa68bfd5ebaac30baba17c2bf7f53b87e15457ec0524ef79424ef38b689fe46ecb8299c9cc2adc53c21f7083ab210f56b448ffdf0722b38cf91da604df2d0336b9dd6ffe318866ff6c6d4434af08773e26d272f4bb4756933c9863e133bb992392b58379e81d9f67ad62d689d6f6fc27de3227cb84da778521a11221	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\96C91B0B95B4109842FAD0D82279FE60FAB91683\Blob = 53000000010000002500000030233021060b2b06010401a53402814a0130123010060a2b0601040182373c0101030200c00b000000010000004400000044002d0054005200550053005400200052006f006f007400200043006c006100730073002000330020004300410020003200200045005600200032003000300039000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030803000000010000001400000096c91b0b95b4109842fad0d82279fe60fab91683200000000100000047040000308204433082032ba00302010202030983f4300d06092a864886f70d01010b05003050310b300906035504061302444531153013060355040a0c0c442d547275737420476d6248312a302806035504030c21442d545255535420526f6f7420436c617373203320434120322045562032303039301e170d3039313130353038353034365a170d3239313130353038353034365a3050310b300906035504061302444531153013060355040a0c0c442d547275737420476d6248312a302806035504030c21442d545255535420526f6f7420436c61737320332043412032204556203230303930820122300d06092a864886f70d01010105000382010f003082010a028201010099f1843470ba2fb730a08ebd7c04cfbe62bc99fd8297d27a0a67963809f6104e952273998dda152de705fc197322b78e9800bc3c3daca16cfbd679254badf0cc64da883e29b80f09d334dd33f562d1e1cd19e9ee184f4c58aee21ed60c5b155ad83ab8c418641ee333b2b589774e0cbfd9946b13976f12a3fe99a904cc15ec606836ed087bb7f5bf93ed6631838cc67134874e17eaaf8b918d1c5641ae22375e37f21dd9d12d0d2f6951a7be66a68a3a2abdc71ab1e114f0be3a1db9cf5bb16afeb4b14620a2fb1e3b70ef93987d8c7396f2c5ef8570ad2926fc1e043e1ca0d80fcb5283627cee8b539590a957a2ea6105d8f94dc427fa6eadedf9d751f76ba50203010001a382012430820120300f0603551d130101ff040530030101ff301d0603551d0e04160414d3948a4c62132a192eccaf728a7d36d79a1cdc67300e0603551d0f0101ff0404030201063081dd0603551d1f0481d53081d2308187a08184a08181867f6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e3d442d5452555354253230526f6f74253230436c617373253230332532304341253230322532304556253230323030392c4f3d442d5472757374253230476d62482c433d44453f63657274696669636174657265766f636174696f6e6c6973743046a044a0428640687474703a2f2f7777772e642d74727573742e6e65742f63726c2f642d74727573745f726f6f745f636c6173735f335f63615f325f65765f323030392e63726c300d06092a864886f70d01010b0500038201010034ed7b5a3ca49488ef1a1175072fb3fe3cfa1e5126eb87f629dee0f1d4c62409e9c1cf551bb430d9ce1afe0651a615a42defb24bbf20282549d1a6367734e864df52b111c7737acd399ec2ad8c7121f25a6bafdf3c4e55afb284651489b977cb2a31becfa36dcf6f489432466fe7718ca0a684193707f20345092b86757cdf5f695700db6ed8a672224b50d4759856dfb718ff434350ae7a447bf07951d7433da7d381d3f0c94fb9dac69786d082c3e4426dfeb0e2644e0e26e7403426b50889d70863633827751e33ea6ea8dd9f994f744d8189804bdd9a97295c2fbe8141b98cffea7d60069ecdd73dd32ea315bca8e626e56fc3dcb80321ea9f16f12c54b5	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E42A18706BD0C9CCF594750D2E4D6AB0048FDC4\Blob = 0300000001000000140000003e42a18706bd0c9ccf594750d2e4d6ab0048fdc4090000000100000056000000305406082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090b000000010000001200000053006900670065006e002d0043004100000020000000010000001d0400003082041930820301a00302010202043b3cf9c9300d06092a864886f70d0101050500303d310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b1308736967656e2d6361301e170d3031303632393231323734365a170d3231303632393231353734365a303d310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b1308736967656e2d636130820122300d06092a864886f70d01010105000382010f003082010a0282010100b0e565b2c0ac6496f2881bb3ed9ee402c64f2b88ce2e8a518075af105bf2cb38669ba20e6d344796a59211aff63547a277220cce168862aad3496e18bc2e44d8bec69ec21a19ac418efc300702f2c66ad45b2300ef4134d8a47363df2292338401a58df3835cfab8d47a35dfecf86d0fe04cedad9c3a7d86d6a50894be7d7a111ffe853f545a8863879ca5b1a74ecdb74473afcf8a496b1fe3cdd7494d5a2b17e65c76b3bb72b96f27d29b891588df105f7621016ac715310ad19c58f82816056dd94ed9a1d70720cb4b26894d92b2a7ba96e8e3588f229c01965ac4f7314d0b49b5e17861e2541806bb9e54347e0c3eebeeb5801fdd16841d6838666773f8910203010001a382011f3082011b301106096086480186f8420101040403020007305f0603551d1f045830563054a052a050a44e304c310b3009060355040613027369311b3019060355040a131273746174652d696e737469747574696f6e733111300f060355040b1308736967656e2d6361310d300b0603550403130443524c31302b0603551d1004243022800f32303031303632393231323734365a810f32303231303632393231353734365a300b0603551d0f040403020106301f0603551d23041830168014717b8a061f310555ab60127747201e038818ec89301d0603551d0e04160414717b8a061f310555ab60127747201e038818ec89300c0603551d13040530030101ff301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d0101050500038201010000ba6334f31818eeae7e8d92c735f5c213d4d600aa213216d6d05bfa29b08dfa177792f9a5b6f6f9873f060f20ee623d34f7a92fc7a93bd027884cacddc9a9e55a5885d712353ddcb0825b72f4bb73b7fbfe3821980480b288620f1eac3a16a9e6b30af615104503a397e2cdac10dcf9001ebf736c43ec772216062f9683897bb0b853444108dc801f05db19097687be359d4e214bb493c1683a9d5f36fea1ae302c4bde78243a58d61643ef9d99388b2a98fe30d1c2ead6af25d5a5760bb9ef40392ef6ebdf325e1d7d87b544cc0239d2269572d86f8543a88f0ea346ced7cee8b956a9f88917121f4349067a32e73fbe6f79bed633d74c3c28fc12f1767618	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6DC5E562A9FD64D4BB2F631CCD041E9AA6FF60F1\Blob = 0b000000010000006e00000045002d0047005500560045004e0020004b006f006b00200045006c0065006b00740072006f006e0069006b00200053006500720074006900660069006b0061002000480069007a006d006500740020005300610067006c0061007900690063006900730069002000530033000000090000000100000020000000301e06082b0601050507030106082b0601050507030206082b060105050703040300000001000000140000006dc5e562a9fd64d4bb2f631ccd041e9aa6ff60f12000000001000000c0030000308203bc308202a4a00302010202106c110202542d2f1f314771ce83eb01d7300d06092a864886f70d01010b05003078310b300906035504061302545231283026060355040a0c1f456c656b74726f6e696b2042696c676920477576656e6c69676920412e532e313f303d06035504030c36452d475556454e204b6f6b20456c656b74726f6e696b20536572746966696b612048697a6d6574205361676c61796963697369205333301e170d3133303331313134333933355a170d3233303331303134333933355a3078310b300906035504061302545231283026060355040a0c1f456c656b74726f6e696b2042696c676920477576656e6c69676920412e532e313f303d06035504030c36452d475556454e204b6f6b20456c656b74726f6e696b20536572746966696b612048697a6d6574205361676c6179696369736920533330820122300d06092a864886f70d01010105000382010f003082010a0282010100b5f4c75e5119d9b17cbc860bd6077e2be6d262eb3bbda9b93f839a34f48235ccc58c027487ad6b98ff0f86f5b2f8f3a6e4f8381754c522da86fd6e2ae0a9074739c905eaca83994c99928b91cc1c42046e203b91d7c404ea1b87969f1559cc330a7ce66205ad85229bea4149093a950567fd2816d1940a93b0df6969c89176066048170764fde3947a324d43139403c03038133e9bd60606edd33fbf4619a1f146ad0a9e7a42832315de1ecb3bb6213b69f0a293e7337151a0438b7b7a525e2a0cee580e453d72eef8242246cf08f17b1f5396001d07df2d1559718824a798fe398c0edb6a69a5da2f86aebe23c7b8fa0e2d6518c95a9d37e8ac2f58a89efe310203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414e27433ff1a56790545d821c7b02a8a87e7a478b0300d06092a864886f70d01010b05000382010100b5654fdad4b0c8ce1fbd6403d2ef62048f632edbe498398fdb76bfc32e3164798dd13b87e40e56dfd741f45773478b8722a78d7c27b111b8b556a414cb85ee038eacfcfaa6d09fad8230d93ce9b259ff51fabf0a992413e7b236838413c3dacfd70055c42789f5c84b4979dab526fb0f92f0d28740b5d488616fcc756eb7c133c8d34536fb1b79425a6e6de043746445a80f74fd0c802fc13c09cf24ba09ac222e1d31fef7b58244f375d8da2128b18422e9759087a3898ab3595506e76d50884d03fbbb8659428d6c5f62e2cd1a6d207d1fc3160760cb53db5257a6531a77ba8624ffca6487de543a3661ee8a7ec83ed6bbb03635d018d2c1b22f8c55494686	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6969562E4080F424A1E7199F14BAF3EE58AB6ABB	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\968338F113E36A7BABDD08F7776391A68736582E\Blob = 030000000100000014000000968338f113e36a7babdd08f7776391a68736582e09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b00000001000000540000004a006100700061006e0020004c006f00630061006c00200047006f007600650072006e006d0065006e007400200050004b00490020004100700070006c00690063006100740069006f006e0020004300410000002000000001000000a4030000308203a030820288a003020102020131300d06092a864886f70d01010505003039310b3009060355040613024a50310e300c060355040a13054c47504b49311a3018060355040b13114170706c69636174696f6e204341204732301e170d3036303333313135303030305a170d3136303333313134353935395a3039310b3009060355040613024a50310e300c060355040a13054c47504b49311a3018060355040b13114170706c69636174696f6e20434120473230820122300d06092a864886f70d01010105000382010f003082010a0282010100b935c610f8db68db07c4404cb01d1e36dcc341f6cf55156d087f5cc66855e5e757f19651e6e14d780f6e4015703b65fe11dfe7d3d658353be19f02fc9452462eb39e609b029ec982d2f6e3ae094f8444b6629b005168b83aadec64d1324be9944483b40ece21896bb036c098c64b9cc23e5b602a09312b2dab4cdeb1a0fd5856c2831d20bcc48409877ba89597c6258e83e03e930dd1c77d73a9a8fc1900402e22b87a3341f578fd5a71e782d948885ceca885872d6d8089671a69be10c05a8eed887d3e6f2c386b37ce47d8a23130de7e53656c8b865341206cbd48a57eaf005a56125881d1dc8959f9b5eef84d9ad844298b79a7f722aaea7c5cb41688200d0203010001a381b23081af301d0603551d0e041604147fb85d8ec4186bc67dcc2ee9aece34e7175de0a1300e0603551d0f0101ff040403020106304c0603551d1f044530433041a03fa03da43b3039310b3009060355040613024a50310e300c060355040a13054c47504b49311a3018060355040b13114170706c69636174696f6e204341204732300f0603551d130101ff040530030101ff301f0603551d230418301680147fb85d8ec4186bc67dcc2ee9aece34e7175de0a1300d06092a864886f70d010105050003820101003cd873364006484a5419f527483925a56e42e7b6cd1bcb3934b79bec4f2abe77e4ca84fc1deb9b2240d5f4fb688772fc475d6a0e524ae3b55d48c62296e6336d6dabf6cdd7cb245a8ca8459e3e61827d94d505f01a355f712f2e54b54105ef860d52ef9c981bf12c4c3ad1f386d38c3e7a2f86458e8332265bbf53ca0e5156dc9ac25a30190da79ed5aa9b2039697821f4976dd10e114c2ed31b5ab0f997785c2a8f5265ee4c4225c237300e6d2b35948306e8af453b0466a730bbf9e0213b636e7d445d3a6a53ef111724fd54b25a6c735621c96c2d97a442b327610521636dea28bc4f1a6f42dc98ab55d31e1bc0923f9bc1e63b1756e2c4984325eeb6cb00	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E621F3354379059A4B68309D8A2F74221587EC79\Blob = 0b000000010000002c000000470065006f0054007200750073007400200055006e006900760065007200730061006c002000430041000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000e621f3354379059a4b68309d8a2f74221587ec7920000000010000006c0500003082056830820350a003020102020101300d06092a864886f70d01010505003045310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311e301c0603550403131547656f547275737420556e6976657273616c204341301e170d3034303330343035303030305a170d3239303330343035303030305a3045310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311e301c0603550403131547656f547275737420556e6976657273616c20434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a61555a0a3c6e01f8c9d2150d7c1be2b5bb5a49ea1d97258bd001b4cbf61c9141d4582abc61d80d63deb109c3aaf6d24f8bc71019e06f57c5f1ec10e55ca839a5930ae19cb304895ed22378df44a9a72663ead95c0e01600e0101f2b310ed79454d34233a0341d1e4576dd4fca1837ec85157a1908fcd5c79cf0f2a92e10a992e63d583da916683c2f7521187f2877a5e16117b7a6e9f81e99db736ef40aa2216ceedaaa859266aff67a6b82daba2208350fcf42f135fa6aee7e2b25cc3a11e46daf73b2761dadd0b278671aa4391c510b675683fd385d0dceddf0bb2b961fde7b3252fd1dbbb506a1b2215ea5d695687ff0999edc45083ee7d2090d3594dd804e5397d7b509442064161703024c530d68ded5aa724d936d820edb9cbdcfb4f35c5d547a690996d6db11c18d75a8b4cf39c8ce3cbc247ce662cae1bd7da7bd57650be4fe25edb66910dc281a46bd011dd097b5e1983bc03764d63d94ee0be1f528ae0b56bf718b2329418e86c54b527bd871ab1f8a15a63b835ad7580151c64c41d97fd8416772a228df6083a99ec87bfc53737259f5937a17760ecef7e55cd90b5534a2aa5bb56a54e713ca57ec976df45e062f458b58d4231692e4166e28635930df50019c63891a9fdb1794827037c3249e9a47d65aca4ea86989721f916cdb7e9e1badc71f73dd2c4f1965fd7f9340102ed2f0ed3c9e2e283e692633c57b0203010001a3633061300f0603551d130101ff040530030101ff301d0603551d0e04160414dabb2eaab00cb8882651745c6d03d3c0d88f7ad6301f0603551d23041830168014dabb2eaab00cb8882651745c6d03d3c0d88f7ad6300e0603551d0f0101ff040403020186300d06092a864886f70d010105050003820201003178e6c7b5dfb89440c971c4a835ec461dc285f3285886b00bfc8eb2398f4455ab64845c69a9d09a383cfae51f35e544e380799468a4bbc49f3de134cd30468b542b95a5eff73f9984fd35e6cf31c6dc6abfa7d72308e1985ec35a0876a9a6af772fb760bd44466aef97ff7395c18ee893fbfd31b7ec571111459b30f11a8839c14f3ca700d5c7fcab6d802270a50ce05d042902fbcba091d17cd6c37e50d59d58be4138ebb9753c15d99bc94a8359c0da53fd33bb36189b850f15ddee2dac7693b9d9018d4810a8fbf53886f1db0ac6bd84a32341ded6776f85d4851c50e0ae518aba8d3e76e2b9ca27f25f9fef6e590d06d82b17a4d27c6bbb5f141a488f1a4ce7b3471c8e4c452b20ee48dfe7dd098e18a8da408d9226115361735debbde7c44d293761ebac392d672e16d6f5008385a1cc7f76c47de4b74b66ef03456069b60c529692845ea6a3b5a43e2bd9ccd81b47aaf244da4ff903e8f014cb3ff383ded0c154e3b7e80a374d8b2059033019a12cc8bd111fdfaec94ac5f327666686ac6891ffd9e6531c0f8b5c69650a26c81e34c35d517bd7a99c06a136ddd58994bcd9e42d0c5e096c08977ca33d7c93ff3fa114a7cfb55debdbdb1cc476df88b9bd4505951baefc466a4caf48e3ceae0fd27eebe66c9c4f816a7a64acbb3ed5e7cb762ec5a748c15c900fcbc83ffae632e18d1b6fa4e68ed8f929488ace73fe2c	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B865130BEDCA38D27F69929420770BED86EFBC10\Blob = 0b00000001000000220000004100430020005200410049005a00200046004e004d0054002d00520043004d000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000b865130bedca38d27f69929420770bed86efbc10200000000100000088050000308205843082036ca00302010202100081bbdd6b241fdab4be8f1bda0855c4300d06092a864886f70d0101050500303b310b30090603550406130245533111300f060355040a0c08464e4d542d52434d31193017060355040b0c104143205241495a20464e4d542d52434d301e170d3038313032393135353935355a170d3330303130313030303030305a303b310b30090603550406130245533111300f060355040a0c08464e4d542d52434d31193017060355040b0c104143205241495a20464e4d542d52434d30820222300d06092a864886f70d01010105000382020f003082020a0282020100ba71807a4c866e7fc8136dc0c67d1c00978f2c0c23bb109a40a91ab78788f89b566afbe67b8e8b928ea7255d5911db362eb751171fa9081f04172458aa374a18dfe539d457fdd7c12c910191e222d403c058fc7747ec8f3e7443baac348d4d3876678eb0c86f303358715cb4f56b6ed40150b8137e6c4aa349d12019eebcc0291865a7defeefdd0a9021e71a67924210985f4f30bc3e1c45b410d7684014c040fae777177ae60b8f655b3cd99a52dbb5bd9e46cf3deb910502c096b2764c4d10963b92fa9c7f0f99dfbe2335451e025cfeb5a89b9925da5ef322c339f5e42a2ed3c61fc46caac51c6a01054a2fd2c5c1a834265d66a5d20221f918b706f54e996fa8ab4c51e8cf5018c577c839092c49923299a8bb171779b05ac5e6a3c459654735835ea9e8350b99bbe4cd20c69b4a0639b568fc22baee558c2b4eeaf3b1e3fcb6999ad542fa714d08cf871e6a717df9d3b4e9a571817bc24e4796a5f67685a3288fe9806e8153a56d5fb848f9c2f936a62e49ffb896c28c07b39b8858fceb1b1cde2d70e2979230a189e3bc55a827d64bed90ad8bfa6325592da835ddca9733bce5cdc79dd1ecef5e0e4a90062663adb9d9352d07ba76652cac578f7df40794d78102965da30749d57ad057f91be7534675aab07942cb687108e960bd3969cef4afc35640c7ad52a209e46f86478a1feb28275d8320af04c96c569a8b46f50203010001a38183308180300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414f77dc5fdc4e89a1b7764a7f51da0ccbf87609a6d303e0603551d200437303530330604551d2000302b302906082b06010505070201161d687474703a2f2f7777772e636572742e666e6d742e65732f647063732f300d06092a864886f70d0101050500038202010076b926d7bc607c3bc3c78451925979b68dbf53e0bc88a0b5d94ce9adf5664eefa060c80bb891ed338e82f18695fec6d31a89ab4f3bd9331fd00bc7b1f54fa44bbb030c235c6cb0deac72fa69de0010cdf1d6cf3652be7ffc2641f3f2fc30e231c6db103ea974ba4feced2099c9b0e2a2a3a9429933cb7ff7aa02e924962af8e4ce5d41a00609555adadf1a4feb39fc5fe0a9a944d718ea95b1447bdaea3809741e67283fe08b392c53fa0ce039f72b1a0e3101d4667988749d48488eb49361e6bf2909efbe06a91a6c0870040abf6e0976a46443ce1f579d979e6cf874171c5103fa6053d4564696d0509fc69d33f343b1a8d7a2c9b0c983b17dc7dcac8176d789ed4326d6ffa25ca22da02447aa469a693109c1fd1079b085ec7020e63d4154a24a622fd6de4cc39c8fbdcba655941cddbd41cf28658dd04dd787d14cd3437321ecd72e17673287b6d01b74aa69c7e46c87d77d199aec3d44f1aa825972cd45dbda6642e1386c365f54dd265657a2d93ea40af2effc19801fdbbaaa80bcd851cd546ad57fd86fb5dc16fb40e2555490c3dd8733d1ff1ea5628b3644aca8bfc0d6c49477b3bdc4752469e9ff3994abfc516724ea401eeb892d13067dae07a1c30cf5d45ab24eb7211d17c5e5b9f21fe386015d0b06795dc9ca3f167e811e4d7ef09a3c25c5ce74799e4ae1f1e9f52546f6c4dee44464731dc6393e7ae6857b18	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DA8B6567EF3F6E1EA26AB146E36CCB5728041846\Blob = 0b000000010000001e000000430041002000440041005400450056002000420054002000300031000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030906082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000da8b6567ef3f6e1ea26ab146e36ccb572804184620000000010000000804000030820404308202eca003020102021068c9f4d1f06b0988e8969f4fcfbe5cb3300d06092a864886f70d01010505003039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e4341204441544556204254203031301e170d3039303130393131343233305a170d3137303130393133343233305a3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e434120444154455620425420303130820122300d06092a864886f70d01010105000382010f003082010a0282010100bef228f1f9b972e45daf689a7c8189ed23af5615a7243aae602f1846bb5d0cf78857fa7f330f9f95664fd0176c50ed868cca2e2c6f9e45484d3634142ddb50dccdb79a72d4289f21e04c9f46477d22d74795f3fa88a278fe7c7daa688230d6d4dbab7bd8819c3ed32973844c237d3b63154b61ab0fd4100b0f480e1af3291718ecec396dea839cebcc4be344221b5cc60d0ae175f70d8a1f14b2e8103bd9ccf72e66a98ec07da9c0982f70d884dead7b26f71fe7deef9e8ade70b016aa0b931f031fa8eebc65a6f970f6d760546773876baca403560dc13634a293b6388ea70e410c23e999a09df4e543681dd8bfa2e40515d28597e92088c7e5bc663a8695310203010001a382010630820102300e0603551d0f0101ff04040302010630700603551d230469306780142441eeccce15a577a8f4c1e180caf44f3fe45618a13da43b3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e4341204441544556204254203031821068c9f4d1f06b0988e8969f4fcfbe5cb3301d0603551d0e041604142441eeccce15a577a8f4c1e180caf44f3fe4561830120603551d130101ff040830060101ff020100304b0603551d20044430423040060604008f7a01023036303406082b060105050702011628687474703a2f2f7777772e64617465762e64652f7a6572746966696b61742d706f6c6963792d6274300d06092a864886f70d01010505000382010100b3c79fd921e326de421ccef7b878009cc05ee3db728330d22ed105791a2f9b148f7d6ca4aac50f1372552cf3307d39b1b45b68ccca3008e9a0a05171f9b34dfd9b2dc9f46d8c70a08264dda6a6827cb0acbc3e57d75e8eb26cb5014e8bd704b3a42efeb10345d6f1755d47a12730d04134c9f133857fcc102f98d91db6fd0bf4559f4e0b608edd2e1b78beed45a91e55c8629cc7debeda1f75f185e48088918abace9f8170fc2cde032320e46815361ccfe02c38474f229a5346cb999c25b2fedb74420a5dc1724b7543c0d4f06dca03dec4a3ea905fe2d671d1c21234a1e4d3c0b8f78904e73730b6dc3b8e21f0e2ce83d3ec4860a7ff722bfe814447560594	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 0b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e006700200043004100000009000000010000000c000000300a06082b0601050507030803000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd252000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A073E5C5BD43610D864C21130A855857CC9CEA46	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\61573A11DF0ED87ED5926522EAD056D744B32371\Blob = 5300000001000000220000003020301e0608608442011a01030330123010060a2b0601040182373c0101030200c00b000000010000002a0000004200750079007000610073007300200043006c0061007300730020003300200043004100200031000000090000000100000020000000301e06082b0601050507030106082b0601050507030206082b0601050507030403000000010000001400000061573a11df0ed87ed5926522ead056d744b32371200000000100000057030000308203533082023ba003020102020102300d06092a864886f70d0101050500304b310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d393833313633333237311d301b06035504030c144275797061737320436c61737320332043412031301e170d3035303530393134313330335a170d3135303530393134313330335a304b310b3009060355040613024e4f311d301b060355040a0c14427579706173732041532d393833313633333237311d301b06035504030c144275797061737320436c6173732033204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100a48ed774d92964de5f1f878091ea4e39e619c6440b80d50baf53078b12bde667f002b189f6608ac45bb042d1c021a8cbe19bef6451b6a7cf15f57480680490a058a2e674a653535548633f9256dd244e8ef8ba2bfff3348a9e28d7349fac2fd60ff1a42fbd52b249856d3935f04430934624f3b6e753fbbc61afa9a314fbc21717846ce07c88f8c91c572cf03d7e94bc259384e89a009a4505425780f44eced9ae39f6c853100c653a477b60c2d6fa91c9c6716cbd91873c918649abf30fa06c26765e1cac9b71e58dbc9b211e9cd6387e248015318296b149d362375b880c0a6234fea7487e99b1308b9037951ca81fa52c8df455c8dbdd590ac2ad78a0f48b0203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604143814e6c8f0a9a403f44e3e22a35bf2d6e0ad4074300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820101000167a38cc9253d13635d166feca13e095c91152a2ad980214f05dcbba589ab13332a9e38b78c6f027263c773771e0906ba3b287ba447c9616b080820fc8a058a1fbcbac6c2fecf6eec133371672e69faa92c3f66c012594d0b54029284bbdb12ef83707078c853fadfc6c6ffdc882f07c0499d325760d3f2f699295fe7aa01ccac33a81c0abb91c403a06fb634f986d3b3765498f44a81b3539d4d40ece5771345af5baa1fd82f4c827bfe2ac458bb4ffc9efd03651a2a0ec3a52016946b79a6a212b4bb1aa4237a5ff0ae8424e4f32bfb8a24a3279865da307576fc1991e8dbeb9b3f32bf40970726baccf394854a7a2793cf9042d4b85b16a6e7cb4003dd79	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\93F7F48B1261943F6A78210C52E626DFBFBBE260	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B12E13634586A46F1AB2606837582DC4ACFD9497\Blob = 030000000100000014000000b12e13634586a46f1ab2606837582dc4acfd949709000000010000005c000000305a06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b0601050507030906082b0601050507030606082b0601050507030706082b060105050802020b00000001000000120000004300650072007400690067006e006100000053000000010000002400000030223020060a2a817a0181310112010230123010060a2b0601040182373c0101030200c02000000001000000ac030000308203a830820290a003020102020900fedce3010fc948ff300d06092a864886f70d01010505003034310b300906035504061302465231123010060355040a0c094468696d796f7469733111300f06035504030c084365727469676e61301e170d3037303632393135313330355a170d3237303632393135313330355a3034310b300906035504061302465231123010060355040a0c094468696d796f7469733111300f06035504030c084365727469676e6130820122300d06092a864886f70d01010105000382010f003082010a0282010100c868f1c9d6d6b3347526821eecb4beea5ce126ed114761e1a27c16784021e4609e5ac863e1c4b19692ff186d6923e12b62f7dde2362f9107b948cf0eec79b62ce7344b700825a33c871b19f281070f389019d311fe86b4f2d15e1e1e96cd806cce3b3193b6f2a0d0a995127da59acc6bc884568a33a9e722155316f0cc17ec575fe9a20a9809dee35f9c6fdc48e3850b155aa6ba9fac48e309b2f7f432de5e34be1c785d425bce0e228f4d90d77d3218b30b2c6abf8e3f141189200e7714b53d940887f7251ed5b26000ec6f2a28256e2a3e186317253f3e442016f626c825ae054ab4e7632cf38c16537e5cfb111a08c146629f22b8f1c28d69dcfa3a5806df0203010001a381bc3081b9300f0603551d130101ff040530030101ff301d0603551d0e041604141aedfe413990b42459be01f252d545f65a39dc1130640603551d23045d305b80141aedfe413990b42459be01f252d545f65a39dc11a138a4363034310b300906035504061302465231123010060355040a0c094468696d796f7469733111300f06035504030c084365727469676e61820900fedce3010fc948ff300e0603551d0f0101ff040403020106301106096086480186f8420101040403020007300d06092a864886f70d0101050500038201010085031e9271f642afe1a3619eebf3c00ff2a5d4da95e6d6be68363d7e6e1f4c8aefd10f216d5ea55263ce12f8ef2ada6feb37fe1302c7cb3b3e226bda612e7fd4723ddd30e11e4c40198c0fd79cd183307b9859dc7dc6b90c294ca133a2eb673a6584d396e2ed7645708fb52bdef923d6496e3c14b5c69f351e50d0c18f6a70440262cbae1d6841a7aa57e853aa07d206f6d514060b9103752c6c72b561959a0d8bb90de7f5df54cddee6d8d609089763e5c12eb0b74426c026c0af55309e3bd5362a1904f45c1effcf2cb7ffd0fd874011d51123bb48c021a9a4282dfd15f8b04e2bf4305b21fc119134be41ef7b9d9775ff9795c096582feabb46d7bbe4d92e	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A9822E6C6933C63C148C2DCAA44A5CF1AAD2C42E	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 03000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e809000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000020000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob = 0300000001000000140000007f88cd7223f3c813818c994614a89c99fa3b5247090000000100000016000000301406082b0601050507030406082b060105050703030b00000001000000400000004d006900630072006f0073006f00660074002000410075007400680065006e007400690063006f0064006500280074006d002900200052006f006f00740000002000000001000000da030000308203d6308202bea003020102020101300d06092a864886f70d01010405003050310b3009060355040613025553310d300b060355040a13044d53465431323030060355040313294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479301e170d3935303130313038303030315a170d3939313233313233353935395a3050310b3009060355040613025553310d300b060355040a13044d53465431323030060355040313294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100df08bae33f6e649bf589af28964a078f1b2e8b3e1dfcb88069a3a1cedbdfb08e6c8976294fca603539ad7232e00bae293d4c16d94b3c9ddac5d3d109c92c6fa6c2605345dd4bd155cd031cd2595624f3e578d807ccd8b31f903fc01a71501d2da712086d7cb0866cc7ba853207e1616faf03c56de5d6a18f36f6c10bd13e69974872c97fa4c8c24a4c7ea1d194a6d7dceb05462eb818b4571d8649db694a2c21f55e0f542d5a43a97a7e6a8e504d2557a1bf1b1505437b2c058dbd3d038c93227d63ea0a5705060adb6198652d4749a8e7e656755cb8640863a9304066b2f9b6e334e86730e1430b87ffc9be72105e23f09ba74865bf09887bcd72bc2e799b7b0203010001a381ba3081b7300d0603551d0a040630040302078030320603550403042b13294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f7269747930720603551d01046b306980101a1be75b9ffd8c2ac339ae0c622e5332a1523050310b3009060355040613025553310d300b060355040a13044d53465431323030060355040313294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479820101300d06092a864886f70d010104050003820101002dc9e2f6129e5d5667fafa4b9a7edc29565c80140228856e26f3cd58da5080c5f819b3a67ce29d6b5f3b8f2274e61804fc4740d87a3f3066f012a4d1eb1de7b6f498ab5322865158ee230976e41d455c4bff4ce302500113cc41a45297d486d5c4fe8383657deabea2683bc1b12998bfa2a5fc9dd384ee701750f30bfa3cefa9278b91b448c845a0e101424b4476041cc219a28e6b2098c4dd02acb4d2a20e8d5db9368e4a1b5d6c1ae2cb007f10f4b295efe3e8ffa17358a9752ca2499585feccda448ac21244d244c8a5a21fa95a8e56c2c37bcf4260dc821ffbce74067ed6f1ac196a4f745cc51566316cc16271910f595b7d2a821adfb1b4d81d37de0d0f	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob = 5c000000010000000400000000100000030000000100000014000000f8db7e1c16f1ffd4aaad4aad8dff0f2445184aeb190000000100000010000000fdf830131f605511d717ae8f24143eea1400000001000000140000008570009f77591e8cac3c9f77262819cc9ac18f320f0000000100000020000000ed55f82e1444f79ca9dce826846fdc4e0ea3859e3d26efef412d2fff0c7c8e6c040000000100000010000000e0e22b8b045e62f1b233ee948b8f091520000000010000000906000030820605308203eda0030201020210078f0a9d03df119e434e4fec1bf0235a300d06092a864886f70d01010b0500308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f726974792032303134301e170d3134303532383136343334365a170d3339303532383136353134385a308194310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e313e303c060355040313354d6963726f736f667420446576656c6f706d656e7420526f6f7420436572746966696361746520417574686f72697479203230313430820222300d06092a864886f70d01010105000382020f003082020a0282020100c20f7f6d49bb39f04d943fe8fb4dc5eb3be1285ab9892a467ea5c333271d82893feb33a1876aeae882b9dac39d77d135c0cb833672a6571912bc15e2c83c7b83623414d5abb6de368ba15a71a65196a70633b3221d146253c2a5af9a40cabe2c485499e72a9368a769190b99693bc1b2acae94dc5fab7e02cade3ca774a68c10a0e5aeb69c35ef838b10e5972aba916b9a6a4595d9d054718e653fc48a53ca1e38470ae9d04184a5da1e66016504e6505b7735f5b42e29320cc6bf5f61ee3220b77c39f911faff605efec669f46f1e1ded1d06e7651e9a112e6344065f31431733e9a32682d44b83124fd2a126032548e13abd84f58ad5b46e1ae871200e45530167ade31e6be8b2e4abfdf53b8eba67af5984cc5c75d09daa5c72c42636a2ac324c6ab1f8331744d2a77d70eeeb70949abceaba1c104b635b38ddd2254504b2f0b35a7c0b0a8e21406437114d96694533e493839ef9b3b51c2b0571ea6dcce748b6b6de805010ca4938b35905704ebd9e880222586489eb40dab12d2d6a40885d23c33ed0f5d5b7908a28543962a2c5c6b1bf74cd8695f9456bccf207eaac5cd336f7a27ab5b472532a063ec337945858b14a71bb5ccd9cb2af109ad943363e528519e7422891118c8ce7bbdfe6c855087375f3960d86b7d2e506b2c08a54a86177207d6cd1feba68f3454aaf1184eb867d2f04f354ea20ffd5db3d250270870203010001a351304f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604148570009f77591e8cac3c9f77262819cc9ac18f32301006092b06010401823715010403020100300d06092a864886f70d01010b050003820201004f2574bd1f624f5f0ff74222d7d1d65304232ec5d5d7072b6b793b5f6d90ed1355d382f1f5028f3ef996267e0d421876fc6055825a86bd113339690fcee0b02bf15d19dfd8d2fa86a4cccdacf0d0ae9a8b2b248f03c1350d20b3dfc742ea77292e0a12fc0b1a458dd931840d8d02c0acfad212bf1e6a343eea8300a348754e72662da1a5129f37a85d4a7759cfd63afc30c5a609a5bfb108e3fb2c9f76c4fb4e611d6d23f3766985eb49bb0df73dd0aa05bcdd3d6e80445ed99a68ecc989c7e61a18f860a0e78cf6e6516f0ee025b863f9f9c20b8c3c9cb2f042cdbec3f5fe4929559c5e8696fba1ed6d2686e8b8208b5cc6e72d31c5aaca7d4b7da059a41efb5071e9afcfd6aa0d99de8e95269731a5f47f6df46815b8e3f7add8efd13875025ffd6d4efcb6fc2f451ba9cad11e7aff75181536c120e45f483a95eb7be4f5f6f4fec94b21a2a9ea8a9925cbe8444090d539b46b239b52bcc0c17e17666e650bf5741596a866ed856854b224e87588644589853c7a656b96e0f259ea4725660f6a1b0c3fd44ae64b26174709fed4d7b8e0cee72f94ad808b6770ccb77bcf1b2bb9d15bbdb8035cb1f01b412ce6535516e74a0e41089937e2a9d76d0e6a45e5ece388a9fdb69bc32820ceabc2936b516553bfa05e7b9d26349a514c8ca638d5865b3c55ee50ec000bcaacdcca10abdf189bd2ac0c8d084515af8535355ae526bc	PowerSaver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B561EBEAA4DEE4254B691A98A55747C234C7D971	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\912198EEF23DCAC40939312FEE97DD560BAE49B1\Blob = 030000000100000014000000912198eef23dcac40939312fee97dd560bae49b1090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000002e00000056006500720069007a006f006e00200047006c006f00620061006c00200052006f006f0074002000430041000000200000000100000079030000308203753082025da003020102020101300d06092a864886f70d01010b0500305c310b300906035504061302555331193017060355040a0c10566572697a6f6e20427573696e6573733111300f060355040b0c084f6d6e69526f6f74311f301d06035504030c16566572697a6f6e20476c6f62616c20526f6f74204341301e170d3039303733303134323730345a170d3334303733303134323730345a305c310b300906035504061302555331193017060355040a0c10566572697a6f6e20427573696e6573733111300f060355040b0c084f6d6e69526f6f74311f301d06035504030c16566572697a6f6e20476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a02820101008a000c701dbfeb3486c39945351e7f43f7ab6f242dcd19c210bbb0ca295ba920abab722cc4e202396d82b8c511eaf8fbb39e62f8331eb01fc9e3f637db04c83b634f36e285a4251dc7691f04bd68451396071f9450f53ec527549ec04957448e0763d4a6aeed2299cc4d966904136e76899f741694f91d54bda2b9d28301220c4d4480aafe35892725a78689c6d51a92e38fc595a014729ae856c502551c97f9202ed0f53c13195af6e1f90b038269a78cb7d66f9c563e9de82a09606d4be6fb8b9914f7344f6559808db957c8a23521d88871565dee82572d2690189f9a9c9c8fefd4c563a7547d4791877d1a12a81b186fa96fb127bae40474ce371e7f66c50203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604144c3811b898005b5a2b703eaa78e4d5676767a77e300d06092a864886f70d01010b05000382010100015fa0b10601f479d76518603ecf79a0bac2234f23df87965f810e38152e5cc802682920fc8beea58a1881645c98357e393082a4828a50b5bac3e85ad6a89ee2c317dbdbc4ebb00a200de99ee3ff605447f13b9dd4283ca2aea3fbaa8b82222a358790b81c594790d59d2efa49e365a836ebc7e41c68dcb3316cab4ece248015c810591011724d7a9c989cc4fc61e0b3b29d4ea0c6c259ab18d6a25545ec29aa2537d64e4a3d0b40c1e493e4fccd910bf8e6abccb376c462bf19ed86b679c3295454bc997d4657cfa6cff4542a9a03654701a1422acb25476e7c5e004b91d9f91b100670f94215a65faad7401efdc9489d9781ea5c68c2a0e789a1534dbfc7e3	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D6DAA8208D09D2154D24B52FCB346EB258B28A58\Blob = 030000000100000014000000d6daa8208d09d2154d24b52fcb346eb258b28a58090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b060105050703090b000000010000003000000048006f006e0067006b006f006e006700200050006f0073007400200052006f006f0074002000430041002000310000002000000001000000340300003082033030820218a003020102020203e8300d06092a864886f70d01010505003047310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f73743120301e06035504031317486f6e676b6f6e6720506f737420526f6f742043412031301e170d3033303531353035313331345a170d3233303531353034353232395a3047310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f73743120301e06035504031317486f6e676b6f6e6720506f737420526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100acff38b6e9660249e3a2b4e190f9408f79f9e2bd79fe02bdee24921d22f6da857269fed73f09d4dd91b5029cd08d5ae155c35086b92926c2e3d9a0f1690328208045222d56a73b54955622591f28df1f203d6da236be23a0b16eb5b1273f395309eaab6ae874b2c2655c8ebf7cc37884cd9e16fcf52e4f202a089f77f3c51ec49a52661e485ee310068f2298e1658e1b5d23663bb8a53251c886aaa1a99e7f7694c2a66cb741f0d5c80638e6d40ce2f33b4c6d508cc48327c11384593d9e7574b6d8025e3a907ac0423672ec6a4ddcefc400df1318575f2678c8d60a7977bff7afb776b9a50b84175d10ea6fe1ab95115f6d3ca35c4d835bf2b3198a808b0b870203010001a326302430120603551d130101ff040830060101ff020103300e0603551d0f0101ff0404030201c6300d06092a864886f70d010105050003820101000e46d53caee287d95e818b029841088c4cbcdadbee271b82e76a45ec168b4f85a0f3b270bd5a96baca6e6dee468b6ee72a2e96b31933ebb49fa8b237ee98a897b62eb66727d4a649fd1c9365769e422fdc226c9a4ff25a1539b171d72b51e86d1c98c0d92af4a1827bd5c941a223017438558b0fb92e67a2200437da9c0bd31721e08f9779346f84480220331be634449f9170f4805e8443c229d26c1214e4618dac10909e8450bbf0966f459f8af3ca6c4ffa113a151546c3cd1f835b2d4112ed506741133d21ab948aaa4e7cc1b1fba7d6b5272f97ab6ee01de2d11c2c1f44e2fcbe91a19cfbd6295373869f53d8430e5dd66382711d8074caf6e2026bd95a	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA\Blob = 0300000001000000140000001f24c630cda418ef2069ffad4fdd5f463a1b69aa090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003800000047006c006f00620061006c005300690067006e002000450043004300200052006f006f00740020004300410020002d0020005200350000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c02000000001000000220200003082021e308201a4a0030201020211605949e0262ebb55f90a778a71f94ad86c300a06082a8648ce3d040303305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3132313131333030303030305a170d3338303131393033313430375a305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e3076301006072a8648ce3d020106052b810400220362000447450e96fb7d5dbfe939d121f89f0bb6d57b1e923a48591cf062312dc07a28fe1aa75cb3b6cc97e745d458fad1776d43a2c08765340a1f7addeb3c33a1c59d4da46f4195387fc91e84ebd19e49928794870c3a854a669f9d59934d976106864aa3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604143de629489bea07ca21444a26de6eded283d09f59300a06082a8648ce3d0403030368003065023100e56912c96edbc631ba0941e197f8fbfd9ae27d12c9ed7c64d3cb05258b56d9a0e75e5d4e0b839c5b7629a00926216a62023071d2b58f5cea3be1780985a875923bc85cfd48ef0d7422a808e26ec549cec70cbca76169f1f73be12acbf92bf3669037	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079\Blob = 030000000100000014000000379a197b418545350ca60369f33c2eaf474f2079090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b0000000100000030000000470065006f0054007200750073007400200055006e006900760065007200730061006c002000430041002000320000002000000001000000700500003082056c30820354a003020102020101300d06092a864886f70d01010505003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e0603550403131747656f547275737420556e6976657273616c2043412032301e170d3034303330343035303030305a170d3239303330343035303030305a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e0603550403131747656f547275737420556e6976657273616c204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100b35452c1c93ef2d9dcb1531a5929e7b1c34528e5d7d1edc5c54ba1aa747b57af4a26fcd8f55ea76e19db740c4f355b320b01e3dbeb7a7735eaaa5ae0d6e8a15794f090a37456944430031e5c4e2b852674827a0c76a06f4dce412da01506145fb742cd7b8f586134dc2a08f92ec301a622441c4c0782e65bced04a7c04d3197327f0aa987f2eaf4eeb871e24776a5db6e85b45badcc3a1056f568e8f1026a549c32ed7418722e04f86ca60b5eaa163c001971079bd003c126d2b15b1ac4bb1ee18b94e96dcdc76ff3bbecf5f03c0fc3be8be461bffda40c252f7fee33af76a7735d0da8deb5e186a31c71eba3c1b28d66b54c6aa5bd7a22c1b19cca202f69b59bd376b86b56d82bad8eac956bca93658fd3e19f3ed0c26a99338f84fc15d2206d097eae1adc655e0812b28833afaf47b215100be5238cecd6679a8f48156e2d0830947515b506acfdb481a5d3ef7cbf665f76cf195f8023b325682397a5bbd2f891bbfa1b4e8ff7f8d8cdf03f1604e58114ceba33f102b839a0173d9946d84002766acf07040094292ad4f930d61095124d892d50b9461b287b2edff9a35ff8554caed4443ac1b3c166b484a0a1c40881f92c20b0005fff2c8024aa4aaa9cc99969c2f58e07de1bebb07dc5f04725c3134c3ec5f2de03d649022e6d1ecb82edd59aed9a137bf5435dc73324f8c041e33b2c946f1d85cc85550c968bda8ba36090203010001a3633061300f0603551d130101ff040530030101ff301d0603551d0e0416041476f355e1faa436fbf09f5c6271ed3cf44738102b301f0603551d2304183016801476f355e1faa436fbf09f5c6271ed3cf44738102b300e0603551d0f0101ff040403020186300d06092a864886f70d0101050500038202010066c1c623f3d9e02e6e5fe8cfaeb0b0254d2bf83b589b4024375acbab1649ffb3757933a12f6d70173491fe677e8fec9be55e82a9551f2fdcd4510712feac163e2c35c663fcdc10eb0da3aad07cccd1d02f512ec4145adee819e13ec6cca429e72e84aa06307876547328985938e0000d62d3427d219fae3d3a8cd5fa770d182b160e5f36e1fc2ab53024cfe0630c7b581afe99ba4212b191f47c68e2c8e8af2ceac97eaebb2a3d0d15dc3495b61874a86a0fc7b4f413c4e45bed0ad2a4974c2aed2f6c12893df12770aa6a0352219f40a86750f2f35a1fdfdf23f6dc784ee6984f553a53e3eff2f49fc77cd858af292297b8e0bd912eb076ec5711cfef2944f3e9857a6063e45d338917d931aadad6f3183572cf872b2f6323845d848c3f57a088fc999128266999d48f9744be8ed548b1a42829f115b4e1e59eddf88fa66f26d7093c3a1c110ea66c37f7ad44872c28c7d87482b3d06f4a57bb352927a08be821a78764365dccd816acc7b22740925538288d516edd1467536c715c26844d755ab67e6056a94dadfb9b1e97f30dd9d2975477da3d12b7e01eef0806acf98587e9a2dcaf7e181283fd5617412ed529827d99f431f671a9cf2c0127a505b9aab2484e2aef9f935251953c52738e564c1740c00928e48b6a4853dbeccd5555f1c6f8e9a22c4ca6d1265f7eaf5a4cda1fa6f21c2c7eae0216d256d02f575347e892	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\68ED18B309CD5291C0D3357C1D1141BF883866B1	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41	updroots.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WscReg.exe360TS_Setup.exeEaInstHelper64.exeQHActiveDefense.exeQHSafeTray.exe

pid	process
1740	WscReg.exe
1740	WscReg.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
1792	EaInstHelper64.exe
1792	EaInstHelper64.exe
4256	360TS_Setup.exe
4256	360TS_Setup.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe

Suspicious behavior: LoadsDriver 24 IoCs

Processes:

360TS_Setup.exeQHActiveDefense.exe

pid	process
648
648
4256	360TS_Setup.exe
4256	360TS_Setup.exe
648
648
648
648
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
648
648
880	QHActiveDefense.exe
648
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
880	QHActiveDefense.exe
648
648
880	QHActiveDefense.exe
648

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exeQHActiveDefense.exeQHActiveDefense.exeQHSafeTray.exeDesktopPlus.exeQHSafeMain.exe

description	pid	process
Token: SeManageVolumePrivilege	4500	360TS_Setup_Mini.exe
Token: SeLoadDriverPrivilege	4256	360TS_Setup.exe
Token: SeLoadDriverPrivilege	4256	360TS_Setup.exe
Token: SeDebugPrivilege	4256	360TS_Setup.exe
Token: SeDebugPrivilege	4256	360TS_Setup.exe
Token: SeDebugPrivilege	4688	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeShutdownPrivilege	2296	QHSafeTray.exe
Token: SeCreatePagefilePrivilege	2296	QHSafeTray.exe
Token: SeBackupPrivilege	2296	QHSafeTray.exe
Token: SeSecurityPrivilege	2296	QHSafeTray.exe
Token: SeSecurityPrivilege	2296	QHSafeTray.exe
Token: SeSecurityPrivilege	2296	QHSafeTray.exe
Token: SeDebugPrivilege	2296	QHSafeTray.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeDebugPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeLoadDriverPrivilege	880	QHActiveDefense.exe
Token: SeAssignPrimaryTokenPrivilege	3548	DesktopPlus.exe
Token: SeIncreaseQuotaPrivilege	3548	DesktopPlus.exe
Token: SeDebugPrivilege	880	QHActiveDefense.exe
Token: SeDebugPrivilege	2296	QHSafeTray.exe
Token: SeIncreaseQuotaPrivilege	1080	QHSafeMain.exe
Token: SeDebugPrivilege	1080	QHSafeMain.exe
Token: SeSecurityPrivilege	1080	QHSafeMain.exe
Token: SeShutdownPrivilege	1080	QHSafeMain.exe
Token: SeIncreaseQuotaPrivilege	1080	QHSafeMain.exe
Token: SeDebugPrivilege	1080	QHSafeMain.exe
Token: SeSecurityPrivilege	1080	QHSafeMain.exe
Token: SeShutdownPrivilege	1080	QHSafeMain.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

360TS_Setup_Mini.exeQHSafeTray.exePopWndLog.exeQHSafeMain.exe

pid	process
4500	360TS_Setup_Mini.exe
4500	360TS_Setup_Mini.exe
4500	360TS_Setup_Mini.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
4084	PopWndLog.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
1080	QHSafeMain.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

360TS_Setup_Mini.exeQHSafeTray.exePopWndLog.exe

pid	process
4500	360TS_Setup_Mini.exe
4500	360TS_Setup_Mini.exe
4500	360TS_Setup_Mini.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe
4084	PopWndLog.exe
2296	QHSafeTray.exe
2296	QHSafeTray.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exeWscReg.exeWscReg.exeQHActiveDefense.exeQHSafeTray.exePopWndLog.exeQHActiveDefense.exeDesktopPlus64.exeKB931125-rootsupd.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exeQHSafeMain.exePromoUtil.exe

pid	process
4288	360TS_Setup.exe
4256	360TS_Setup.exe
1740	WscReg.exe
3240	WscReg.exe
4688	QHActiveDefense.exe
2296	QHSafeTray.exe
4084	PopWndLog.exe
2296	QHSafeTray.exe
880	QHActiveDefense.exe
800	DesktopPlus64.exe
3972	KB931125-rootsupd.exe
1128	updroots.exe
2368	updroots.exe
3220	updroots.exe
1276	updroots.exe
1080	QHSafeMain.exe
4796	PromoUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

360TS_Setup_Mini.exe360TS_Setup.exe360TS_Setup.exeregsvr32.exeWscReg.exeQHActiveDefense.exeQHSafeTray.exePopWndLog.exeDesktopPlus.exeDesktopPlus64.exe

description	pid	process	target process
PID 4500 wrote to memory of 4288	4500	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4500 wrote to memory of 4288	4500	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4500 wrote to memory of 4288	4500	360TS_Setup_Mini.exe	360TS_Setup.exe
PID 4288 wrote to memory of 4256	4288	360TS_Setup.exe	360TS_Setup.exe
PID 4288 wrote to memory of 4256	4288	360TS_Setup.exe	360TS_Setup.exe
PID 4288 wrote to memory of 4256	4288	360TS_Setup.exe	360TS_Setup.exe
PID 4256 wrote to memory of 1740	4256	360TS_Setup.exe	WscReg.exe
PID 4256 wrote to memory of 1740	4256	360TS_Setup.exe	WscReg.exe
PID 4256 wrote to memory of 1740	4256	360TS_Setup.exe	WscReg.exe
PID 4256 wrote to memory of 4180	4256	360TS_Setup.exe	bcdedit.exe
PID 4256 wrote to memory of 4180	4256	360TS_Setup.exe	bcdedit.exe
PID 4256 wrote to memory of 5080	4256	360TS_Setup.exe	bcdedit.exe
PID 4256 wrote to memory of 5080	4256	360TS_Setup.exe	bcdedit.exe
PID 4256 wrote to memory of 2304	4256	360TS_Setup.exe	regsvr32.exe
PID 4256 wrote to memory of 2304	4256	360TS_Setup.exe	regsvr32.exe
PID 4256 wrote to memory of 2304	4256	360TS_Setup.exe	regsvr32.exe
PID 2304 wrote to memory of 4748	2304	regsvr32.exe	regsvr32.exe
PID 2304 wrote to memory of 4748	2304	regsvr32.exe	regsvr32.exe
PID 4256 wrote to memory of 1080	4256	360TS_Setup.exe	PowerSaver.exe
PID 4256 wrote to memory of 1080	4256	360TS_Setup.exe	PowerSaver.exe
PID 4256 wrote to memory of 1080	4256	360TS_Setup.exe	PowerSaver.exe
PID 4256 wrote to memory of 3240	4256	360TS_Setup.exe	WscReg.exe
PID 4256 wrote to memory of 3240	4256	360TS_Setup.exe	WscReg.exe
PID 4256 wrote to memory of 3240	4256	360TS_Setup.exe	WscReg.exe
PID 5100 wrote to memory of 1792	5100	WscReg.exe	EaInstHelper64.exe
PID 5100 wrote to memory of 1792	5100	WscReg.exe	EaInstHelper64.exe
PID 4256 wrote to memory of 4688	4256	360TS_Setup.exe	QHActiveDefense.exe
PID 4256 wrote to memory of 4688	4256	360TS_Setup.exe	QHActiveDefense.exe
PID 4256 wrote to memory of 4688	4256	360TS_Setup.exe	QHActiveDefense.exe
PID 880 wrote to memory of 2296	880	QHActiveDefense.exe	QHSafeTray.exe
PID 880 wrote to memory of 2296	880	QHActiveDefense.exe	QHSafeTray.exe
PID 880 wrote to memory of 2296	880	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 4456	2296	QHSafeTray.exe	QHWatchdog.exe
PID 2296 wrote to memory of 4456	2296	QHSafeTray.exe	QHWatchdog.exe
PID 2296 wrote to memory of 4456	2296	QHSafeTray.exe	QHWatchdog.exe
PID 2296 wrote to memory of 4084	2296	QHSafeTray.exe	PopWndLog.exe
PID 2296 wrote to memory of 4084	2296	QHSafeTray.exe	PopWndLog.exe
PID 2296 wrote to memory of 4084	2296	QHSafeTray.exe	PopWndLog.exe
PID 2296 wrote to memory of 4792	2296	QHSafeTray.exe	QHSafeTray.exe
PID 2296 wrote to memory of 4792	2296	QHSafeTray.exe	QHSafeTray.exe
PID 2296 wrote to memory of 4792	2296	QHSafeTray.exe	QHSafeTray.exe
PID 2296 wrote to memory of 2108	2296	QHSafeTray.exe	regsvr32.exe
PID 2296 wrote to memory of 2108	2296	QHSafeTray.exe	regsvr32.exe
PID 2296 wrote to memory of 2108	2296	QHSafeTray.exe	regsvr32.exe
PID 4084 wrote to memory of 3580	4084	PopWndLog.exe	PopWndLog.exe
PID 4084 wrote to memory of 3580	4084	PopWndLog.exe	PopWndLog.exe
PID 4084 wrote to memory of 3580	4084	PopWndLog.exe	PopWndLog.exe
PID 880 wrote to memory of 4996	880	QHActiveDefense.exe	QHWatchdog.exe
PID 880 wrote to memory of 4996	880	QHActiveDefense.exe	QHWatchdog.exe
PID 880 wrote to memory of 4996	880	QHActiveDefense.exe	QHWatchdog.exe
PID 880 wrote to memory of 2464	880	QHActiveDefense.exe	QHSafeTray.exe
PID 880 wrote to memory of 2464	880	QHActiveDefense.exe	QHSafeTray.exe
PID 880 wrote to memory of 2464	880	QHActiveDefense.exe	QHSafeTray.exe
PID 2296 wrote to memory of 3548	2296	QHSafeTray.exe	DesktopPlus.exe
PID 2296 wrote to memory of 3548	2296	QHSafeTray.exe	DesktopPlus.exe
PID 2296 wrote to memory of 3548	2296	QHSafeTray.exe	DesktopPlus.exe
PID 3548 wrote to memory of 800	3548	DesktopPlus.exe	DesktopPlus64.exe
PID 3548 wrote to memory of 800	3548	DesktopPlus.exe	DesktopPlus64.exe
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE
PID 800 wrote to memory of 2640	800	DesktopPlus64.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files (x86)\1675441634_0\360TS_Setup.exe
"C:\Program Files (x86)\1675441634_0\360TS_Setup.exe" /c:101 /pmode:2 /syncid0_1 /TSinstall
4⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\1675441669_00000000_wscreg\WscReg.exe
/regas:1_1
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on
5⤵
- Modifies boot configuration data using bcdedit
PID:4180

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set flightsigning on
5⤵
- Modifies boot configuration data using bcdedit
PID:5080

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
6⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:4748

C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1080

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
5⤵
PID:1528

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
6⤵
PID:4128

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
"C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
/showtrayicon
2⤵
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install
3⤵
- Executes dropped EXE
PID:4456

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon
4⤵
- Executes dropped EXE
PID:3580

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4792

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"
3⤵
PID:2108

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe
"C:\ProgramData\360TotalSecurity\DesktopPlus\DesktopPlus64.exe" /lowrun
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch
2⤵
- Executes dropped EXE
PID:4996

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2464

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"
2⤵
PID:1792

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"
2⤵
PID:4656

C:\Program Files (x86)\360\Total Security\QHSafeMain.exe
"C:\Program Files (x86)\360\Total Security\QHSafeMain.exe" /install
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Program Files (x86)\360\Total Security\PromoUtil.exe
"C:\Program Files (x86)\360\Total Security\PromoUtil.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe
"C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe" /delay:30
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1675441634_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\1675441634_0\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360Base.dll
Filesize
965KB

MD5
4f241e5de9091f6d78469bf1dc141cbd

SHA1
dec02d084f94049a4087a0f23db063ecaf98269a

SHA256
b96a9539e9a77fc0d21131dad0df7b065d297de79010ea7a763618f670206659

SHA512
2cfb06650b6d4acc212ccb7dc1da0b55457a7dc8ea0c8f550c0b3794a2ceb41a50a4e4d2e8057878eca27d5d14ca7df36564c79ee3f3b6c5aac70ef08546ed3a

Download Submit
C:\Program Files (x86)\360\Total Security\360NetBase.dll
Filesize
1.4MB

MD5
14c6b4bbd31f6fd13530bc941cc71d1a

SHA1
ce4e38ac82a54f64d318507ddc28f9ffbb378f0f

SHA256
401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5

SHA512
c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

Download Submit
C:\Program Files (x86)\360\Total Security\360TSCommon.dll
Filesize
483KB

MD5
fd9ec3f6ae3ec4e72c7d8adb9d977480

SHA1
304b83eb514354a86c9b136ac32badcec616fed8

SHA256
deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918

SHA512
22a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll
Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\CrashReport.dll
Filesize
170KB

MD5
94a08d898c2029877e752203a477d22f

SHA1
d8a4c261b94319b4707ee201878658424e554f36

SHA256
07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169

SHA512
79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\I18N.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\MenuEx64.dll
Filesize
388KB

MD5
d569954dc1054b6e7d3b495782634034

SHA1
dfaf57da05704261aa54afaa658d4e61a64fa7f2

SHA256
11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80

SHA512
b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e

Download Submit
C:\Program Files (x86)\360\Total Security\QHVer.dll
Filesize
22KB

MD5
78557da44e03016acfcc94cb4954a7bc

SHA1
e920f991eb205b9b4ca331ccd677b1157a6780fb

SHA256
f4806ddf87b56545172cd4acc3e830fcd27ee125a544b0ce787eabc6bafdeaf4

SHA512
646d287c8ecfd0b9b36a7272fd88fe5806762219f49032046245a127c3eb4d5559e4b90e814d0a91f1a3c1a34a415737603f1ecb872c5f2f49031bf9b02b4f07

Download Submit
C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
Filesize
145KB

MD5
a99cc896f427963a7b7545a85a09b743

SHA1
360dec0169904782cfe871ba32d0ed3563c8fa62

SHA256
192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559

SHA512
5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285

Download Submit
C:\Program Files (x86)\360\Total Security\config.ini
Filesize
146B

MD5
259b45ba3e50c2921cbe47da65d08651

SHA1
e694804d77e49bdf69943501fab96533e281b653

SHA256
6228e04578135ea2b289038dbb9cd3e854626ddcc77905c955783f505d67511c

SHA512
9d4cb718772dd4131ce937ed72a634cf06798b7f5363e93d711228aea01454fb6ae50071d79023897993d2891fa7f3654b781eafd15389fd53de88ab4c1bcab2

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\360FsFlt_win10.sys
Filesize
527KB

MD5
0e91072224732381b04b5b7001cce459

SHA1
5d1c1ed761d99d7356641672bc38e4efb74ecafc

SHA256
726a10a2f2e03bd5d85ba58d877606c42338245f7471aed88442dffd807605b1

SHA512
5f453a45d7a2ab3e10898ab6d17526864c6ee8217f0825092a5a5288089cd310e0a33eb93c1b828987f5977229bfe8e0f39180050a47b26b6c24624b4cb0957a

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\BAPI.dll
Filesize
251KB

MD5
27a0b5e6e7f3fe42e272c6c4d7ebccc1

SHA1
aa7f3d9b3eca5419f098afbd049b407791843b71

SHA256
cf10bc33555da5a334b1fd77de9a215eb6e2880a3b7c6b27f46492c32ed374a7

SHA512
07d229ddb28fefabc7310e73ac653818084500966f77afa1ad55c3fa9ed47fa28ec99fff731d0edf39e3d5a97e116086619c3bc9a9be68bc1d5071970ecb10de

Download Submit
C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dll
Filesize
111KB

MD5
b2fd7b345d3683210a2a465a886ddb9e

SHA1
2aa774cbae5c9460945ffb850b990d3159c091f6

SHA256
eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1

SHA512
62e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt.dll
Filesize
53KB

MD5
da5e35c6395a34acaa5a0eb9b71ff85a

SHA1
5da7e723aaa5859ab8f227455d80d8afa7696e22

SHA256
5e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172

SHA512
49660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c

Download Submit
C:\Program Files (x86)\360\Total Security\filemon\AVCheck.dll
Filesize
321KB

MD5
0fc2f13d9e0cfbd4903a77051348d16a

SHA1
c1df2fe56cbd15271020e48751c39ab482f6eaca

SHA256
7b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b

SHA512
6977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc

Download Submit
C:\Program Files (x86)\360\Total Security\i18n.dll
Filesize
95KB

MD5
7e181b91215ae31b6717926501093bc4

SHA1
8fcf05c9ac64c46c87acc1ec67631e7b66363d9e

SHA256
239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9

SHA512
0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\UrlSettings.dll.locale
Filesize
22KB

MD5
627cbb9d1671cd7a553cb9e59e765bbf

SHA1
4a4916f14c4ca7d26dac88ff4a5884761d8c5a70

SHA256
063e660b1e32cbaefb8b928f1fa638853bbcb6b996bb08496fc861fc5425a840

SHA512
cfe0246353d9670ac7d77994633e8c55aca4a3ecc889c52d09949e427d5e5e06056678de15ecc3017af81ca6ca1333f624f8652a7488dd4e317c6a46c8719237

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\en\safemon\360procmon.dll.locale
Filesize
106KB

MD5
7bdac7623fb140e69d7a572859a06457

SHA1
e094b2fe3418d43179a475e948a4712b63dec75b

SHA256
51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd

SHA512
fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\i18n.ini
Filesize
246B

MD5
dfc82f7a034959dac18c530c1200b62c

SHA1
9dd98389b8fd252124d7eaba9909652a1c164302

SHA256
f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919

SHA512
0acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360Box.dll
Filesize
50KB

MD5
f398c9c333589ed57bb5a99eb2d32d13

SHA1
1fcac85e06506f332cae1d29451abe6808d8d39b

SHA256
1587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602

SHA512
0282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\360hvm.dll
Filesize
23KB

MD5
e540bc23b3f5934dee4d7b7b39fc3ac2

SHA1
465f0b0e4fe49b81a43980dd0cf40e068e98abed

SHA256
e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421

SHA512
39412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll
Filesize
171KB

MD5
bc8917f469a0e356c015ad6a31acc134

SHA1
a2e0fbcff53018ed92754065beb0a16e35339cf3

SHA256
4f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9

SHA512
f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dll
Filesize
59KB

MD5
bdce31fc701c9aa16ca392a561ba102d

SHA1
58bbdeb96e7819b00d60f0e6580dfc455774a9f7

SHA256
3305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b

SHA512
2a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863

Download Submit
C:\Program Files (x86)\360\Total Security\ipc\sbmon.dll
Filesize
366KB

MD5
c0805da6b17d760418fd2fd031880934

SHA1
f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5

SHA256
edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612

SHA512
f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dll
Filesize
382KB

MD5
30c9d5470142edf4d69b00aff040f822

SHA1
7c21ed33749b58c10ad7e1d95c922244eec62fcf

SHA256
b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247

SHA512
c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f

Download Submit
C:\Program Files (x86)\360\Total Security\netmon\netmstart.dll
Filesize
169KB

MD5
b1f70f9be9df8bb186c5bc5159690a1f

SHA1
0c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2

SHA256
ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2

SHA512
188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360HipsPopWnd.dll
Filesize
790KB

MD5
c77481cac4c9411aa1ead1de68c7798d

SHA1
f2288af2ee58e25de2a11da09589bb61e94ae5cb

SHA256
eb04cc2139f21f62107afaf03939c49515730cce4ed0f0e6d12199445b5f377a

SHA512
bbde3700933d5264ec024f866dc1c6b5d7e51d6368f3614aa95fbbe93fb9ee593e87f61e7f945d141d883d4d2a07c22114bb98e262f2afbccc7ec485cffde3cc

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360SPTool.exe
Filesize
165KB

MD5
259affe7b271b29d4b04d678c94bc776

SHA1
073f326b4ce111ace97df011f8ffb78bbefcdbd2

SHA256
92d35442715cb9c7dee115e146daa72bbb5c408ae03bb6bb5b6f834ff1867444

SHA512
e042c2ecb0f2f53a2d1555799d30aff474dfeea01033761f7f9298fa5575f5c23db5819bd850209c1b916ba3d7bd8f32a31c8b81ab9ac65a0d0a27be353aeb63

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\360procmon.dll
Filesize
470KB

MD5
83f8ed9de87847a744d5c9886497c35a

SHA1
ebd215ec6eff04b395f4ddffa77b5f06d43d2e74

SHA256
0f9b89a1d321941fe5c9e714aa4590dacf6e88f4014c2ae69e394cb4f3e5640b

SHA512
c110aa4504e6978f365fdcbbc933fcf6be9b8b74403e4901b3801658bd8b540c830a3a579a7eab3865cc5c12e3545e807d3257d4ef36be00e6da5077b8f5c4e1

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
Filesize
1.1MB

MD5
7e0bce805d94db8b88971a0fe03ec52e

SHA1
f4ce366ed9958d1f25426e5914b6806aa9790a33

SHA256
e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2

SHA512
d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\360elam64.sys
Filesize
16KB

MD5
67e72ee5dcd6e2c69d9c1f457fd0e3c9

SHA1
1da65ca2fd47f10ec7eac55fdb5bfce19bb90de3

SHA256
7f3f8cde5989c7339f4862dd44ecd827fbf06d0ae6152c17907e27e822e0bf82

SHA512
d715cc1761a025e0df4296a4c37c4e799c6006dce6bf63215f9864cf853cc5f7917fd24baa1cac775e8b74005eebb6fc42b211876bf386af0062364c6ee2fd77

Download Submit
C:\Program Files (x86)\360\Total Security\softmgr\EaInstHelper64.exe
Filesize
146KB

MD5
bebc39160a8446ec0e9693f5da3e8380

SHA1
9c4a2817429159eb4357ead9fca2d07d9d7c3f21

SHA256
ebe911d8eb2d2989becc8d9a965749e512914ff2bb42f1199e33c2550da46c56

SHA512
67281f868aae81017108dbfea58b882ec32eca3d6218e87d7ecf6df6df170ea62f94e041cbe09bb53d484af09acf72d6734110a4c6926cd0728029ccefdb5718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
17fc9071fb0e68185a12aeb43f3353eb

SHA1
10e7c6e03b16f1a79199067d2aeb524e6272d60d

SHA256
78ed590779c45a25167bdc37dc68cdb9c0efbd0c6fd9f6e750039edd79f4c519

SHA512
6fc722ca94feb621d3fd8d865e1e51dd58bc9e155b1b156b7b0be58236447c21ec74ddc12507aeaa94356a160184a1f6d872a88f8b016f36642ebe2293b52eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
5b9ae1f8cf545e81c24ca6fc67cbe6b2

SHA1
fe01128033688d9e9745f32714d084b7a8b15f88

SHA256
fa0576b46c519e6e72adadbd32aa53e1c6f044e5466da4fe643496a362bf72fd

SHA512
c249eeef9a2002db49ba196797fd0b63a4afc0312b2857cdeef9a8ea2f3f0ba621334dbe4b8356c7cb58ff537fe2f3d9eb5e1f671c8d620fdc02b086860917ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
2173df21878697663ac8805f58a80676

SHA1
6c0b79e487440730f96827061d5edb0509fd9ab3

SHA256
1e23acd9d71c47658e2916f46b4512a7b8773ba5eaee1854d0515d554be5c120

SHA512
d740614dc54a3ab8df0d336c3b17e947f6e96330e0aef8f8c30b59052c4c4faabb36ef4733b5401fedcbb4628d98869985623c99cf73a65328495e45a2e82c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
3054251747d4a9621b284295183fc45a

SHA1
c6bf53b40b036f244c8880e82c7538d6d10dc401

SHA256
8593e5b647b6ba05d0e7bdb9f2f34f3dc5e8e3cc6a95cd38667dc4421e46e64b

SHA512
cc92243317b8fa578e55677fb71228667f56a5b7cf109b584adbbf083d6d65a493382f79fac71b7cf33f61f9c8a6fd63bf37c2c0d08d71cea7d1227645f0da5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675441628_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675441645_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675441669_00000000_wscreg\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1675441669_00000000_wscreg\WscReg.exe
Filesize
2.9MB

MD5
c7dbfd0d17929c83f12080eb4680595f

SHA1
210f608a7929bf4085815522ffe2695063125e69

SHA256
a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75

SHA512
7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
Filesize
89.4MB

MD5
57c374e2356d0013cff1711b74e6baad

SHA1
3b914bc60de43eaa9255441b76d6b92ff25fab9c

SHA256
ae2cf3e5f83742de8b33124403b295559a1aa814dc5f0e26eddbcc3ac94c55fe

SHA512
88da3108e668099b99b5506a0904ba48122357687ec14e26763df8138f66cbc060975f85e6f812cd06229cdca90eac5cdd77a95de30570b9553ac869fe614f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20230203162725_240613359\7z.dll
Filesize
1.1MB

MD5
e74067bfda81cd82fe3a5fc2fdb87e2b

SHA1
de961204751d9af1bab9c2a9ba16edc7a4ae7388

SHA256
898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e

SHA512
c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C4550E8B-EFF7-425e-BC17-02F6BE552007}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/800-226-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-224-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-237-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/800-236-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-235-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-234-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-223-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/800-222-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/800-216-0x0000000000000000-mapping.dmp

Download
memory/800-225-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/800-228-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/800-227-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1080-174-0x0000000000000000-mapping.dmp

Download
memory/1080-233-0x0000000000000000-mapping.dmp

Download
memory/1128-220-0x0000000000000000-mapping.dmp

Download
memory/1276-230-0x0000000000000000-mapping.dmp

Download
memory/1528-231-0x0000000000000000-mapping.dmp

Download
memory/1740-145-0x0000000000000000-mapping.dmp

Download
memory/1792-217-0x0000000000000000-mapping.dmp

Download
memory/1792-185-0x0000000000000000-mapping.dmp

Download
memory/1964-238-0x0000000000000000-mapping.dmp

Download
memory/2108-211-0x0000000000000000-mapping.dmp

Download
memory/2296-207-0x0000000000000000-mapping.dmp

Download
memory/2304-169-0x0000000000000000-mapping.dmp

Download
memory/2368-221-0x0000000000000000-mapping.dmp

Download
memory/2464-214-0x0000000000000000-mapping.dmp

Download
memory/3220-229-0x0000000000000000-mapping.dmp

Download
memory/3240-179-0x0000000000000000-mapping.dmp

Download
memory/3548-215-0x0000000000000000-mapping.dmp

Download
memory/3580-212-0x0000000000000000-mapping.dmp

Download
memory/3972-219-0x0000000000000000-mapping.dmp

Download
memory/4084-209-0x0000000000000000-mapping.dmp

Download
memory/4128-232-0x0000000000000000-mapping.dmp

Download
memory/4180-152-0x0000000000000000-mapping.dmp

Download
memory/4256-137-0x0000000000000000-mapping.dmp

Download
memory/4288-133-0x0000000000000000-mapping.dmp

Download
memory/4456-208-0x0000000000000000-mapping.dmp

Download
memory/4656-218-0x0000000000000000-mapping.dmp

Download
memory/4688-188-0x0000000000000000-mapping.dmp

Download
memory/4748-172-0x0000000000000000-mapping.dmp

Download
memory/4792-210-0x0000000000000000-mapping.dmp

Download
memory/4796-239-0x0000000000000000-mapping.dmp

Download
memory/4996-213-0x0000000000000000-mapping.dmp

Download
memory/5080-153-0x0000000000000000-mapping.dmp

Download