Malware Analysis Report

2024-12-07 02:01

Sample ID 241111-rm6bxszhrf
Target 7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188
SHA256 7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188
Tags
bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188

Threat Level: Shows suspicious behavior

The file 7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 14:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 14:19

Reported

2024-11-11 14:22

Platform

win7-20240903-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\360DrvMgr.exe = "8000" C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE\360DrvMgr.exe = "8000" C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp
PID 1716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp
PID 1716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp
PID 1716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp
PID 1716 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe
PID 1716 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe
PID 1716 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe
PID 1716 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe

"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~4272876833651210167"

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe

"C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 conf.wsm.360.cn udp
US 104.192.110.254:80 conf.wsm.360.cn tcp
US 8.8.8.8:53 res.qhsetup.com udp
CN 1.192.137.108:80 res.qhsetup.com tcp
CN 1.192.137.108:80 res.qhsetup.com tcp
CN 1.192.137.108:80 res.qhsetup.com tcp
US 8.8.8.8:53 dm.weishi.360.cn udp
CN 106.63.103.7:443 dm.weishi.360.cn tcp
CN 106.39.219.55:80 res.qhsetup.com tcp
CN 106.39.219.55:80 res.qhsetup.com tcp
CN 106.39.219.55:80 res.qhsetup.com tcp
CN 180.163.237.138:80 res.qhsetup.com tcp
CN 180.163.237.138:80 res.qhsetup.com tcp
CN 180.163.237.138:80 res.qhsetup.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\~972560925467056277~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

\Users\Admin\AppData\Local\Temp\~4272876833651210167\360DrvMgr.exe

MD5 b05427e95473bf8af9d9672123311c39
SHA1 a97b786b99de1b8b9b37589836b2215951eb4d16
SHA256 a8456ac02baca984ae32e84d1e7ca767b0705a1d5156539fb618c7c1e7059837
SHA512 876417bd046bbd378c395b13a94266f108117a396a767652b6c306d76dbedd6a81aa7e9183375a55b004beeab4736a139104967d4c9b8e764744c9a612fa84da

memory/2532-104-0x0000000077C50000-0x0000000077C60000-memory.dmp

memory/2532-103-0x0000000077C50000-0x0000000077C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\SignHelper.dll

MD5 a60df7bdf1ab9583e8bf7b38f2eca0a3
SHA1 528064b42f0470e785e896df67b41c6335f176a6
SHA256 4c20f1868b4ee71cca4d399b947f7942460a4074f2942ba90f382c2476b96978
SHA512 7fd219bf83e63dae70dfc79ad1978cefa4a9aec27b69f6e7f0b6e26678c988f8e4dda88f8d000cc20a1b0fdcdd69c24c56eab9a70c242630e902fe1b2d47eea2

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\pdown.dll

MD5 48a849ff04150b2ec0836ab6bb32590a
SHA1 1f52bbcd5d124de15c27cf5ea84e14cb9a87f6a3
SHA256 ded09df700ef458322b6160edd39adb103c03cef3c6ffbce2ee096ce1fd33d62
SHA512 b0b23e540102b16c4ed9ac05f1ac353bf0d19e0c2b0880cec1fa2e9292030e1c5a75694176ac428c7de55588cf503ab36643d2db8c1fec3543daf3aeeb53a680

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\MiniUI.dll

MD5 043365f793b1672fc80aaebde3b22929
SHA1 be526a544e7af66b573b29ee7100374e9deb9a1f
SHA256 2bf36c7813e8410e2ef442158e4089f5c5fa512684848f421cd4b08f1eca1d23
SHA512 efb94e1447842254992f67ad2bcc8ebd1862894019e612d680a3b69a4ec9aaef787bddd155775842baf225b9dea05feaef37db26808fc8516851f995a0b62530

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\LiveUpd360.dll

MD5 e2ab61cd7dd7c8443719460140737b09
SHA1 d07424aaf894aa68bab5c7cc829e54f69f466338
SHA256 0439f9f3a68e14ee28c718ac334f9318f97858ab5430e4fa2e82eb355ed446d6
SHA512 c608aa5fd10849f5efcc74ffb02bfc59c1cd943154b30f2e2174e30543708f3b92d020d39ae36b9dd2e90c2171863b5a610ab18248d430c974853fe0a810df60

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\dynlenv.dll

MD5 61bda655c88ce843905ce63a2d5669e4
SHA1 532304d12d6e1a740e01cf03b3439301d2c6c85d
SHA256 fa7daa6a0e13f9112de63313caf4d06081aee0c7e79b5937cff0519bb4c0bbd4
SHA512 ad9c4f862747ff55ac506ea8b9d4a84a7d0c15d9cb8e9c987722141b9c33957d6aed44b59f0d85a068431ec2b85061b6c27d38011b8dca1675905aaaf6e37bf2

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\DrvMgrUI.dll

MD5 47e593bd9f923a22d98f02ceda6aa420
SHA1 24861e317c5dbb60d780ce592b58379df6817baa
SHA256 4b885265c0f72a6df3ab6ba8ac5cb0cbaf7e8c1fb50c431e51e6a559eb4a27cc
SHA512 ee84d60d019434e3d8f8f47ede08cd79e667b74070cc631783138eaa06f8cfd0088f0b0e6d657dfde458cbe3f63aaccc1e6b31cc0c9e6c37a38e06c66f3d9eb6

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\DrvmgrCore.dll

MD5 4fc36faaa9b7c855c9f06ed6dadfdd6e
SHA1 3722a0512d53312fa77e9477906ef677616a37db
SHA256 1e6fcd8985cb5ec59d42dae04ec3cede86c1d423e139c0ce2f66722768e4ec02
SHA512 c976a88ab168564bbf993aa6eb20ddb1bbe13b6fd9044021b889aa24b5b83d65f4ddd08c8b8714f08fdde164657fc4a8e9c52306186dd7f1897d7f3576547ccc

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\DownloadMgr.dll

MD5 29cf1d28db1a5c5d68b5e0cce6c81db0
SHA1 84af3d92647f8068bf6b20c2fb1937a2c1d05bb0
SHA256 b4e3b9f375c360eec4fe7d811e0476a9a8a03fc632d890342e4c5db957ef481e
SHA512 1c5bc96d1f6ebd4d5abbc2d06fea90cf5509fb258f3e691507a3c7f1d351b230bdb2848a4d50f40bc258daa9823f920730860d6f203356d7b7584c03ccdca6ec

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\DIFxAPI_x86.dll

MD5 1bd976dd77b31fe0f25708ad5c1351ae
SHA1 50d075688835df04484f0b93792a530cb47a1872
SHA256 b3c28941ceb057de44d9c322a38bb0f63c62d7ffbd91cf7970964413978f8eb7
SHA512 d58c2be88941c15214c51c59923437863a94db7b8080ead69017f7cce19d256dbe4d1d8498762476c75c26773dfba1aaff3bed615589ebf4b39df78df1b50b35

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\DataMgr.dll

MD5 cfd6ef9ed6c8585bb8b2b4a8e5b87af9
SHA1 2c476cf6651a5f9b3846aaae3a4eb6dd6b33b7f9
SHA256 da1778e29b935609b2a686fab65e7903d2206c7468bdb1f9e2408ded03b3a6d0
SHA512 f7d4a8ecc31a8b25b396619f71047f00ae682c8950731467f6ccd98352c8c9f64fe33423464aed12a789143cc4f0d532e5a27fce476b3bcd7e79e00081d51688

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\ComputerZ_HardwareDll.dll

MD5 5643fac7fb90bdb3d45178861116c9ec
SHA1 7d930a0823e7fcc91f5ff38615f4ad304a770968
SHA256 c5940597b6ff5bd4aa083c7b4fe41b538e187a176953fecd790d295dc17dcf95
SHA512 6132fd6c50aeb38f22f3ac9e502676bd121801a603b18f9afb3a19fc07aeddaace3cede11fc90cb7569481f7b5331cd24d5840ee275239efe5313af040d66fde

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\ComputerZ5.dll

MD5 d8308aa7cc08c3a56c9187029db56702
SHA1 f8a1b97e321660d814d4d01f03911f6da0caed9d
SHA256 850bb1419ab0c93d524284a6c9c15db69a1e5328e9f84f06bb27ba5efb8a65b8
SHA512 0a6c757b3e5cfaf2de92e4f402dc97306a551244501d97a099ac2a586c7501f087fe7c82c8a81e95b4fea851a0690733c116345360b5dbeb343966fdbda08baa

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\ComputerZ2.dll

MD5 a75f38215a115f9260b58cdd935d7d81
SHA1 dbb7d9d7e69cd5f2f4cda49bebc0fd922316a866
SHA256 102459b35d0b36f915b2cafc2e083d95f4e042815c732a2520dfb646efae4cd1
SHA512 3eeacb82ed9e61d9dc8fec13c2f87fd07b90a5052dd1a3482ee4cdb5122db77587078e7966bf72d73b776973bac09f53f37081f4af0828f1a914c0cd31d03ce9

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\ComputerZ1.dll

MD5 6dbf812d5b61f30a21ddccaec30b4452
SHA1 4778e2d043ac593193e5e15056bb98bba564c246
SHA256 197c529acff08fbc13b11010d95c270e50ddd867f783cfec598c5f831f847033
SHA512 7b9506902c1d0a6b8b74e068be87a7d4fec8a96b3d1b05d06d533d4ef995abc7e2ce24a8d37e38b19b62ad5b316e10831c220df44360a15a6b89e18767bea699

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\atiags32.dll

MD5 a1f7d080d2a00a9ddca9a469c29663c0
SHA1 9fa6b676b9509eead040415ca13a097118ae2175
SHA256 81b7e8a1c0073f6b7c4188216a94e5ab6420844e1acb122d93fab4c6bc14eebe
SHA512 eef12054ace42f07b05b371aa51164bbbfd65120b111e375eaec30537c232ae85022dd1bf424ed94a8d97eb216919cc5857e332029778b93faa8064555e4e07e

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\7za.dll

MD5 34f4329522a2b16d1bc9ad4ab58d9fc1
SHA1 04ec3c21a59a15a85b29bead3733f0ceccce8680
SHA256 fc07200668d45a640bbd5f6997851e31a20941fcb661f8e09469899becebdf8a
SHA512 ab8efc3dee9319401634dc3d8e6fe8282dc14a6058cf923af2d69656e58ed3724cfd5d466801fcf0bf53510f5b3197986972240693e4b1bbdcc9ae562ae0eb6c

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360P2SP.dll

MD5 75ae5114927b0200ea73e016211ae572
SHA1 15ae658c082afcab51ade61b8ed6699a978b5e05
SHA256 8e38aeb187edd59329007fe10d2b509e5566256e993a127902d57bac66b17346
SHA512 ae65e304fc669b98c5d137c4e7cba591e075b9d1b588af1d7eea2458776c29b2a2ccd06ea37aeb89d0cd0ebcb155aec7a6a0a842da4ac36f9b512049967e59fc

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360NetUL.dll

MD5 240e9b9b2b3f2a134070b7d5084278d3
SHA1 a39ce3213f364ec8435833afa36619e6d6fd24b0
SHA256 003e2f8225ae4bfe3487dea759c6e44176fb96ff89fb162904c7c923e9c78720
SHA512 2cdd9cd946b4a6df110f22197290090c1b4b734c9b9120e6403866342b17c50cd8a71d566ff0f284a03b5202af9f06248de71da1314486dbed58a64225cf5745

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360NetBase.dll

MD5 14c6b4bbd31f6fd13530bc941cc71d1a
SHA1 ce4e38ac82a54f64d318507ddc28f9ffbb378f0f
SHA256 401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5
SHA512 c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360net.dll

MD5 2bca9e782840c8214dbc3ef6ee64404c
SHA1 9144db795c7b092ac55a5b59c0eb569e3432cfec
SHA256 1320ce2bf517978d3c65cf9cb8390318f3ea1896ef10a66b53a1832792341c62
SHA512 87188cdd4d581c9b20bb36451f0376837bfe5489b685dc28a902af441f0681ff89922138d1a160f4d926189b2ae491a7fb7158c60596116f9f09e6c9516d5c6b

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360Base.dll

MD5 a73cf0457df35fab74ef3393d2766667
SHA1 c123e15967e7ab980eba5431a6993e646500befd
SHA256 df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd
SHA512 faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\ScriptExecute.exe

MD5 8b88753a733fd8fc0f12d2ea266b9afd
SHA1 2f9181e8ec946a1d0276e0c8b9a9b21bff3ad210
SHA256 914dd14b89dc73afffaf8abb1d382cc16223e9049aa4437821e8759fc67ad417
SHA512 c545ca9b8ea7d6cd858737c904d8f9d003f44525e209bdabcad912def33279c848205fcbc727d81a266e61fffcb651915975e64686b9caedf2deb8b1e803129d

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\config\defaultskin\defaultskin.ui

MD5 0cc06e728803d0cdeedda92e04313e6c
SHA1 62e897041bdbf18ca65f6c452abcb557e17c0ded
SHA256 3fb6414e92be15821c674a6e72295e75747e9734c827ac14e85479d4720f2b33
SHA512 72afb68bf2078e459cf2e37481c61ff172dd224f5b089bf9903b0c55660aecfdcb98622c0b04fe88edae0e2e25c0eb640cffafc7343bbe5d67ef137397678936

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\config\config.xml

MD5 583e167ba709fec11044409c6b09d04f
SHA1 27b363d8b5dee2df351a5d41e6f14b6156db190f
SHA256 ea5f4faf853767718beef85023fcd9e13cca2127ebb3c17331903779db2916a0
SHA512 bebb16e99340d9264b7ae4cfd1562243a8cef688d3585968046c68020f19de587668485017f74368c20b686f5543bb319cc02665a3cdbb890eb47ffa4ce2a20e

memory/2532-109-0x0000000002A00000-0x0000000002B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\config\defaultskin\miniui.xml

MD5 1c7fad425e4dc4787174876b6725c5de
SHA1 6bf7f9afb666636bea1cef7eca6ebc32f4b344a2
SHA256 ee451d9f3d84226bcd456f193e1e79ebfbd1f24b961b25770c40df93ee7ca494
SHA512 ab02ca7851e6a859244edea31b3cf931a14937ec9ad2274c49a1aedb5a258360f653d7d5e76b9c6166633c4c284db9be277ae584d89641a99da3c77564f8b57d

memory/2532-118-0x00000000032C0000-0x00000000032C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\360DrvMgr\Config.ini

MD5 6d63813c12ca56d6240cff46d9a46330
SHA1 8d7f01db6d3bc11e730b0fd3b40635bf526c450b
SHA256 50291f46574a12702ea22f58928817ef88230c246149a13e2cc80447aa2e54c5
SHA512 42623fd6583b80b75a2cb819c6a8c16b2c074ff09c8aa29d22e9678b1d53afe74700ef29624a0cd6f10ec5850a077ee6591a8d99ac9127bcbb03ac3e66249045

C:\Users\Admin\AppData\Local\Temp\CabED4E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF636.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2532-157-0x00000000032C0000-0x00000000032C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~4272876833651210167\360LibDrvmgr.dat

MD5 fa664c90f221342497fd9fcc2323b806
SHA1 d994329dc6e1ed71fb678717347ccab512680e13
SHA256 ef96ddf1fd0433df9bbff78c23505f884d86e580fcf86460ab2b5cd093cced6a
SHA512 c4d6195f24c28c8b77c2918877f9eac829f01cf50513bd165924a5c955e5bd7d58cb675411ef00d6a1bcb274d37aafb171b5077f090b5ccbca35f7e1743616e6

C:\Users\Admin\AppData\Roaming\360DrvMgr\Config.ini

MD5 d4d0336de20b181d871aa3aeff3d5b4e
SHA1 480030eaadf41f80738345e545f7d9925269ce66
SHA256 1fdc204b004c91a395b9c221666b4e5b7b8dd428ca04278823c51005f400b3fa
SHA512 1c9812e98d995b42e3aeaf8e5475ac80f9a9f048be4bb01bbf089f73e97a7124f09e91cf131bf6c96692bb2275028fce3542318214097c535365aad51881c86d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 14:19

Reported

2024-11-11 14:22

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\c_diskdrive.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File created C:\Windows\INF\c_volume.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File created C:\Windows\INF\c_processor.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File created C:\Windows\INF\c_media.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File created C:\Windows\INF\c_display.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
File created C:\Windows\INF\c_monitor.PNF C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
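The SCSI enumeration keys and the HARDWARE\DESCRIPTION\System\BIOS values read above are the standard places a process goes to learn what machine it is running on, and the same keys serve both hardware-inventory tools and sandbox-aware samples. The report records only the key paths, not the data returned, but the enumeration key names already embed the device vendor strings, so the QEMU virtual DVD-ROM of this detonation is visible to the process from the path alone. The script below is an added example, not part of the sandbox or of this report: it parses rows in the report's Description / Indicator / Process / Target layout, labels the hardware-identity keys, and flags hypervisor vendor strings that appear in the queried paths. The sample rows are copied from the two tables above; the category labels and the marker list are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the "Checks SCSI registry key(s)" and
# "Enumerates system info in registry" tables of this report
# (Description / Indicator / Process / Target, space separated).
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
]

# One report row: description, registry path (may contain spaces), acting
# process (starts with a drive letter), target column.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \(\w+\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)

# Registry locations that hand back hardware identity, with the label used here
# (labels are this example's own, not the sandbox's signature names).
FINGERPRINT_PATTERNS = [
    (re.compile(r"\\Enum\\(SCSI|IDE|USBSTOR)\\", re.I), "storage device identity"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I), "BIOS identity"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\VideoBios", re.I), "video BIOS"),
]

# Vendor strings hypervisors put into emulated device and firmware names.
# Bounded by non-letters so "Xen" does not fire inside unrelated words.
VM_MARKER_RE = re.compile(
    r"(?<![A-Za-z])(QEMU|VMware|VirtualBox|VBOX|innotek|Xen|Bochs|Parallels|Virtual)(?![A-Za-z])",
    re.I,
)


def parse_registry_row(row):
    """Split one report row into its four columns, or None if it is not a registry row."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def classify(path):
    """Label a registry path as a hardware-identity read, or None if it is something else."""
    for pattern, label in FINGERPRINT_PATTERNS:
        if pattern.search(path):
            return label
    return None


def vm_markers(text):
    """Hypervisor vendor strings present in a key path, upper-cased for de-duplication."""
    return {m.group(1).upper() for m in VM_MARKER_RE.finditer(text)}


def analyze(rows):
    """Per process: how many identity keys it touched, which kinds, and which
    hypervisor markers were visible in the key names it read."""
    per_proc = defaultdict(lambda: {"categories": set(), "vm_markers": set(), "reads": 0})
    for row in rows:
        parsed = parse_registry_row(row)
        if parsed is None:
            continue
        label = classify(parsed["path"])
        if label is None:
            continue  # not a hardware-identity key; ignore
        entry = per_proc[parsed["proc"]]
        entry["reads"] += 1
        entry["categories"].add(label)
        entry["vm_markers"] |= vm_markers(parsed["path"])
    return dict(per_proc)


if __name__ == "__main__":
    for proc, info in analyze(REPORT_ROWS).items():
        print(proc)
        print("  hardware-identity reads:", info["reads"])
        print("  categories:", ", ".join(sorted(info["categories"])))
        print("  hypervisor markers visible in key names:",
              ", ".join(sorted(info["vm_markers"])) or "none")
```

The marker check only sees what the report exposes: device enumeration keys carry the vendor in the key name, whereas the BIOSVendor and BIOSVersion values would show a hypervisor only in the returned data, which this report does not include. The report tags these reads as discovery; whether the process acts on the result is not something the rows can show.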

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE\360DrvMgr.exe = "8000" C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\360DrvMgr.exe = "8000" C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A
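Two things about the table above are worth making explicit. First, a bare number in the Token column is a privilege the sandbox did not resolve to a name; the assumption made here, which the report does not state, is that the number is the low part of the privilege LUID as defined by the SE_*_PRIVILEGE constants in winnt.h, under which 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege. Second, AdjustTokenPrivileges can only enable a privilege the token already holds, so a successful enable of SeBackupPrivilege and SeRestorePrivilege by the dropper and by sg.tmp means the sample ran under an administrative token in this detonation, and those two privileges let a process read and write files regardless of their ACLs. The script below is an added example, not the sandbox's code: it parses the rows, resolves the numeric tokens, and summarizes per process which privileges were adjusted and which of them matter. The rows are a subset copied from the table; the high-impact list is this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the "Suspicious use of AdjustPrivilegeToken"
# rows above (Token / Indicator / Process / Target).
REPORT_ROWS = [
    r"Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A",
    r"Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A",
    r"Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A",
    r"Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A",
    r"Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A",
    r"Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp N/A",
    r"Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
    r"Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe N/A",
]

# Well-known privilege LUIDs (SE_*_PRIVILEGE constants in winnt.h) and their
# Se* names. Assumption, not stated by the report: a bare number in the Token
# column is the low part of a privilege LUID the sandbox could not name.
PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege", 4: "SeLockMemoryPrivilege",
    5: "SeIncreaseQuotaPrivilege", 6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
    21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege",
    27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege", 32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# The report abbreviates one name; map it to the winnt.h spelling so counts merge.
ALIASES = {"SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege"}

# Privileges that let a process step around object ACLs, reach the kernel, or
# tamper with auditing. This list is the example's own triage choice.
HIGH_IMPACT = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege", "SeManageVolumePrivilege",
}

ROW_RE = re.compile(
    r"^Token:\s+(?P<token>\S+)\s+(?P<indicator>\S+)\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)


def resolve_privilege(token):
    """Turn a Token column value into a canonical Se* name."""
    if token.isdigit():
        return PRIVILEGE_LUIDS.get(int(token), f"Unknown(LUID {token})")
    return ALIASES.get(token, token)


def summarize(rows):
    """Process path -> Counter of privilege names it adjusted (one count per row)."""
    per_proc = defaultdict(Counter)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        per_proc[m["proc"]][resolve_privilege(m["token"])] += 1
    return dict(per_proc)


def high_impact(summary):
    """Only the processes that touched a high-impact privilege, and which ones."""
    flagged = {}
    for proc, counts in summary.items():
        hits = set(counts) & HIGH_IMPACT
        if hits:
            flagged[proc] = hits
    return flagged


if __name__ == "__main__":
    summary = summarize(REPORT_ROWS)
    for proc, counts in summary.items():
        print(proc)
        for name, n in sorted(counts.items()):
            print(f"  {name} x{n}")
    for proc, hits in high_impact(summary).items():
        print("HIGH IMPACT:", proc, "->", ", ".join(sorted(hits)))
```

The SeIncreaseWorkingSetPrivilege and SeIncreaseBasePriorityPrivilege pairs that dominate the table are benign on their own (any user token holds the first); the rows that change the picture are the backup, restore and security privileges on the dropper and on the extracted 7-Zip stub.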

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\SYSTEM32\cmd.exe
PID 3532 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\SYSTEM32\cmd.exe
PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp
PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp
PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp
PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe
PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe
PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe
PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe
PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe
PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe

"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544"

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe

"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe"

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe

"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe"
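The WriteProcessMemory rows and the Processes section together give the execution chain of this detonation: the submitted executable (PID 3532) runs cmd.exe /c set, extracts itself with a renamed 7-Zip stub (sg.tmp, invoked as 7zG_exe) into the ~7333111046772601544 directory, launches the extracted 360DrvMgr.exe (PID 3112), which in turn starts ComputerZService.exe (PID 3752). The sandbox emits one row per WriteProcessMemory call, so the repeated rows are separate calls rather than duplicates, and in reports of this kind the signature accompanies ordinary parent-to-child process creation as well as injection; its value here is a reliable parent/child map. The script below is an added example, not the sandbox's own output: it rebuilds that tree from the rows, attaches the command lines listed under Processes, and counts the writes per edge. The rows and command lines are copied from this report; the rendering format is the example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed input: the "Suspicious use of WriteProcessMemory" rows above
# (Description / Indicator / Process / Target).
WRITE_ROWS = [
    r"PID 3532 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\SYSTEM32\cmd.exe",
    r"PID 3532 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Windows\SYSTEM32\cmd.exe",
    r"PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp",
    r"PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp",
    r"PID 3532 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp",
    r"PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe",
    r"PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe",
    r"PID 3532 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe",
    r"PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe",
    r"PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe",
    r"PID 3112 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe",
]

# Command lines from the Processes section, keyed by image path.
COMMAND_LINES = {
    r"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe"',
    r"C:\Windows\SYSTEM32\cmd.exe": "cmd.exe /c set",
    r"C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp":
        r'7zG_exe x "C:\Users\Admin\AppData\Local\Temp\7ac10aa947210d5f3e801973b6b4552cc5578085bb443774527dfc1093fb2188.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544"',
    r"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe"',
}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<indicator>\S+)\s+"
    r"(?P<src_img>[A-Za-z]:\\\S+)\s+(?P<dst_img>[A-Za-z]:\\\S+)$"
)


@dataclass
class ProcessTree:
    children: dict = field(default_factory=lambda: defaultdict(list))  # parent pid -> [child pids]
    parent: dict = field(default_factory=dict)                          # child pid -> parent pid
    image: dict = field(default_factory=dict)                           # pid -> image path
    writes: Counter = field(default_factory=Counter)                    # (src, dst) -> call count


def build_tree(rows):
    """Fold the write rows into a tree; the first writer into a PID is taken as its parent."""
    tree = ProcessTree()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        tree.image.setdefault(src, m["src_img"])
        tree.image.setdefault(dst, m["dst_img"])
        tree.writes[(src, dst)] += 1
        if dst not in tree.parent:
            tree.parent[dst] = src
            tree.children[src].append(dst)
    return tree


def roots(tree):
    """PIDs that were never written into by another process."""
    return sorted(pid for pid in tree.image if pid not in tree.parent)


def render(tree, cmdlines, pid=None, depth=0):
    """Indented text lines: pid, image, command line, and writes received from the parent."""
    if pid is None:
        lines = []
        for root in roots(tree):
            lines.extend(render(tree, cmdlines, root, 0))
        return lines
    image = tree.image[pid]
    cmd = cmdlines.get(image, "<command line not in report>")
    received = tree.writes.get((tree.parent.get(pid), pid), 0)
    line = f"{'  ' * depth}{pid} {image} :: {cmd}"
    if received:
        line += f"  [{received} write(s) from parent]"
    lines = [line]
    for child in tree.children.get(pid, []):
        lines.extend(render(tree, cmdlines, child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(WRITE_ROWS), COMMAND_LINES)))
```

Read the extraction command line together with the Files section: everything under ~7333111046772601544 (the 360DrvMgr DLLs, ComputerZService.exe, the config and skin files) is what the 7-Zip stub unpacked from the submitted executable itself, which is why the report tags "Executes dropped EXE" and "Loads dropped DLL".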

Network

Country Destination Domain Proto
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
N/A 10.127.0.1:12000 tcp
US 8.8.8.8:53 conf.wsm.360.cn udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 104.192.110.254:80 conf.wsm.360.cn tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 254.110.192.104.in-addr.arpa udp
US 8.8.8.8:53 res.qhsetup.com udp
US 8.8.8.8:53 dm.weishi.360.cn udp
CN 106.63.103.7:443 dm.weishi.360.cn tcp
CN 180.163.237.138:80 res.qhsetup.com tcp
US 8.8.8.8:53 www.ludashi.com udp
CN 114.116.48.235:80 www.ludashi.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CN 1.192.137.108:80 res.qhsetup.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
CN 106.39.219.55:80 res.qhsetup.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 114.116.48.235:80 www.ludashi.com tcp
US 8.8.8.8:53 l.public.ludashi.com udp
CN 118.190.210.73:80 l.public.ludashi.com tcp
CN 118.190.210.73:80 l.public.ludashi.com tcp
US 8.8.8.8:53 s.ludashi.com udp
CN 106.15.48.27:80 s.ludashi.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 106.15.48.27:80 s.ludashi.com tcp
CN 114.116.48.235:80 www.ludashi.com tcp
CN 118.190.210.73:80 l.public.ludashi.com tcp
CN 106.15.48.27:80 s.ludashi.com tcp
CN 106.15.48.27:80 s.ludashi.com tcp
US 8.8.8.8:53 paint.ludashi.com udp
CN 47.104.109.169:80 paint.ludashi.com tcp
CN 106.15.48.27:80 s.ludashi.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
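Three kinds of rows in the network table are not indicators of the sample: the 10.127.0.1:12000 connections are RFC 1918 addresses on the sandbox side of the detonation, the 8.8.8.8:53 rows are DNS queries whose destination is the resolver rather than anything the sample chose, and the in-addr.arpa names among them are reverse lookups of addresses, not hostnames the sample asked for. What remains is the set of hostnames queried and the hosts actually connected to, which the report does not attribute to individual processes. The script below is an added example, not output of the sandbox: it parses rows in the Country / Destination / Domain / Proto layout, discards the sandbox-internal traffic, separates DNS queries from connections, converts reverse-lookup names back to the address they were about, and reports hostnames that were resolved but never contacted. The rows are a subset copied from the table above.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the Network rows above
# (Country / Destination / Domain / Proto; Domain is blank for some rows).
NETWORK_ROWS = [
    "N/A 10.127.0.1:12000 tcp",
    "N/A 10.127.0.1:12000 tcp",
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "N/A 10.127.0.1:12000 tcp",
    "US 8.8.8.8:53 conf.wsm.360.cn udp",
    "US 104.192.110.254:80 conf.wsm.360.cn tcp",
    "US 8.8.8.8:53 res.qhsetup.com udp",
    "US 8.8.8.8:53 dm.weishi.360.cn udp",
    "CN 106.63.103.7:443 dm.weishi.360.cn tcp",
    "CN 180.163.237.138:80 res.qhsetup.com tcp",
    "US 8.8.8.8:53 www.ludashi.com udp",
    "CN 114.116.48.235:80 www.ludashi.com tcp",
    "CN 1.192.137.108:80 res.qhsetup.com tcp",
    "CN 114.116.48.235:80 www.ludashi.com tcp",
    "US 8.8.8.8:53 paint.ludashi.com udp",
    "CN 47.104.109.169:80 paint.ludashi.com tcp",
]

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def extract_iocs(rows):
    """Split the table into sandbox-internal traffic, reverse lookups, DNS-only
    hostnames, and the hostname -> endpoint map of real connections."""
    domains = defaultdict(set)          # hostname -> {"ip:port", ...}
    connections = Counter()             # (hostname or ip, "ip:port", proto) -> count
    ptr_lookups = set()                 # addresses that were reverse-resolved
    sandbox_internal = Counter()        # private-address endpoints, dropped from IOCs
    queried = set()                     # hostnames seen in forward DNS queries
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ip, port, proto, domain = m["ip"], int(m["port"]), m["proto"], m["domain"]
        if ipaddress.ip_address(ip).is_private:
            sandbox_internal[f"{ip}:{port}/{proto}"] += 1
            continue
        if port == 53 and proto == "udp":
            # Destination is the resolver; the domain column is the query name.
            reversed_ip = ptr_to_ip(domain) if domain else None
            if reversed_ip:
                ptr_lookups.add(reversed_ip)
            elif domain:
                queried.add(domain)
            continue
        endpoint = f"{ip}:{port}"
        connections[(domain or ip, endpoint, proto)] += 1
        if domain:
            domains[domain].add(endpoint)
    return {
        "domains": dict(domains),
        "connections": connections,
        "ptr_lookups": ptr_lookups,
        "dns_only": queried - set(domains),
        "sandbox_internal": sandbox_internal,
    }


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for host, endpoints in sorted(iocs["domains"].items()):
        print(host, "->", ", ".join(sorted(endpoints)))
    print("resolved but never contacted:", sorted(iocs["dns_only"]) or "none")
    print("reverse lookups of:", sorted(iocs["ptr_lookups"]))
    print("sandbox-internal endpoints dropped:", dict(iocs["sandbox_internal"]))
```

In this detonation every hostname that was resolved was also contacted, and all of them sit under 360.cn, qhsetup.com and ludashi.com; the report records only the endpoints, not request contents, so what was fetched over port 80 is not recoverable from this page.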

Files

C:\Users\Admin\AppData\Local\Temp\~6502748858780307207~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360DrvMgr.exe

MD5 b05427e95473bf8af9d9672123311c39
SHA1 a97b786b99de1b8b9b37589836b2215951eb4d16
SHA256 a8456ac02baca984ae32e84d1e7ca767b0705a1d5156539fb618c7c1e7059837
SHA512 876417bd046bbd378c395b13a94266f108117a396a767652b6c306d76dbedd6a81aa7e9183375a55b004beeab4736a139104967d4c9b8e764744c9a612fa84da

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360net.dll

MD5 2bca9e782840c8214dbc3ef6ee64404c
SHA1 9144db795c7b092ac55a5b59c0eb569e3432cfec
SHA256 1320ce2bf517978d3c65cf9cb8390318f3ea1896ef10a66b53a1832792341c62
SHA512 87188cdd4d581c9b20bb36451f0376837bfe5489b685dc28a902af441f0681ff89922138d1a160f4d926189b2ae491a7fb7158c60596116f9f09e6c9516d5c6b

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ_HardwareDll.dll

MD5 5643fac7fb90bdb3d45178861116c9ec
SHA1 7d930a0823e7fcc91f5ff38615f4ad304a770968
SHA256 c5940597b6ff5bd4aa083c7b4fe41b538e187a176953fecd790d295dc17dcf95
SHA512 6132fd6c50aeb38f22f3ac9e502676bd121801a603b18f9afb3a19fc07aeddaace3cede11fc90cb7569481f7b5331cd24d5840ee275239efe5313af040d66fde

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ5.dll

MD5 d8308aa7cc08c3a56c9187029db56702
SHA1 f8a1b97e321660d814d4d01f03911f6da0caed9d
SHA256 850bb1419ab0c93d524284a6c9c15db69a1e5328e9f84f06bb27ba5efb8a65b8
SHA512 0a6c757b3e5cfaf2de92e4f402dc97306a551244501d97a099ac2a586c7501f087fe7c82c8a81e95b4fea851a0690733c116345360b5dbeb343966fdbda08baa

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\DrvMgrUI.dll

MD5 47e593bd9f923a22d98f02ceda6aa420
SHA1 24861e317c5dbb60d780ce592b58379df6817baa
SHA256 4b885265c0f72a6df3ab6ba8ac5cb0cbaf7e8c1fb50c431e51e6a559eb4a27cc
SHA512 ee84d60d019434e3d8f8f47ede08cd79e667b74070cc631783138eaa06f8cfd0088f0b0e6d657dfde458cbe3f63aaccc1e6b31cc0c9e6c37a38e06c66f3d9eb6

memory/3112-103-0x00000000772D0000-0x00000000772E0000-memory.dmp

memory/3112-102-0x0000000077192000-0x0000000077193000-memory.dmp

memory/3112-100-0x00000000772D0000-0x00000000772E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\SignHelper.dll

MD5 a60df7bdf1ab9583e8bf7b38f2eca0a3
SHA1 528064b42f0470e785e896df67b41c6335f176a6
SHA256 4c20f1868b4ee71cca4d399b947f7942460a4074f2942ba90f382c2476b96978
SHA512 7fd219bf83e63dae70dfc79ad1978cefa4a9aec27b69f6e7f0b6e26678c988f8e4dda88f8d000cc20a1b0fdcdd69c24c56eab9a70c242630e902fe1b2d47eea2

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\pdown.dll

MD5 48a849ff04150b2ec0836ab6bb32590a
SHA1 1f52bbcd5d124de15c27cf5ea84e14cb9a87f6a3
SHA256 ded09df700ef458322b6160edd39adb103c03cef3c6ffbce2ee096ce1fd33d62
SHA512 b0b23e540102b16c4ed9ac05f1ac353bf0d19e0c2b0880cec1fa2e9292030e1c5a75694176ac428c7de55588cf503ab36643d2db8c1fec3543daf3aeeb53a680

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\NetBridge.dll

MD5 9d145902fb5b9a6da62ac85761434e31
SHA1 c817d77f59e3767d75cf5f5298d6b5711308f7e5
SHA256 98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43
SHA512 bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\MiniUI.dll

MD5 043365f793b1672fc80aaebde3b22929
SHA1 be526a544e7af66b573b29ee7100374e9deb9a1f
SHA256 2bf36c7813e8410e2ef442158e4089f5c5fa512684848f421cd4b08f1eca1d23
SHA512 efb94e1447842254992f67ad2bcc8ebd1862894019e612d680a3b69a4ec9aaef787bddd155775842baf225b9dea05feaef37db26808fc8516851f995a0b62530

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\LiveUpd360.dll

MD5 e2ab61cd7dd7c8443719460140737b09
SHA1 d07424aaf894aa68bab5c7cc829e54f69f466338
SHA256 0439f9f3a68e14ee28c718ac334f9318f97858ab5430e4fa2e82eb355ed446d6
SHA512 c608aa5fd10849f5efcc74ffb02bfc59c1cd943154b30f2e2174e30543708f3b92d020d39ae36b9dd2e90c2171863b5a610ab18248d430c974853fe0a810df60

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\dynlenv.dll

MD5 61bda655c88ce843905ce63a2d5669e4
SHA1 532304d12d6e1a740e01cf03b3439301d2c6c85d
SHA256 fa7daa6a0e13f9112de63313caf4d06081aee0c7e79b5937cff0519bb4c0bbd4
SHA512 ad9c4f862747ff55ac506ea8b9d4a84a7d0c15d9cb8e9c987722141b9c33957d6aed44b59f0d85a068431ec2b85061b6c27d38011b8dca1675905aaaf6e37bf2

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\DrvmgrCore.dll

MD5 4fc36faaa9b7c855c9f06ed6dadfdd6e
SHA1 3722a0512d53312fa77e9477906ef677616a37db
SHA256 1e6fcd8985cb5ec59d42dae04ec3cede86c1d423e139c0ce2f66722768e4ec02
SHA512 c976a88ab168564bbf993aa6eb20ddb1bbe13b6fd9044021b889aa24b5b83d65f4ddd08c8b8714f08fdde164657fc4a8e9c52306186dd7f1897d7f3576547ccc

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\DownloadMgr.dll

MD5 29cf1d28db1a5c5d68b5e0cce6c81db0
SHA1 84af3d92647f8068bf6b20c2fb1937a2c1d05bb0
SHA256 b4e3b9f375c360eec4fe7d811e0476a9a8a03fc632d890342e4c5db957ef481e
SHA512 1c5bc96d1f6ebd4d5abbc2d06fea90cf5509fb258f3e691507a3c7f1d351b230bdb2848a4d50f40bc258daa9823f920730860d6f203356d7b7584c03ccdca6ec

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\DIFxAPI_x86.dll

MD5 1bd976dd77b31fe0f25708ad5c1351ae
SHA1 50d075688835df04484f0b93792a530cb47a1872
SHA256 b3c28941ceb057de44d9c322a38bb0f63c62d7ffbd91cf7970964413978f8eb7
SHA512 d58c2be88941c15214c51c59923437863a94db7b8080ead69017f7cce19d256dbe4d1d8498762476c75c26773dfba1aaff3bed615589ebf4b39df78df1b50b35

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\DataMgr.dll

MD5 cfd6ef9ed6c8585bb8b2b4a8e5b87af9
SHA1 2c476cf6651a5f9b3846aaae3a4eb6dd6b33b7f9
SHA256 da1778e29b935609b2a686fab65e7903d2206c7468bdb1f9e2408ded03b3a6d0
SHA512 f7d4a8ecc31a8b25b396619f71047f00ae682c8950731467f6ccd98352c8c9f64fe33423464aed12a789143cc4f0d532e5a27fce476b3bcd7e79e00081d51688

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ2.dll

MD5 a75f38215a115f9260b58cdd935d7d81
SHA1 dbb7d9d7e69cd5f2f4cda49bebc0fd922316a866
SHA256 102459b35d0b36f915b2cafc2e083d95f4e042815c732a2520dfb646efae4cd1
SHA512 3eeacb82ed9e61d9dc8fec13c2f87fd07b90a5052dd1a3482ee4cdb5122db77587078e7966bf72d73b776973bac09f53f37081f4af0828f1a914c0cd31d03ce9

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ1.dll

MD5 6dbf812d5b61f30a21ddccaec30b4452
SHA1 4778e2d043ac593193e5e15056bb98bba564c246
SHA256 197c529acff08fbc13b11010d95c270e50ddd867f783cfec598c5f831f847033
SHA512 7b9506902c1d0a6b8b74e068be87a7d4fec8a96b3d1b05d06d533d4ef995abc7e2ce24a8d37e38b19b62ad5b316e10831c220df44360a15a6b89e18767bea699

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\atiags32.dll

MD5 a1f7d080d2a00a9ddca9a469c29663c0
SHA1 9fa6b676b9509eead040415ca13a097118ae2175
SHA256 81b7e8a1c0073f6b7c4188216a94e5ab6420844e1acb122d93fab4c6bc14eebe
SHA512 eef12054ace42f07b05b371aa51164bbbfd65120b111e375eaec30537c232ae85022dd1bf424ed94a8d97eb216919cc5857e332029778b93faa8064555e4e07e

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\7za.dll

MD5 34f4329522a2b16d1bc9ad4ab58d9fc1
SHA1 04ec3c21a59a15a85b29bead3733f0ceccce8680
SHA256 fc07200668d45a640bbd5f6997851e31a20941fcb661f8e09469899becebdf8a
SHA512 ab8efc3dee9319401634dc3d8e6fe8282dc14a6058cf923af2d69656e58ed3724cfd5d466801fcf0bf53510f5b3197986972240693e4b1bbdcc9ae562ae0eb6c

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360P2SP.dll

MD5 75ae5114927b0200ea73e016211ae572
SHA1 15ae658c082afcab51ade61b8ed6699a978b5e05
SHA256 8e38aeb187edd59329007fe10d2b509e5566256e993a127902d57bac66b17346
SHA512 ae65e304fc669b98c5d137c4e7cba591e075b9d1b588af1d7eea2458776c29b2a2ccd06ea37aeb89d0cd0ebcb155aec7a6a0a842da4ac36f9b512049967e59fc

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360NetUL.dll

MD5 240e9b9b2b3f2a134070b7d5084278d3
SHA1 a39ce3213f364ec8435833afa36619e6d6fd24b0
SHA256 003e2f8225ae4bfe3487dea759c6e44176fb96ff89fb162904c7c923e9c78720
SHA512 2cdd9cd946b4a6df110f22197290090c1b4b734c9b9120e6403866342b17c50cd8a71d566ff0f284a03b5202af9f06248de71da1314486dbed58a64225cf5745

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360NetBase.dll

MD5 14c6b4bbd31f6fd13530bc941cc71d1a
SHA1 ce4e38ac82a54f64d318507ddc28f9ffbb378f0f
SHA256 401d8529a84f1d80a439be8cd4e869202162458e5afb5e5bac97c4859bfe8eb5
SHA512 c16d525f1d3fc098b4d6c8b8a872a9013ef2f945f27af73ed7826f61a2b80d756ae5348105432909eccc71f03834cd1301f87fa5a0107e0c7137f5c8e3a3cc95

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360Base.dll

MD5 a73cf0457df35fab74ef3393d2766667
SHA1 c123e15967e7ab980eba5431a6993e646500befd
SHA256 df411ebc1b4a652a3822de0cebd5a48151abb3dd99c8c3d15f858401b27243fd
SHA512 faee2c8c3caf31ee2cceefadff4c442ef3aaed36fabf61a4217e1ba13b315808f09b575b5789ef7cc342cb16219afb4a1c4e7f7686ea8d079c9d7dd9ee782b90

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ScriptExecute.exe

MD5 8b88753a733fd8fc0f12d2ea266b9afd
SHA1 2f9181e8ec946a1d0276e0c8b9a9b21bff3ad210
SHA256 914dd14b89dc73afffaf8abb1d382cc16223e9049aa4437821e8759fc67ad417
SHA512 c545ca9b8ea7d6cd858737c904d8f9d003f44525e209bdabcad912def33279c848205fcbc727d81a266e61fffcb651915975e64686b9caedf2deb8b1e803129d

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\config\defaultskin\miniui.xml

MD5 1c7fad425e4dc4787174876b6725c5de
SHA1 6bf7f9afb666636bea1cef7eca6ebc32f4b344a2
SHA256 ee451d9f3d84226bcd456f193e1e79ebfbd1f24b961b25770c40df93ee7ca494
SHA512 ab02ca7851e6a859244edea31b3cf931a14937ec9ad2274c49a1aedb5a258360f653d7d5e76b9c6166633c4c284db9be277ae584d89641a99da3c77564f8b57d

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\config\defaultskin\defaultskin.ui

MD5 0cc06e728803d0cdeedda92e04313e6c
SHA1 62e897041bdbf18ca65f6c452abcb557e17c0ded
SHA256 3fb6414e92be15821c674a6e72295e75747e9734c827ac14e85479d4720f2b33
SHA512 72afb68bf2078e459cf2e37481c61ff172dd224f5b089bf9903b0c55660aecfdcb98622c0b04fe88edae0e2e25c0eb640cffafc7343bbe5d67ef137397678936

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\config\config.xml

MD5 583e167ba709fec11044409c6b09d04f
SHA1 27b363d8b5dee2df351a5d41e6f14b6156db190f
SHA256 ea5f4faf853767718beef85023fcd9e13cca2127ebb3c17331903779db2916a0
SHA512 bebb16e99340d9264b7ae4cfd1562243a8cef688d3585968046c68020f19de587668485017f74368c20b686f5543bb319cc02665a3cdbb890eb47ffa4ce2a20e

memory/3112-116-0x0000000003860000-0x0000000003861000-memory.dmp

C:\Users\Admin\AppData\Roaming\360DrvMgr\Config.ini

MD5 6d63813c12ca56d6240cff46d9a46330
SHA1 8d7f01db6d3bc11e730b0fd3b40635bf526c450b
SHA256 50291f46574a12702ea22f58928817ef88230c246149a13e2cc80447aa2e54c5
SHA512 42623fd6583b80b75a2cb819c6a8c16b2c074ff09c8aa29d22e9678b1d53afe74700ef29624a0cd6f10ec5850a077ee6591a8d99ac9127bcbb03ac3e66249045

memory/3112-131-0x0000000003860000-0x0000000003861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\360LibDrvmgr.dat

MD5 fa664c90f221342497fd9fcc2323b806
SHA1 d994329dc6e1ed71fb678717347ccab512680e13
SHA256 ef96ddf1fd0433df9bbff78c23505f884d86e580fcf86460ab2b5cd093cced6a
SHA512 c4d6195f24c28c8b77c2918877f9eac829f01cf50513bd165924a5c955e5bd7d58cb675411ef00d6a1bcb274d37aafb171b5077f090b5ccbca35f7e1743616e6

C:\Users\Admin\AppData\Roaming\360DrvMgr\Config.ini

MD5 b9dda00ddd50e493a9e4b1579784e3ad
SHA1 acb4c889470ebc77f269c8ec595e82f8ab5dea7a
SHA256 3315487b3059a495c8b7da278765e9df0c5a99b657fdc635146aafdf51278545
SHA512 6efef6431a0c25210e28725620867621e8094fe84863447d05dbcb1ffeafbfe3e000989da7410ee31367419ec812a10ba507192c0153a005a527808edd2a3828

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZService.exe

MD5 ad763ec213bc25b1177dd8142154d182
SHA1 9c7890c02c49938da3aa5980c5cd35d2d2070b76
SHA256 2e6ca2547df1dad072329a8e2c0a93ad0448df58484750422306c011cc17dbd3
SHA512 ce403aa2e9ffa95f0d820cb9a9c7f4edd9a3decf9f8ab4e127cc877da936bba8598e8b6ff840dac25693b35b0772cb54afb9e65c431b8fd7d07e6561ce33bb3e

memory/3752-150-0x00000000772D0000-0x00000000772E0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_B94B0F2F07332C3F5B6A37DB89E3F3B7

MD5 a647b290033a17f62fe4f70854806523
SHA1 740b996286a175e2acff5fb839454ee2f5c8d692
SHA256 f9e54d780c4aa4d5de22e1030d5ba6c60b96d2a41685c5a5c3fccaed3a516b06
SHA512 11e8951ff3d0ea6da2d02e64e8669fe3dfb6e95944c663e38135e8f7e262db88d137fa0942266039761516ff230c03c4144698992ae027a53cf1f33a472ecb6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_B94B0F2F07332C3F5B6A37DB89E3F3B7

MD5 b95c25c8459baa4c10c68b86452b7d28
SHA1 b0a67aa72ba7341e1d78a6f6f289ce58025187df
SHA256 1c8ae2d566d95aee27e35adab8261161ca94440a85e4dfb723de18e4bd22a994
SHA512 12990ae833e3b3e29ad74e012e6a6b0cbfa193a072db3e0a139dfdb66e1ccb42ee23571056b5fd4c663ff8e16b9ad5773610602f74c34e1c9c533eda9587c2ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 7b646af7de600b568577a5b28336c692
SHA1 fb4e21b620ad85246af0d237bfcf6283d8c2a6d7
SHA256 515fdca51f7cc54b72f11eed34b54827f234bc74a8a873962555f94eb6bbae89
SHA512 3d3029ece12ba9a5e06951a22f4b6b79b7ff43f4d3d135fa5a5657c4eeb27103a7bdc6c60c032a56c53ffcb1c90fa8a282792fdbbe7dd3a46053e9e18d9a1f3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 c1efd4e48753b6c7c82142bd5c279ff7
SHA1 4628719cfb393ee5cb48a9165f88334f5bdc95d0
SHA256 e4b25e3b174f6ab2fad80a9a4c537d18056a23fee1910984a9723427eddd7d2f
SHA512 cf996d4ad66b8e798589ac4bd203b7bfd536162003a3b515a06310cec4a38d273dd244428130d5418eb43e74bb8201d4fba73e15c1836f30adf5b3d57c946d45

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 9e245d2355575c33f98a2df2758ca02b
SHA1 5159aec49a07737a398b98eb7b144b6798663421
SHA256 3a1ccc5933195aa6058cae3eee87201125635ac75d5b0884740638e0d4217ba7
SHA512 5aa7c866f482d78099e266b4977a2f4fdc75d47daead76a842d54fa6568b7a24da210bbd7f68488b15d9ed0665523f7053dc0a58bf66f1aae4847e0dee630349

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 af3d1eae08d4a84efc83fcc7fa5c4509
SHA1 75b1cb01ae624e369b9c27b6754799c30434545e
SHA256 862f068871e0ff58c7e0ce96ac4698c96ee979c596b2ec6ae70839a8a3c89930
SHA512 526f29daab5d170eb3ab5bc86578134e205c52a146b9481bf18a44851411560cab3e8ecf33ce251076837d04145524dd075217da05a7c19a3c2864dc4011296a

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 634d2d0ade861873fb010e7adc6d906c
SHA1 41aa77281e68a1c93c4343607895454e469658ca
SHA256 e35ddba52a1b921a3ae8a9d94ec0ffbef9e51d78c097acf43738be5434f3694e
SHA512 77a0daecb6e4cdad4a2be0fc0f6b45b0eada9d68816d289e80009b744bb2fc3a96877014476b1edd6e85c19c748aa482e0a5f5cf974c13c76002f482add3dd1c

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 17e2ef28e2cb4e4f468b224d4f274e6b
SHA1 cf7a6f8e5e6a181277bfb330353d9b214908157c
SHA256 f6e246739063e27cc4750171a1e9ccc57c186a7fbdfd02ac616a0843bdb8d9b0
SHA512 76b1eec272442a8034caa7b498d35740073c878fb0e656b38fccb6238de3f25db77b6617227079cb5e2ed63d7699a79bd626963e00d45906453b521c1cc106fc

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 964259d39663bdf75b07f9ae769b51d7
SHA1 6cae031106a55500d3a4fa729e4b6c32d45bc3a1
SHA256 0e1184fed8ed4d673f960a5a289c3d6a6c5a30ae78bc7e67ffd3af1592e7525b
SHA512 8d9529fe4b9c9101696c24375b3b648c777ffd4df1fba49af0e85c8ae284e8344edd9fee8d096a1309ead2bba715b738e985fbd9677e251fa47d969c12be2903

C:\Users\Admin\AppData\Local\Temp\~7333111046772601544\ComputerZ.set

MD5 ae7d6838b071f14d25b7f7e826915c59
SHA1 7ce7fa08b198ae900dc1432853a423b9452e66f8
SHA256 5fb26e7afd6006a4a183b14a0afed039303c6c2daa69938e79106071a05caf8a
SHA512 d7dc8f04297b95be9fe8d77956665e796c05bfcc8e7ee8e0e865a5c4c793565e64dca7aa9b60f07e2127c61dc23e519a1c79f1a57e71cbe07932d75739569091